How to set up encryption for an Operations Orchestration integration

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Service Management provides scripts to generate public and private encryption keys and import them to the agent machine. This implements encryption between Service Management and the On-Premise Bridge agent, and ensures the security of the fields that are defined as encrypted in the original Operations Orchestration flow.

Generate the encryption keys.

In the C:\Program Files\HP\On-Premise Bridge Agent\product\util\opb directory on the On-Premise Bridge agent machine, run the following script:

rsa_key_gen.bat

The script generates a public key, id_rsa.pub, and a private key, id_rsa.priv. The keys are located in the same directory by default.

There is an option to define a source of randomness when generating the keys, by adding the seed parameter and a character string of any length. For example:

rsa_key_gen.bat -seed vb2FK8jgPTWefPOmkrAv/o44jOoYCsYu0k3Z

Note

You only need to run the script once, on one agent machine, even if you are working with multiple On-Premise Bridge agents.
If you prefer, you can generate the public and private key pair using a different tool, instead of the script provided by Service Management. The tool must support 2048-bit encryption according to the RSA PKCS1 standard (RFC 3447). For more information, refer to the Public-Key Cryptography Standards website.
If you are using a seed parameter to include randomness, make sure to use a random seed for each deployment to generate strong encryption keys and protect the seed parameter in a secure location.

Enter the public key in Service Management.

From the main menu, select Administration > Utilities > Integration. Click the Agents tab.
Click Set encryption key.
Copy the public key you created, id_rsa.pub, and paste it into the Encryption key dialog box.
Click Save to save the key.

If you are working with multiple On-Premise Bridge agents, copy the encryption keys to each agent machine.

Import the encryption keys on the On-Premise Bridge agent machine(s).

In the C:\Program Files\HP\On-Premise Bridge Agent\product\util\opb directory on the On-Premise Bridge agent machine, run the following script using the keys as the parameters:

import_rsa_keys.bat –pub id_rsa.pub -priv id_rsa.priv

Note You must run this script on each On-Premise Bridge agent machine.

After you import the keys, restart the On-Premise Bridge agent service.

For security purposes, delete the key files from the C:\Program Files\HP\On-Premise Bridge Agent\product\util\opb on each agent machine. Save a copy of the keys in a secure location.

Ensure that you have permission to view the Encryption key.

Your administrator should follow this procedure:

Go to Administration > Master Data > People > Roles.
Select the user's role.
Under Resources, click Add.
In the Add permission dialog box, select EncryptionKey from the drop-down list.
Select View and click OK.
Save the role.

Encryption is now enabled. You can proceed with the Operations Orchestration integration.

If you subsequently install a new On-Premise Bridge agent, you must copy the encryption keys to the new agent machine and run the import script on that agent.

Caution If you want to change the key after encryption has been enabled, you repeat the procedure from the beginning to generate new keys. In this case, you must re-enter the data (passwords) previously encrypted with the old key to encrypt them again using the new public key.