Secure store


The secure store is an extended configuration database in which BMC PATROL Agent stores configuration data securely. Each stored entry is kept as a secured key. The extended secure key store (SKS) data is stored in the BMC_ROOT\common\security\SKS\sks-<hostName>-<port>.db file.

BMC PATROL Agent now enables you to configure secure store settings by using pconfig: through pconfig you can modify secure store data and store secured information.

BMC PATROL Agent adds a new branch, /SecureStore, to enable communication with the secure store data.

SET and REPLACE requests on the /SecureStore branch are dispatched to the secure store, so the pconfig interface lets you set data in the secure store.

You can add the /SecureStore branch by using pconfig, wpconfig (Windows), xpconfig (UNIX), PATROL Configuration Manager, or a PSL pconfig script by using the following format:

/SecureStore/var = { REPLACE = "context/data"}

BMC PATROL Agent enables you to configure the key database and the secure store settings in plain text and in encrypted format, as follows:

  • The plain text interface uses the following format:

    /SecureStore/MY_KM/my/secret/var =
    {REPLACE = "MY_KM1;MY_KM2;MY_KM3/mysecretdata"}

Note

If the secret data string contains the / character, the product does not behave as expected.

Example

Use the following rule to set a plain text password for the Aggregator KM:

"/SecureStore/PDS_PATROL_DataStore_config/PDS_AGGREGATOR/Nodes/<hostName>:<portNumber>" = {REPLACE = "PDS_DATABASE;PDS_DATASTORE;PDS_AGGREGATOR/<PATROLUserPassword>"}
  • The encrypted data interface uses the pwd_encrypt executable file and enables you to encrypt the /context/data information.

    The encrypted data interface uses the following format:

    /SecureStore/MY_KM/my/secret/var = {REPLACE = "EDC10278901F8CB04CF927C82828595B62D25EC355D0AF38589CE4235A246F8C63F24575073E4ECD"}

    Use the following rule to set an encrypted password for the Aggregator KM:

    "/SecureStore/PDS_PATROL_DataStore_config/PDS_AGGREGATOR/Nodes/<hostname>:<portNumber>" = {REPLACE = "10F39746131EF76F8616B07A2FB541F44273F33A94EF0E6FFE31E5834D23C2CB905419DE2966D9DAD9E29368ED303EF3916D9CD3D27D34A4"}


    You can use the sec_encrypt_p3x or pwd_encrypt executable files to convert /context/data into the Data Encryption Standard (DES) format as follows:

  • Using the sec_encrypt_p3x executable file:

    C:\ >sec_encrypt_p3x MY_KM1;MY_KM2;MY_KM3/mysecretdata 4809C7BC4506B79AFEA5683B71439299788D5DBF044B1D1D6C1FBD8AB2BBA056C1C7D14B19C46382

    Example

    C:\ >sec_encrypt_p3x PDS_DATABASE;PDS_DATASTORE;PDS_AGGREGATOR/<PATROLUserPassword> 10F39746131EF76F8616B07A2FB541F44273F33A94EF0E6FFE31E5834D23C2CB905419DE2966D9DAD9E29368ED303EF3916D9CD3D27D34A4

  • Using the pwd_encrypt executable file:

    C:\ >pwd_encrypt MY_KM1;MY_KM2;MY_KM3/mysecretdata 4809C7BC4506B79AFEA5683B71439299788D5DBF044B1D1D6C1FBD8AB2BBA056C1C7D14B19C46382

    Example

    C:\ > pwd_encrypt PDS_DATABASE;PDS_DATASTORE;PDS_AGGREGATOR/<PATROLUserPassword> 10F39746131EF76F8616B07A2FB541F44273F33A94EF0E6FFE31E5834D23C2CB905419DE2966D9DAD9E29368ED303EF3916D9CD3D27D34A4

When you set the secure store pconfig settings by using a version of BMC PATROL Agent earlier than 3.8.00, the settings are stored in the pconfig database. For this reason, BMC recommends that you use the encrypted data setting so that an earlier version of BMC PATROL Agent does not expose unencrypted sensitive data through the interface.

Note

If the current version of BMC PATROL Agent finds a /SecureStore pconfig branch in the BMC PATROL Agent pconfig database, it removes the old pconfig branch when the agent starts.

BMC PATROL Agent fetches the data stored in the secure key store database through the sec_store_get() PSL function only. This function is called from the context that you specified in the value for the pconfig variable.

For more information about sec_store_get(), see the PATROL Script Language (PSL) Reference Manual.
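The following is an added example, not code from the BMC documentation or from the PATROL Agent. It models the plain-text /SecureStore rule format described above (the "context/data" value with semicolon-separated KM contexts) and the context restriction stated for sec_store_get(): it builds a rule while rejecting secret data that contains the / character, parses a value back into its contexts and data, and returns the data only to a caller whose context is listed. The split at the first / and the exact context check are assumptions made for illustration, not BMC's documented implementation.

```python
from typing import List, Optional, Tuple

# Added example (not BMC code). Models the /SecureStore pconfig rule
# format; the split-at-first-slash rule and the context check below are
# assumptions for illustration only.

PREFIX = "/SecureStore/"


def build_rule(var_path: str, contexts: List[str], secret: str) -> str:
    """Return a plain-text rule line such as
    "/SecureStore/MY_KM/my/secret/var" = {REPLACE = "MY_KM1;MY_KM2/secret"}.
    Refuses secrets containing '/', which the documentation says break the
    context/data value."""
    if "/" in secret:
        raise ValueError("secret data must not contain '/'")
    if not contexts or any(not c or ";" in c or "/" in c for c in contexts):
        raise ValueError("contexts must be non-empty and free of ';' and '/'")
    if not var_path.startswith(PREFIX):
        raise ValueError("variable must live under " + PREFIX)
    value = ";".join(contexts) + "/" + secret
    return f'"{var_path}" = {{REPLACE = "{value}"}}'


def parse_value(value: str) -> Tuple[List[str], str]:
    """Split a plain-text 'context/data' value into (contexts, data).
    Assumption: the first '/' separates the context list from the data."""
    context_part, sep, data = value.partition("/")
    if not sep or not context_part:
        raise ValueError("value has no 'context/data' structure")
    return context_part.split(";"), data


def lookup(value: str, calling_km: str) -> Optional[str]:
    """Model of the restriction described for sec_store_get(): the secret is
    returned only when the caller is one of the listed contexts (assumption)."""
    contexts, data = parse_value(value)
    return data if calling_km in contexts else None
```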
