IBM Tivoli Netcool/OMNIbus, Version 7.4

Running the proxy server in secure mode

You can run the proxy server in secure mode. When you specify the SecureMode property or the -secure command-line option, the proxy server authenticates probe connections by requiring a user name and password.

When a connection request is sent, the proxy server issues an authentication message. The probe must respond with the correct user name and password.

If you do not specify the -secure option, probe connection requests are not authenticated.

When connecting to a secure proxy server, each probe must have an AuthUserName property and AuthPassword property specified in its properties file. If the user name and password combination is incorrect, the proxy server issues an error message.

You can choose any valid user name for the AuthUserName property.

Password encryption details for running in FIPS 140–2 mode and non-FIPS 140–2 mode are described in the following table.

Table 1. Password encryption in FIPS 140–2 mode and non-FIPS 140–2 mode

Mode: FIPS 140–2 mode

Action:

When in FIPS 140–2 mode, passwords can be specified either in plain text or in encrypted format. You can encrypt passwords by using property value encryption, as follows:

  1. If you do not yet have a key for encrypting the password, create one by running the nco_keygen utility, which is located in $NCHOME/omnibus/bin.
  2. Run the nco_aes_crypt utility to encrypt the password with the key that was generated by the nco_keygen utility. The nco_aes_crypt utility is also located in $NCHOME/omnibus/bin. Note that you must specify AES_FIPS as the algorithm to use for encrypting the password.
  3. Open the properties file to which you want to add the encrypted password and specify this encrypted output for the AuthPassword setting.
    Note: You must also set the ConfigKeyFile property to the key file that you specified when running nco_aes_crypt, and set the ConfigCryptoAlg property to the encryption algorithm used.

Mode: Non-FIPS 140–2 mode

Action:

When in non-FIPS 140–2 mode, passwords can be specified either in plain text or in encrypted format. However, the client always transmits login information in encrypted form, irrespective of whether the password in the properties file is encrypted. You can encrypt passwords by using the nco_g_crypt utility or by using property value encryption, as follows:

  • To encrypt a password by using the nco_g_crypt utility, run the command as follows:

    $NCHOME/omnibus/bin/nco_g_crypt plaintext_password

    In this command, plaintext_password represents the unencrypted form of the password. The nco_g_crypt utility takes the unencrypted password and displays an encrypted version. Open the properties file to which you want to add the encrypted password and specify this encrypted output for the AuthPassword setting.

  • To encrypt a password by using property value encryption, you require a key that is generated with the nco_keygen utility. You can then run nco_aes_crypt to encrypt the password with the key. Note that you can specify either AES_FIPS or AES as the algorithm for encrypting the password. Use AES only if you need to maintain compatibility with passwords that were encrypted using the tools provided in versions earlier than Tivoli Netcool/OMNIbus V7.2.1.

    Open the file to which you want to add the encrypted password and specify this encrypted output for the AuthPassword setting.

    Note: You must also set the ConfigKeyFile property to the key file that you specified when running nco_aes_crypt, and set the ConfigCryptoAlg property to the encryption algorithm used.

If the ObjectServer is running in secure mode, the proxy server must also have the AuthUserName and AuthPassword properties in its properties file in order to connect to the ObjectServer. If the user name and password combination is incorrect, the ObjectServer issues an error message. The AuthPassword value can be in plain text or encrypted, as described in the preceding table.

Attention: Passwords encrypted with nco_g_crypt can be used in the same way as unencrypted passwords to access the ObjectServer. Therefore, you must set appropriate permissions on any files containing encrypted passwords to prevent unauthorized access. Alternatively, further encrypt the nco_g_crypt output with nco_aes_crypt, and set appropriate permissions on the key file.
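The property value encryption procedure from Table 1 and the file-permission advice from the Attention note, scripted as an added example (this is not code from the IBM documentation). The nco_keygen -o option and the nco_aes_crypt -c and -k options are assumed from the standard utilities and are not shown on this page; the install path, the key file location and the properties-file syntax (Name : 'value') are also assumptions.

```sh
#!/bin/sh
# Added example (not IBM's code): scripts the property value encryption steps
# from Table 1 and the permission check from the Attention note. Assumed, not
# shown on this page: nco_keygen -o, nco_aes_crypt -c/-k, and the paths below.

NCHOME="${NCHOME:-/opt/IBM/tivoli/netcool}"     # assumed install location
KEYFILE="${KEYFILE:-$NCHOME/etc/crypto.key}"   # assumed key file location

# Step 1: create a key only if one does not exist yet, and keep it private.
make_key() {
  [ -f "$KEYFILE" ] || "$NCHOME/omnibus/bin/nco_keygen" -o "$KEYFILE"
  chmod 600 "$KEYFILE"
}

# Step 2: encrypt a plaintext password with the key. $1 = password, $2 = algorithm:
# AES_FIPS (required in FIPS mode) or AES (only for pre-V7.2.1 compatibility).
encrypt_password() {
  "$NCHOME/omnibus/bin/nco_aes_crypt" -c "$2" -k "$KEYFILE" "$1"
}

# Step 3: append the authentication properties to a properties file.
# $1 = properties file, $2 = AuthUserName, $3 = encrypted password
# (output of step 2), $4 = algorithm given in step 2.
write_props() {
  props="$1" user="$2" enc="$3" alg="$4"
  (
    umask 077   # a newly created properties file is owner-readable only
    {
      printf "AuthUserName : '%s'\n" "$user"
      printf "AuthPassword : '%s'\n" "$enc"
      printf "ConfigKeyFile : '%s'\n" "$KEYFILE"
      printf "ConfigCryptoAlg : '%s'\n" "$alg"
    } >> "$props"
  )
  chmod 600 "$props"
}

# Check: neither the key file nor any properties file holding a password
# may be readable by group or others (mode must end in 00, e.g. 600 or 400).
check_perms() {
  for f in "$@"; do
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
      *00) ;;
      *) echo "$f is accessible by other users (mode $mode)" >&2; return 1 ;;
    esac
  done
  return 0
}
```

Run make_key, pass the output of encrypt_password to write_props, and run check_perms over the key file and every properties file that carries an AuthPassword.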

For further information about the probe properties, see the IBM Tivoli Netcool/OMNIbus Probe and Gateway Guide.