Support for secure store and secure key store
This section details how the BMC PATROL Agent supports secure store and secure key store.
Secure store
The secure store is an extended configuration database in which the BMC PATROL Agent keeps configuration data that must not be exposed in clear text. Entries are held in encrypted key form rather than as ordinary pconfig values. The extended Secure Key Store (SKS) data is stored in the BMC_ROOT\common\security\SKS\sks-<hostName>-<port>.db file.
BMC PATROL Agent enables you to configure secure store settings, modify secure store data, and store secured information by using pconfig. The agent uses a dedicated branch, /SecureStore, for communication with the secure store: SET and REPLACE requests on that branch are dispatched to the secure store rather than to the ordinary pconfig database, so the pconfig interface can be used to set data in the secure store. You can write to the /SecureStore branch by using pconfig, wpconfig (Windows), xpconfig (UNIX), PATROL Configuration Manager, or a PSL pconfig script.
You can supply the value in plain text or in encrypted form, as follows:
- The plain text interface uses the following value format, where the part before the slash is the context (a semicolon-separated list of KM names) and the part after it is the data:
{REPLACE = "MY_KM1;MY_KM2;MY_KM3/mysecretdata"}
- The encrypted data interface uses the pwd_encrypt executable file to encrypt the context/data string, so that the change file carries only ciphertext. It uses the following format:
/SecureStore/MY_KM/my/secret/var = {REPLACE = "EDC10278901F8CB04CF927C82828595B62D25EC355D0AF38589CE4235A246F8C63F24575073E4ECD"}
You can use the sec_encrypt_p3x or pwd_encrypt executable files to convert the context/data string into the Data Encryption Standard (DES) format, as follows:
Using the sec_encrypt_p3x executable file:
C:\ >sec_encrypt_p3x MY_KM1;MY_KM2;MY_KM3/mysecretdata
4809C7BC4506B79AFEA5683B71439299788D5DBF044B1D1D6C1FBD8AB2BBA056C1C7D14B19C46382
Using the pwd_encrypt executable file:
C:\ >pwd_encrypt MY_KM1;MY_KM2;MY_KM3/mysecretdata
4809C7BC4506B79AFEA5683B71439299788D5DBF044B1D1D6C1FBD8AB2BBA056C1C7D14B19C46382
When you set secure store pconfig variables on a BMC PATROL Agent earlier than version 3.8.00, the agent stores them in the ordinary pconfig database rather than in the secure store. For this reason, BMC recommends using the encrypted form, so that an earlier agent does not expose unencrypted sensitive data on the interface. Note that DES is a 56-bit cipher and offers only modest protection: treat the encrypted form as a way to keep clear-text secrets out of change files and command history, not as a substitute for restricting access to the agent's files.
The agent reads data stored in the secure key store database only through the sec_store_get() PSL function, and the function must be called from a context (KM) that you named in the value of the pconfig variable.
For more information about sec_store_get(), see the PATROL Script Language (PSL) Reference Manual.
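The following Python model is an added illustration, not BMC code: it does not reproduce the agent's encryption, the secure key store file or the pconfig wire format. It shows how a "<context>/<data>" value splits into the KM names allowed to read it and the secret itself, how a plain-text /SecureStore change-file line is assembled, and a lookup that, like sec_store_get() as described above, only returns the secret to a caller whose KM appears in the context. Splitting on the first "/", the KM-name character set, and the refusal of quotes in data are assumptions, not documented behaviour.

```python
"""Model of the /SecureStore value format (added illustration, not BMC code)."""
import re
from typing import Dict, List, Optional, Tuple

SECURE_STORE_BRANCH = "/SecureStore"
# Assumption: KM names are alphanumeric with '_' and '.'; the page shows only MY_KM1-style names.
KM_NAME = re.compile(r"[A-Za-z0-9_.]+")
# Change-file line shape taken from the page's example lines.
CHANGE_LINE = re.compile(r'^(?P<var>/SecureStore/\S+)\s*=\s*\{REPLACE\s*=\s*"(?P<value>[^"]*)"\}\s*$')


def parse_secure_value(value: str) -> Tuple[List[str], str]:
    """Split "KM1;KM2;KM3/secret" into (["KM1", "KM2", "KM3"], "secret").

    Assumption: the first "/" ends the context, so the data part may itself
    contain slashes (paths, URLs).
    """
    context, sep, data = value.partition("/")
    if not sep or not context:
        raise ValueError("secure store value must be <KM1;KM2;...>/<data>")
    kms = [km for km in context.split(";") if km]
    if not kms or any(not KM_NAME.fullmatch(km) for km in kms):
        raise ValueError("context must be one or more KM names separated by ';'")
    return kms, data


def secure_store_line(var_path: str, context_kms: List[str], data: str) -> str:
    """Render a plain-text pconfig change-file line for the /SecureStore branch.

    var_path is the variable below /SecureStore, e.g. "/MY_KM/my/secret/var".
    A plain-text line exposes the secret to anyone who can read the change
    file; outside a lab the value should be the pwd_encrypt output instead,
    which cannot be produced offline here.
    """
    if not var_path.startswith("/") or ".." in var_path or " " in var_path:
        raise ValueError("variable path must be absolute, without spaces or '..'")
    if '"' in data or "\n" in data:
        # Assumption: no escaping convention is documented, so refuse rather than guess.
        raise ValueError("data may not contain quotes or newlines")
    for km in context_kms:
        if not KM_NAME.fullmatch(km):
            raise ValueError(f"bad KM name: {km!r}")
    value = ";".join(context_kms) + "/" + data
    return f'{SECURE_STORE_BRANCH}{var_path} = {{REPLACE = "{value}"}}'


class SecureStoreModel:
    """In-memory stand-in for the secure store: variable -> (allowed KMs, data).

    Only plain-text lines are understood; an encrypted (hex) value has no
    context/data split and is rejected by parse_secure_value().
    """

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[List[str], str]] = {}

    def apply_line(self, line: str) -> str:
        """Accept one REPLACE line on the /SecureStore branch; returns the variable name."""
        m = CHANGE_LINE.match(line)
        if not m:
            raise ValueError("not a /SecureStore REPLACE line")
        self._entries[m["var"]] = parse_secure_value(m["value"])
        return m["var"]

    def lookup(self, var: str, calling_km: str) -> Optional[str]:
        """Return the secret only when the caller's KM is in the stored context."""
        entry = self._entries.get(var)
        if entry is None:
            return None
        kms, data = entry
        return data if calling_km in kms else None


if __name__ == "__main__":
    line = secure_store_line("/MY_KM/my/secret/var", ["MY_KM1", "MY_KM2"], "p@ss/word")
    store = SecureStoreModel()
    store.apply_line(line)
    print(line)
    print("MY_KM2   ->", store.lookup("/SecureStore/MY_KM/my/secret/var", "MY_KM2"))
    print("OTHER_KM ->", store.lookup("/SecureStore/MY_KM/my/secret/var", "OTHER_KM"))
```

Run the block directly to see one line assembled and the lookup succeed for a listed KM and fail for an unlisted one. The point of the model is the access decision: a secret written with context MY_KM1;MY_KM2 is unreadable from any other KM, so the context should list only the KMs that actually need the credential.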
Secure key store
Account credentials (user name and password) are given an extra level of protection by being kept in a separate, encrypted secure key store. The password portion of the credentials has always been encrypted; with the secure key store, the entire file in which sensitive data is stored is protected by an additional layer of encryption.
Sensitive data is defined as any variable name that ends with defaultAccount, such as /AgentSetup/defaultAccount or /AgentSetup/APP_CLASS.OSdefaultAccount.
The secure key store files are at the following locations:
The secure key files are compatible with standard PATROL Security utilities, such as sslcmd or plc_password. For more information about these utilities, see PATROL Security User Guide.
Default password
After installing the PATROL Agent, the key store is encrypted with the default password, which is the word password. Because this default is published, change it before the agent goes into service: anyone who knows the default and can read the key store file can decrypt it.
Changing the password
To change the encryption password:
- Use the plc_password utility, as described in Using the plc_password utility, to change the encrypted password stored in the policy file and the master password used to encrypt the secure key.
- When prompted for the new password, enter, and then reenter your chosen password.
Using the plc_password utility
This section describes how to use the plc_password utility to change passwords.
Windows
From the BMC_ROOT\common\security\bin_v3.0\OS directory, run the plc_password command with the following options, using the PATROL Agent host name and port for <host> and <port>:
-P PATROL\SecurityPolicy_v3.0\agent
-f <BMC_ROOT>\common\security\keys\sample.bin
-k <PATROL_HOME>\config\secure_config_<host>-<port>
OpenVMS
From the Patrol3.manage directory, run @patrol$login to set the PATROL logicals. Then, from the BMC$ROOT:[COMMON.SECURITY.BIN_V3_0.OS] directory, run the plc_password command with the following options, using the PATROL Agent host name and port for <host> and <port>:
"-P" BMC$ROOT:[common.patrold.SECURITY_POLICY_V3_0]AGENT.PLC
"-f" BMC$ROOT:[COMMON.SECURITY.KEYS]SAMPLE.BIN
"-k" PATROL$HOME:[config]SECURE_CONFIG_<host>-<port>
All other platforms
From the Patrol3 directory, source patrolrc.sh to set the environment variables. Then, from the BMC_ROOT/common/security/bin_v3.0/OS directory, run the plc_password command with the following options, using the PATROL Agent host name and port for <host> and <port>:
-P /etc/patrol.d/security_policy_v3.0/agent.plc
-f $BMC_ROOT/common/security/keys/sample.bin
-k $PATROL_HOME/config/secure_config_<host>-<port>
Migrating to secure key store
During the installation of PATROL Agent 9.5, migration to the secure key store is handled automatically. If you are manually moving configuration databases from one agent to another, use the command-line pconfig utility.
The allowsecuredatahandling privilege can be granted by creating the allowsecuredatahandling variable in the [AGENT] stanza of patrol.conf and setting its value to True.
Using Secure Key Store when running multiple agents on a node
To use the secure key store when you are running multiple PATROL Agents on the same node, create the following variable, either as an environment variable or in the patrol.conf file:
PATROL_SKS_DBNAME = default
If this variable exists with the value default, the secure key store database file naming scheme changes to include the port, so that each agent instance gets its own file. The new naming scheme is sks-<hostName or virtualHostName>-<portNumber>.db; for example, sks-snowy-7777.db.
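The following Python check is an added example, not part of the PATROL product. It lists the key store databases in an SKS directory that follow the multi-agent naming scheme sks-<host>-<port>.db described above, reports which agent instance (host and port) each belongs to, and on POSIX flags any database that group or others can read, since the file holds encrypted credentials. The directory in the demo is a constructed temporary one with placeholder contents; the real files live under BMC_ROOT\common\security\SKS as stated earlier on this page.

```python
"""Audit an SKS directory for per-agent key store databases (added example, not BMC code)."""
import os
import re
import stat
import tempfile
from typing import List, Optional, Tuple

# Naming scheme from the page: sks-<hostName or virtualHostName>-<portNumber>.db
SKS_NAME = re.compile(r"^sks-(?P<host>.+)-(?P<port>\d{1,5})\.db$")


def expected_sks_name(host: str, port: int) -> str:
    """File name the multi-agent scheme gives an agent listening on host:port."""
    if not (0 < port < 65536):
        raise ValueError("port out of range")
    return f"sks-{host}-{port}.db"


def parse_sks_name(name: str) -> Optional[Tuple[str, int]]:
    """Recover (host, port) from sks-<host>-<port>.db; None if the name does not fit.

    Host names may contain hyphens, so the port is taken from the last
    '-<digits>' before the .db suffix.
    """
    m = SKS_NAME.match(name)
    if not m:
        return None
    port = int(m["port"])
    if not (0 < port < 65536):
        return None
    return m["host"], port


def mode_is_private(mode: int) -> bool:
    """True when no group or other permission bits are set (e.g. 0o600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_sks_dir(sks_dir: str) -> List[dict]:
    """One record per key store database found in sks_dir, sorted by file name."""
    findings = []
    for name in sorted(os.listdir(sks_dir)):
        parsed = parse_sks_name(name)
        if parsed is None:
            continue  # not a per-agent SKS database
        host, port = parsed
        st = os.stat(os.path.join(sks_dir, name))
        findings.append({
            "file": name,
            "host": host,
            "port": port,
            # Mode bits are only meaningful on POSIX; on Windows inspect the ACL instead.
            "private": mode_is_private(st.st_mode) if os.name == "posix" else None,
        })
    return findings


def make_demo_dir() -> str:
    """Build a constructed SKS directory: two agents' databases and a stray file.

    The contents are placeholders, not real key stores; one database is
    deliberately left group/world readable so the audit has something to flag.
    """
    d = tempfile.mkdtemp(prefix="sks-demo-")
    for name, mode in (("sks-snowy-7777.db", 0o600),
                       ("sks-snowy-3181.db", 0o644),
                       ("readme.txt", 0o644)):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real key store\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for rec in audit_sks_dir(make_demo_dir()):
        print(rec)
```

On a real host, point audit_sks_dir() at the agent's SKS directory and compare each record against the agents you expect to be running: a database for a host name other than the local one usually means a configuration database was copied in from another agent, and a database with private set to False should have its permissions tightened.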