Using encryption for the UIM server


If your IBM zSeries processor supports HMAC-SHA and 3DES, UIM can use them to encrypt a user's ID and password.

To enable the cryptography features of the UIM server, your IBM zSeries processor must support CPACF or attached Coprocessors. Using either of these, the UIM server can:

  • Encrypt or decrypt user credentials for more secure logon processing
  • Implement TLS to secure all network communications

Important

We recommend using the TLS protocol because the SSL protocol has been deprecated.

To enable or disable a specific level of encryption

  1. Open your startup configuration member for editing.

    Important

    The startup member name is typically the same as the started task procedure name for the UIM server.

  2. From your startup configuration member, find the ENCRYPTION_LEVEL parameter.

    The following example shows the variable set to the default to implement TLS if the client supports encryption (SSL-IF):

     <BMC_PARM   ID='ENCRYPTION_LEVEL'
                 VALUE='SSL-IF' />
  3. Change ENCRYPTION_LEVEL to one of the following values:

    • NO

      User credentials will not be encrypted between UIM and the client.

      Warning

      When ENCRYPTION_LEVEL is set to NO, user credentials are transmitted in clear text, which is insecure and only intended for legacy support.

      BMC AMI Command Center for Db2 always encrypts user credentials to prevent security vulnerabilities. Therefore, specifying NO is not supported and will result in login failures. For secure transmission, use one of the following recommended settings:

      • SSL-IF
      • CREDENTIALS-IF

    • CREDENTIALS-IF

      If the zSeries processor and the client support encrypted credentials, encryption is used.

    • CREDENTIALS-REQUIRED

      Encrypted credentials are required and connection attempts using non-encrypted credentials will be rejected.

    • SSL-IF

      If the zSeries processor and the client support SSL/TLS, TLS is used. If TLS support does not exist, CREDENTIALS-IF is used. If that is not supported either, the connection is rejected.

      When using this setting, see the following topics:

    • SSL-REQUIRED

      SSL/TLS encryption must be used on any connection, and non-SSL/TLS connection attempts are rejected.

      Warning

      Older clients might not support the SSL/TLS standard and might be unable to connect to the server.

      When using this setting, see the following topics:

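As an added example that is not part of the BMC documentation, the following Python script reads a saved copy of a startup configuration member, extracts every BMC_PARM element (the attributes may be split across lines, as in the example above), and reports which ENCRYPTION_LEVEL is in effect. An administrator can run it against the member before restarting the UIM server to confirm that NO is not in use and to see whether the chosen level merely offers encryption or enforces it. The sample member text is constructed, and the function names are this example's own.

```python
import re
from typing import Dict, Tuple

# Constructed sample of a startup configuration member. The ENCRYPTION_LEVEL
# element matches the format shown in the documentation; the two other
# parameter names are invented only to show that the parser ignores them.
SAMPLE_MEMBER = """\
<BMC_PARM   ID='EXAMPLE_PARM_A'
            VALUE='something' />
<BMC_PARM   ID='ENCRYPTION_LEVEL'
            VALUE='SSL-IF' />
<BMC_PARM ID='EXAMPLE_PARM_B' VALUE='42' />
"""

# One BMC_PARM element with single-quoted ID and VALUE attributes.
# DOTALL lets \s+ span the line break between the two attributes.
_PARM_RE = re.compile(
    r"<BMC_PARM\s+ID\s*=\s*'([^']*)'\s+VALUE\s*=\s*'([^']*)'\s*/>",
    re.IGNORECASE | re.DOTALL,
)

# Documented ENCRYPTION_LEVEL values and the behaviour the page describes.
LEVELS = {
    "SSL-REQUIRED": "TLS is mandatory; non-TLS connection attempts are rejected",
    "SSL-IF": "TLS if supported, else encrypted credentials, else the connection is rejected",
    "CREDENTIALS-REQUIRED": "encrypted credentials are mandatory; clear-text attempts are rejected",
    "CREDENTIALS-IF": "encrypted credentials are used when both sides support them",
    "NO": "credentials are sent in clear text (legacy only; Command Center logins fail)",
}

# Levels that refuse to fall back to a weaker mode.
ENFORCED = {"SSL-REQUIRED", "CREDENTIALS-REQUIRED"}


def parse_bmc_parms(text: str) -> Dict[str, str]:
    """Return {ID: VALUE} for every BMC_PARM element found in the member text."""
    return {m.group(1).upper(): m.group(2).upper() for m in _PARM_RE.finditer(text)}


def audit_encryption_level(text: str) -> Tuple[str, str, str]:
    """Classify the member's ENCRYPTION_LEVEL.

    Returns (verdict, level, reason) where verdict is one of:
      'fail'       - NO or an unrecognised value
      'negotiated' - an -IF level that may fall back to a weaker mode
      'enforced'   - a -REQUIRED level that rejects weaker connections
    A missing parameter is treated as the documented default, SSL-IF.
    """
    level = parse_bmc_parms(text).get("ENCRYPTION_LEVEL", "SSL-IF")
    if level not in LEVELS:
        return "fail", level, f"unrecognised ENCRYPTION_LEVEL value {level!r}"
    if level == "NO":
        return "fail", level, LEVELS[level]
    if level in ENFORCED:
        return "enforced", level, LEVELS[level]
    return "negotiated", level, LEVELS[level]


def audit_member_file(path: str) -> Tuple[str, str, str]:
    """Convenience wrapper: audit a member saved to a local text file."""
    with open(path, encoding="utf-8") as fh:
        return audit_encryption_level(fh.read())


if __name__ == "__main__":
    verdict, level, reason = audit_encryption_level(SAMPLE_MEMBER)
    print(f"ENCRYPTION_LEVEL={level}: {verdict} ({reason})")
```

The verdict distinguishes the -IF levels, which the documentation recommends but which still negotiate downwards when a client lacks support, from the -REQUIRED levels, which reject weaker connections outright. Reviewing the output together with the client inventory helps decide whether SSL-REQUIRED can be enabled without locking out older clients.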
