Support for virtual secure store and secure key store

This section details how the BMC PATROL Agent supports secure store and secure key store.

Secure store

The secure store is an extended configuration database for BMC PATROL Agent to store the configuration data securely. The data stored is secured in a key format. The default path to store the extended Secure Key Store (SKS) data file is BMC_ROOT\common\security\SKS\sks-hostname-port-v10.db. User may override this default path by exporting one or both of the following environment variables.

• BMC_PATROL_SKS_PATH
• BMC_PATROL_SKS_PATH_<portnum>

Port specific environment variable takes precedence over the generic environment variable for the SKS path. If no environment variables are defined for SKS path then the secure key store (SKS) data files will be created at the default security path as mentioned above. For example, on a unix box if the user sets following environment variables:

• export BMC_PATROL_SKS_PATH=/opt/bmc/Patrol/MySKSDir/

• export BMC_PATROL_SKS_PATH_3181=/opt/bmc/Patrol/MySKSDir_3181/

The location where the extended SKS data is stored depends on the following conditions:

• If PATROL Agent is started on port 3181 then sks-hostname-port-v10.db will be created in /opt/bmc/Patrol/MySKSDir_3181/ directory.
• If PATROL Agent is started on any other port then data file will be created in /opt/bmc/Patrol/MySKSDir/ directory.
• If user doesn't export any of the two environment variables, the data file will be created at default location as %BMC_ROOT%\common\security\SKS\sks-hostname-port-v10.db

BMC PATROL Agent enables you to configure secure store settings, modify secure store data, and store secured information by using pconfig. BMC PATROL Agent uses a new branch, /SecureStore, to enable communication with the secure store data. The /SecureStore branch dispatches the SET/REPLACE requests on that branch to the secure store, after which the pconfig interface enables you to set data in the secure store. You can add the /SecureStore branch by using pconfig, wpconfig (Windows), xpconfig (UNIX), PATROL Configuration Manager, or a PSL pconfig script by using the following format:

/SecureStore/var = { REPLACE = "context/data"}

You can configure the key database and the secure store settings in plain text or in encrypted format, as follows:

• The plain text interface uses the following format:

/SecureStore/MY_KM/my/secret/var = 
{REPLACE = "MY_KM1;MY_KM2;MY_KM3/mysecretdata"}

"/SecureStore/PDS_PATROL_DataStore_config/PDS_AGGREGATOR/Nodes/<hostName>:<portNumber>" = {REPLACE = "PDS_DATABASE;PDS_DATASTORE;PDS_AGGREGATOR/<PATROLUserPassword>"}

• The encrypted data interface leverages the pwd_encrypt executable file and enables you to encrypt the /context/data information, as shown in the following format.

/SecureStore/MY_KM/my/secret/var = {REPLACE = "EDC10278901F8CB04CF927C82828595B62D25EC355D0AF38589CE4235A246F8C63F24575073E4ECD"}

"/SecureStore/PDS_PATROL_DataStore_config/PDS_AGGREGATOR/Nodes/<hostname>:<portNumber>" = {REPLACE = "10F39746131EF76F8616B07A2FB541F44273F33A94EF0E6FFE31E5834D23C2CB905419DE2966D9DAD9E29368ED303EF3916D9CD3D27D34A4"}

You can use sec_encrypt_p3x or pwd_encrypt executable files to convert /context/data in the Data Encryption Standard (DES) format as follows:

sec_encrypt_p3x executable file:

C:\ >sec_encrypt_p3x MY_KM1;MY_KM2;MY_KM3/mysecretdata 4809C7BC4506B79AFEA5683B71439299788D5DBF044B1D1D6C1FBD8AB2BBA056C1C7D14B19C46382

C:\ >sec_encrypt_p3x PDS_DATABASE;PDS_DATASTORE;PDS_AGGREGATOR/<PATROLUserPassword> 10F39746131EF76F8616B07A2FB541F44273F33A94EF0E6FFE31E5834D23C2CB905419DE2966D9DAD9E29368ED303EF3916D9CD3D27D34A4

pwd_encrypt executable file:

C:\ >pwd_encrypt MY_KM1;MY_KM2;MY_KM3/mysecretdata 4809C7BC4506B79AFEA5683B71439299788D5DBF044B1D1D6C1FBD8AB2BBA056C1C7D14B19C46382

C:\ > pwd_encrypt PDS_DATABASE;PDS_DATASTORE;PDS_AGGREGATOR/<PATROLUserPassword> 10F39746131EF76F8616B07A2FB541F44273F33A94EF0E6FFE31E5834D23C2CB905419DE2966D9DAD9E29368ED303EF3916D9CD3D27D34A4

When you set the secure store pconfig settings by using a version earlier than 3.8.00 of BMC PATROL Agent, the settings are stored in the pconfig database. For this reason, BMC recommends that you use encrypted data setting to ensure that an earlier version of BMC PATROL Agent does not expose unencrypted sensitive data on the interface.

BMC PATROL Agent fetches the data stored in the secure key store database through the sec_store_get() PSL function only. This function is called from the context that you specified in the value for the pconfig variable.

For more information about sec_store_get(), see sec_store_get().

Secure key store

Account credentials, user name, and password are given an extra level of security by storing them in a separate encrypted secure key store. While the password portion of the credentials has always been encrypted, in the secure key store, the entire file where sensitive data is stored is protected by an additional layer of encryption.

Sensitive data is defined as any variable name that ends with defaultAccount, such as /AgentSetup/defaultAccount or /AgentSetup/APP_CLASS.OSdefaultAccount.

The secure key store files are at the following locations:

The secure key files are compatible with standard PATROL Security utilities sslcmd or plc_password. For more information about these utilities, see PATROL Security User Guide.

Default password

After installing the PATROL Agent, the key store is encrypted with the default password of password.

Changing the password

To change the encryption password:

1. Use the plc_password utility as described in Using the plc_password utility to change the encrypted password stored in the policy file and the master password used to encrypt the secure key.
2. When prompted for the new password, enter, and then reenter your chosen password.

Using the plc_password utility

This section describes how to use the plc_password utility to change passwords.

Windows

From the BMC_ROOT\common\security\bin_v3.0\OS directory, run the following command, using the PATROL Agent hostname and port for <host> and <port>:

plc_password -r keystore -m unattended 
-P PATROL\SecurityPolicy_v3.0\agent 
-f <BMC_ROOT>\common\security\keys\sample.bin 
-k <PATROL_HOME>\config\secure_config_<host>-<port>

All other platforms

From the Patrol3 directory, source patrolrc.sh to set the environment variables. Then from the BMC_ROOT/common/security/bin_v3.0/OS directory, run the following command, using the PATROL Agent host name and port for <host> and <port>:

plc_password -r keystore -m unattended 
-P /etc/patrol.d/security_policy_v3.0/agent.plc 
-f $BMC_ROOT/common/security/keys/sample.bin 
-k $PATROL_HOME/config/secure_config_<host>-<port>

Migrating to secure key store

During the installation of PATROL Agent 11.3, migration to the secure key store is handled automatically. If you are manually moving configuration databases from one agent to another, use the command-line pconfig utility as described below.

The allowsecuredatahandling privilege may be granted by creating the allowsecuredatahandling variable in the [parm90:AGENT] stanza of patrol.conf and setting the value of the variable to True.

Using Secure Key Store when running multiple agents on a node

When you are running multiple PATROL Agents on the same node, the secure key store database file naming convention varies as per the value of the variable PATROL_SKS_DBNAME as described below:

• If the value of PATROL_SKS_DBNAME = default, the file is named as sks-<hostName>-<portNumber>.db or sks-<virtualHostName>-<portNumber>.db.
• If the value of PATROL_SKS_DBNAME is set by the end-user, the file name is same as this value. For example, if you set PATROL_SKS_DBNAME = test_secure_data, the secure key store database file name is test_secure_data.db

You can set the value of the PATROL_SKS_DBNAME variable using one of the following methods:

• Set the variable externally using the command prompt, for example set PATROL_SKS_DBNAME=default
• Add an entry of the variable PATROL_SKS_DBNAME in the patrol.conf file, for example PATROL_SKS_DBNAME=default