You can use the z/OS Password Encryption Key feature (zosPasswordEncryptionKey-1.0) to store Advanced Encryption Standard (AES) encrypted passwords securely in Liberty. This feature obtains the AES encryption key for an encrypted password at run time, so the key is not stored in the server configuration.
About this task
You can specify the AES encryption key in your server configuration with the wlp.password.encryption.key variable. However, as a more secure alternative, you can use a private key that is stored in a System Authorization Facility (SAF) key ring. When the zosPasswordEncryptionKey-1.0 feature is enabled, the AES encryption key is retrieved from the SAF key ring by using the process credentials instead of the configured password. When this feature is enabled, the wlp.password.encryption.key variable is ignored.
Procedure
- To use an encryption key that is stored in the SAF key ring, enable the zosPasswordEncryptionKey-1.0 feature in your server.xml file. Specify the key ring details and identify the personal certificate that holds the private key in the zosPasswordEncryptionKey element.

  <featureManager>
  <feature>zosPasswordEncryptionKey-1.0</feature>
  </featureManager>
  <zosPasswordEncryptionKey keyring="safkeyring:///KEYRING" label="WLP" type="JCERACFKS" />

  With this configuration, the server accesses the key ring and retrieves the private key from the certificate that is specified by the label attribute.
- You can also use the securityUtility encode command to generate an AES-encrypted password with the key from the SAF key ring. Although the securityUtility command can take the encryption key on the command line, you can instead retrieve the encryption key from the SAF key ring. Specify the --keyring, --keyringType, and --keyLabel options on the command line to access the private key that is used as the encryption key. You must be authorized to access the SAF key ring to use this option. The following example demonstrates the correct syntax for the securityUtility encode command.

  securityUtility encode --encoding=aes --keyring=safkeyring:///KEYRING1 --keyringType=JCERACFKS --keyLabel=WLP passwordToEncrypt
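As an added example that is not part of the Liberty documentation, the following server.xml contrasts the weaker approach, in which the AES key is placed in the wlp.password.encryption.key variable inside the configuration, with the SAF key ring approach described above. The dataSource, library and jdbc-4.3 feature are assumed only to give the encrypted password a consumer, and the {aes} value is a placeholder for the output of securityUtility encode.

```xml
<server description="SAF-backed AES password key (added example, not from the Liberty docs)">
  <!-- Weaker approach: the AES key itself lives in the server configuration, so anyone
       who can read this file can decrypt every {aes} password in it. Shown commented out
       for contrast; once the feature below is enabled this variable is ignored anyway. -->
  <!--
  <variable name="wlp.password.encryption.key" value="PLACEHOLDER-CLEAR-TEXT-KEY" />
  -->

  <featureManager>
    <feature>zosPasswordEncryptionKey-1.0</feature>
    <!-- assumed: present only so that the dataSource below has a feature to run under -->
    <feature>jdbc-4.3</feature>
  </featureManager>

  <!-- Preferred approach: the encryption key is the private key of the certificate labelled
       WLP in the KEYRING SAF key ring. It is fetched at run time under the server's process
       credentials, which therefore need read access to that key ring. -->
  <zosPasswordEncryptionKey keyring="safkeyring:///KEYRING" label="WLP" type="JCERACFKS" />

  <!-- Assumed consumer of an encrypted password. The {aes} value is a placeholder for the
       output of:
       securityUtility encode --encoding=aes --keyring=safkeyring:///KEYRING
                              --keyringType=JCERACFKS --keyLabel=WLP passwordToEncrypt -->
  <dataSource id="exampleDS" jndiName="jdbc/example">
    <jdbcDriver libraryRef="exampleDriverLib" />
    <properties serverName="db.example.invalid" portNumber="5000" databaseName="EXAMPLE"
                user="dbuser" password="{aes}PLACEHOLDER_CIPHERTEXT_FROM_SECURITYUTILITY" />
  </dataSource>
  <library id="exampleDriverLib">
    <fileset dir="${server.config.dir}/lib" includes="*.jar" />
  </library>
</server>
```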