Command Line Interface Encryption

Document ID : KB000038594
Last Modified Date : 14/02/2018

Introduction:

How to configure WAAE 11.3.x to encrypt and secure the data exchanged between the Command Line Interface (CLI) and the Application Server.

Background:

There may be a need to secure the data of Command Line Interface commands, or to prevent another Command Line Interface that is warranted from accessing data from a particular WAAE instance.


Environment:

WAAE 11.3.x and above/UNIX

Instructions:

1. On the Scheduler and Application Server, modify the config.$AUTOSERV file located in the $AUTOUSER directory by changing UseEncryption=1 to UseEncryption=2.
   2 = Specifies that a user-specified encryption key is used to encrypt data.

2. Stop and restart the CA-WAAE services. Change directory to /etc/init.d, then issue the following command: ./CA-WAAE restart

3. On the server where the CLI (Command Line Interface) is installed, modify the config.$AUTOSERV file located in the $AUTOUSER directory by changing UseEncryption=1 to UseEncryption=2.
   2 = Specifies that a user-specified encryption key is used to encrypt data.

4. Stop and restart the CA-WAAE services. Change directory to /etc/init.d, then issue the following command: ./CA-WAAE restart

5. From the Scheduler server, issue as_config with -g to create a custom encryption key.
   For example: as_config -g TEST123
   Note: The command will overwrite the current cryptkey.txt located in the $AUTOUSER directory.

6. From the server where the CLI is installed, issue as_config with -g to create a custom encryption key. The custom entry you supply to this command must be the same as the one you entered on the Scheduler server.

Note:
1. You can also copy the cryptkey.txt file from the Scheduler server to the server where the CLI is installed, placing it in the $AUTOUSER directory.

2. If the keys do not match, a CLI command will time out when it is run, and the following messages will appear:
    CAUAJM_E_10527 Timed out waiting for response from the CA WAAE Application Server: [hostname:9000]
    CAUAJM_E_50033 Error initializing tx subsystem:  CAUAJM_E_10062 Failed to get initial configuration from CA WAAE Application Server(s).
3. When UseEncryption is set to 2, DEFAULT encryption for Agent communication is not in use. You must configure the Agent's machine definition and the Agent's cryptkey.txt file for the custom encryption key.
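
Added example (not part of the original document or of the WAAE tooling): a pre-flight check for the CLI host that confirms UseEncryption=2 and that the local cryptkey.txt is the same file as the Scheduler's, without displaying the key. The function names are hypothetical; it assumes config lines of the form UseEncryption=<n>, that sha256sum or openssl is installed, and that the key file was copied as in Note 1 (files generated separately with as_config -g may not be byte-identical).

```shell
#!/bin/sh
# Print every distinct UseEncryption value set on an uncommented line.
use_encryption_value() {
    sed -n 's/^[[:space:]]*UseEncryption[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | sort -u
}

# Print a SHA-256 fingerprint of a key file so that hosts can be compared
# without the key content itself being shown or logged.
key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Args: config file, local cryptkey.txt, fingerprint taken on the Scheduler.
# Returns 0 and prints OK when both settings agree, 1 on a mismatch,
# 2 when a file cannot be read.
check_cli_encryption() {
    cfg=$1; key=$2; expected=$3
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    [ -s "$key" ] || { echo "missing or empty $key" >&2; return 2; }
    val=$(use_encryption_value "$cfg")
    if [ "$val" != "2" ]; then
        echo "UseEncryption is '$val', expected 2" >&2
        return 1
    fi
    if [ "$(key_fingerprint "$key")" != "$expected" ]; then
        echo "cryptkey.txt differs from the Scheduler copy" >&2
        return 1
    fi
    echo "OK"
}

# Stand-alone use on the CLI host: pass the Scheduler's fingerprint as $1.
if [ -n "${AUTOUSER:-}" ] && [ -n "${AUTOSERV:-}" ] && [ "$#" -ge 1 ]; then
    check_cli_encryption "$AUTOUSER/config.$AUTOSERV" "$AUTOUSER/cryptkey.txt" "$1"
fi
```

Run key_fingerprint against $AUTOUSER/cryptkey.txt on the Scheduler first, then pass that value to the script on the CLI host.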

Configuring the Agent for custom encryption
1. UseEncryption must be set to 2. This task may already have been performed if you configured encryption for the CLI. If this is the first time you are configuring Agent custom encryption, perform the following: On the Scheduler server, modify the config.$AUTOSERV file located in the $AUTOUSER directory by changing UseEncryption=1 to UseEncryption=2.
2. Update all the machine definitions, adding encryption_type and key_to_agent.
   a. Encryption_type is set to AES
   b. Key_to_agent is the custom key entry.

 
Example:
insert_machine: agent1
type: a
factor: 1.00
port: 7520
node_name: agent1
agent_name: WA_AGENT
/* key_to_agent: *** masked value ***/
encryption_type: AES
character_code: ASCII

3. Execute as_config -g to create a new cryptkey.txt with a new custom passkey. If you are using the same passkey as the CLI encryption passkey, you do not need to execute this step; proceed to step 4. If you are not using the same passkey, be aware that this action will overwrite the previous cryptkey.txt located in the $AUTOUSER directory. It is recommended that you back up and keep track of the cryptkey.txt file.
4. Copy the custom cryptkey.txt file for the Agent encryption from the $AUTOUSER directory to the Agent install directory. This will overwrite the default cryptkey.txt for the Agent.
5. Restart the Agent service.

Note: Validate that you can autoping -M all the agents.

Additional Information:

1. Information regarding encryption_type and key_to_agent can be found at the following URL:
   https://docops.ca.com/ca-wla-ae-wcc/11-4-2/en/reference/ae-job-information-language/jil-machine-definitions/insert_machine-subcommand-add-a-machine-definition
2. If there are already defined Agents using the encryption_type of DEFAULT, then all agents need to be deleted and reinserted with the proper encryption_type.
3. Key_to_agent custom keys can be unique to each agent only if the agent_name is also unique.