How can the password encryption keys (EM.private, EM.public) be regenerated for EM communication within a cluster, and is it also possible to use Isengard SSL for that intra-EM communication?

Document ID : KB000032468
Last Modified Date : 14/02/2018

 Introduction:

 To make your CA Wily environment more secure, you can generate a new public and private key for each Collector, place the public keys on the MOM, and update the MOM's Collector properties.

 

 Question:

 We are using APM 10.0.0.12. We need to replace the out-of-the-box public and private key. Can we use OpenSSL to generate the keys? If it is possible, can you advise the command for generating EM compatible public and private keys.

 Since the EM.public and EM.private keys are used for communication between MOMs/CDV to Collectors, what does the keystore/truststore provide or do in securing communications between MOMs/CDV to Collectors? Rephrasing the question, when do you use the keystore and truststore? Can you use them to secure the communications between MOMs/CDV to Collectors?

 

 Environment:

 APM - all environments

 

 Answer:

 1. The keys can be regenerated with the command syntax below, which is documented under Define and Configure Introscope Domains in the Security section of the APM 10.0 Documentation wiki:

 For Windows:

 java -classpath product\enterprisemanager\plugins\com.wily.introscope.em.client14_10.0.0.jar;lib\CLWorkstation.jar;product\enterprisemanager\configuration\org.eclipse.osgi\bundles\40\1\.cp\lib\WilyBouncyCastle.jar com.wily.util.encryption.KeyGenerator EM.public EM.private

 

 For Linux:

 /jre/bin/java -classpath "product/enterprisemanager/plugins/com.wily.introscope.em.client14_10.1.0.jar:lib/CLWorkstation.jar:product/enterprisemanager/configuration/org.eclipse.osgi/bundles/40/1/.cp/lib/WilyBouncyCastle.jar" com.wily.util.encryption.KeyGenerator EM.public EM.private 

 

 NOTES: The above example is for APM 10.0; the class file name and the osgi bundles directory node will change across versions. The keys are used only for password encryption/decryption, and they must be generated with the com.wily.util.encryption.KeyGenerator class shown above (keys produced by another tool will not be in the format the EM expects).
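A wrapper around the documented Linux command, added here as an example and not part of the CA documentation: it backs up the existing key pair before running the KeyGenerator, refuses to report success unless both files were written, and restricts the private key's permissions. It assumes EM_HOME is the Enterprise Manager install directory that the KB's relative classpath is resolved against, and that the bundled JRE is at EM_HOME/jre/bin/java unless a second argument overrides it (those two paths are assumptions; the classpath and class name come from the KB).

```shell
#!/bin/sh
# Added wrapper (not CA's own script) around the documented KeyGenerator call.
# Assumptions: EM_HOME is the Enterprise Manager install directory and the
# command runs from there (the KB's relative classpath requires this); the
# bundled JRE is at $EM_HOME/jre/bin/java unless a second argument overrides it.
# Usage: regen_em_keys <EM_HOME> [JAVA_BIN]
regen_em_keys() {
  em_home="$1"
  java_bin="${2:-$1/jre/bin/java}"
  # Classpath exactly as given in the KB for APM 10.0 on Linux; the client14 jar
  # version and the osgi bundles node (40/1) change between releases.
  cp_jars="product/enterprisemanager/plugins/com.wily.introscope.em.client14_10.1.0.jar"
  cp_jars="$cp_jars:lib/CLWorkstation.jar"
  cp_jars="$cp_jars:product/enterprisemanager/configuration/org.eclipse.osgi/bundles/40/1/.cp/lib/WilyBouncyCastle.jar"
  stamp=$(date +%Y%m%d%H%M%S)
  (
    cd "$em_home" || exit 1
    # Keep the old pair: passwords already encrypted in properties files can only
    # be decrypted with the key that encrypted them, so a rollback path is needed.
    for f in EM.public EM.private; do
      if [ -f "$f" ]; then cp -p "$f" "$f.bak.$stamp" || exit 1; fi
    done
    "$java_bin" -classpath "$cp_jars" com.wily.util.encryption.KeyGenerator EM.public EM.private || exit 1
    # Only succeed when both files exist and are non-empty.
    [ -s EM.public ] || exit 1
    [ -s EM.private ] || exit 1
    # The private key never leaves this Collector: owner read/write only.
    # The public key is the file copied to the MOM, so it may stay world-readable.
    chmod 600 EM.private || exit 1
    chmod 644 EM.public || exit 1
  )
}
```

After the run, copy the new EM.public to the MOM and update the MOM's Collector properties as the introduction describes; the timestamped .bak files are the rollback copies.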

 2. Using SSL for cluster communication between the MOM and Collectors is not supported, because SSL adds too much overhead for optimum communication performance. So the only thing that can be controlled is the EM public/private key pair used for password encryption. The keystore and truststore relate only to APM client-EM SSL communications, i.e. agent and Workstation SSL connections to the EM. This is covered in detail in the existing Tech Doc TEC1782586.