Encryption of configuration file settings

You can encrypt values within the Service Manager configuration file (sm.ini) to protect passwords and authentication information. The encryption scheme is ideal for connection parameters such as RDBMS or LDAP user names and passwords. Using a command-line utility, you can convert any value to an AES-256-CBC encrypted value. You can then copy the encrypted value into the configuration file and add an asterisk to the beginning of the parameter name. The asterisk is a required element that indicates to the server that the parameter value is encrypted.

For example, the unencrypted value:

sqllogin:rdbmsuser/mypassword

Becomes the following value when encrypted:

*sqllogin:D51CB23B379C873CBA055FB9A3798375AC93D48BB8AE2CC773D7317E4715EAE7

After you have encrypted a configuration file value, there is no way to convert it back to clear text. The Service Manager server decrypts the value for administrative purposes, but it does not save or store the decrypted value.

Note: Only use the encryption scheme to encrypt server parameters in the Service Manager configuration file (sm.ini). Do not encrypt other values in other files, as this may damage your system or cause data loss.

In addition, the values of the following security parameters in the sm.ini file are encrypted automatically during server startup. You do not need to encrypt them manually.

  • changeencrkey
  • upgradeencralg
  • encryptionkey
  • sqllogin
  • ldapbindpass
  • smtppassword
  • keystorePass
  • truststorePass
  • ssl_trustedClientsPwd
  • idmsigningkey

Encrypt values in the Service Manager configuration file

Applies to User roles: System Administrator

You can use the sm -encrypt command to encrypt parameter values in the sm.ini file. You must have administrative access to the server operating system to use this procedure.

Note: The values of some security parameters are encrypted automatically during server startup, including the sqllogin parameter that is used as the example in the following task. For a list of the parameters that are encrypted automatically, see Encryption of configuration file settings.

To encrypt values in the Service Manager configuration file, follow these steps:

  1. Open the Service Manager configuration file (sm.ini).
  2. Copy the parameter name and parameter value you want to encrypt.
    For example, copy sqllogin:RDBMS user/my password.

  3. Open the operating system's command prompt.
    For example, on Windows click Start > Programs > Accessories > Command Prompt.
  4. Change directories to the RUN folder of your Service Manager installation.
    For example:
    cd C:\Program Files\Micro Focus\Service Manager\Server\RUN
  5. Type the following command:
    sm -encrypt:<parameter name>:<parameter value>
    If the string containing the <parameter name>:<parameter value> includes spaces, you must enclose the entire parameter name and value in quotation marks. For example:
    sm -encrypt:"sqllogin:RDBMS user/my password"

    Tip: The sqllogin credentials are automatically encrypted and added to the sm.ini file if you configure the credentials by running the Server Configuration Utility instead of running this command.

  6. Press Enter.
    Service Manager displays the new encrypted value.
    For example:
    sqllogin:"RDBMS user/my password" is encrypted:
    99E6136711576164187C6619C6DBA9DFFC89F7EDF186BC5827E3615BE8419CD4
  7. Copy the new encrypted value.
  8. Return to the Service Manager configuration file and add an asterisk to the beginning of the parameter name.
    For example:
    *sqllogin:
  9. Replace the clear-text value with the encrypted value.
    For example:
    *sqllogin:99E6136711576164187C6619C6DBA9DFFC89F7EDF186BC5827E3615BE8419CD4
  10. Save the configuration file.
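
A check for the asterisk convention described above, added here as an example and not part of the product or its documentation: it scans an sm.ini body for the parameters this page lists as sensitive and reports values left in clear text, values marked with an asterisk that are not ciphertext, and ciphertext missing its asterisk. The function name `audit_sm_ini`, the `#` comment handling, and the ciphertext pattern (hex in whole 16-byte blocks, inferred from the two sample values on this page) are assumptions.

```python
import re

# Parameters this page lists as encrypted automatically at server startup.
SENSITIVE = {p.lower() for p in (
    "changeencrkey", "upgradeencralg", "encryptionkey", "sqllogin",
    "ldapbindpass", "smtppassword", "keystorePass", "truststorePass",
    "ssl_trustedClientsPwd", "idmsigningkey")}

# Assumption: ciphertext is hex in whole 16-byte AES blocks (32 hex digits),
# as in the two sample values shown on this page.
HEX_BLOCKS = re.compile(r"(?:[0-9A-Fa-f]{32})+")

def audit_sm_ini(text):
    """Return (line_number, parameter, finding) tuples for an sm.ini body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and lines starting with '#' hold no setting.
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # flag-style parameter without a value
        marked = name.startswith("*")
        name, value = name.lstrip("*").strip(), value.strip()
        looks_encrypted = HEX_BLOCKS.fullmatch(value) is not None
        if marked and not looks_encrypted:
            findings.append((lineno, name, "asterisk set but value is not ciphertext"))
        elif not marked and looks_encrypted:
            findings.append((lineno, name, "looks encrypted but asterisk is missing"))
        elif not marked and name.lower() in SENSITIVE:
            findings.append((lineno, name, "sensitive value stored in clear text"))
    return findings

# Constructed sample file: the two hex strings are the page's own examples,
# every other value is made up for this illustration.
SAMPLE = """\
# constructed sm.ini for the example
system:13080
*sqllogin:D51CB23B379C873CBA055FB9A3798375AC93D48BB8AE2CC773D7317E4715EAE7
ldapbindpass:Secret123
*smtppassword:hunter2
keystorePass:99E6136711576164187C6619C6DBA9DFFC89F7EDF186BC5827E3615BE8419CD4
"""

if __name__ == "__main__":
    for lineno, name, finding in audit_sm_ini(SAMPLE):
        print(f"line {lineno}: {name}: {finding}")
```

Because the server encrypts the listed parameters itself at startup, a clear-text finding for one of them usually means the file was edited after the last restart.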
