Administer > Administer the Service Management > Record Management > Integration with Operations Orchestration > Set up encryption for an Operations Orchestration integration

How to set up encryption for an Operations Orchestration integration

Service Management provides scripts to generate public and private encryption keys and import them to the agent machine. This implements encryption between Service Management and the On-Premise Bridge agent, and ensures the security of the fields that are defined as encrypted in the original Operations Orchestration flow.

  1. Generate the encryption keys.

    In the C:\Program Files\HP\On-Premise Bridge Agent\product\util\opb directory on the On-Premise Bridge agent machine, run the following script:

    rsa_key_gen.bat

    The script generates a public key, id_rsa.pub, and a private key, id_rsa.priv. The keys are located in the same directory by default.

    There is an option to define a source of randomness when generating the keys, by adding the seed parameter and a character string of any length. For example:

    rsa_key_gen.bat -seed vb2FK8jgPTWefPOmkrAv/o44jOoYCsYu0k3Z

    Note  

    • You only need to run the script once, on one agent machine, even if you are working with multiple On-Premise Bridge agents.
    • If you prefer, you can generate the public and private key pair using a different tool, instead of the script provided by Service Management. The tool must support 2048-bit encryption according to the RSA PKCS1 standard (RFC 3447). For more information, refer to the Public-Key Cryptography Standards website.

    • If you are using a seed parameter to include randomness, make sure to use a random seed for each deployment to generate strong encryption keys and protect the seed parameter in a secure location.

  2. Enter the public key in Service Management.

    1. From the main menu, select Administration > Utilities > Integration. Click the Agents tab.

    2. Click Set encryption key.

    3. Copy the public key you created, id_rsa.pub, and paste it into the Encryption key dialog box.

    4. Click Save to save the key.

  3. If you are working with multiple On-Premise Bridge agents, copy the encryption keys to each agent machine.

  4. Import the encryption keys on the On-Premise Bridge agent machine(s).

    In the C:\Program Files\HP\On-Premise Bridge Agent\product\util\opb directory on the On-Premise Bridge agent machine, run the following script using the keys as the parameters:

    import_rsa_keys.bat –pub id_rsa.pub -priv id_rsa.priv

    Note You must run this script on each On-Premise Bridge agent machine.

    After you import the keys, restart the On-Premise Bridge agent service.

  5. For security purposes, delete the key files from the C:\Program Files\HP\On-Premise Bridge Agent\product\util\opb on each agent machine. Save a copy of the keys in a secure location.

  6. Ensure that you have permission to view the Encryption key.

    Your administrator should follow this procedure:

    1. Go to Administration > Master Data > People > Roles.
    2. Select the user's role.
    3. Under Resources, click Add.
    4. In the Add permission dialog box, select EncryptionKey from the drop-down list.
    5. Select View and click OK.
    6. Save the role.
  7. Encryption is now enabled. You can proceed with the Operations Orchestration integration.

    If you subsequently install a new On-Premise Bridge agent, you must copy the encryption keys to the new agent machine and run the import script on that agent.

Caution If you want to change the key after encryption has been enabled, you repeat the procedure from the beginning to generate new keys. In this case, you must re-enter the data (passwords) previously encrypted with the old key to encrypt them again using the new public key.

Related topics