IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Enable password encryption in configuration files on z/OS
Agent autonomy configuration XML files include user credentials with passwords that can be entered in plain text. Securing access to these configuration files is usually adequate to secure the credentials. You can also add a layer of security by storing passwords in encrypted format within the configuration file.
If you are enabling SNMP alerts from the agent, SNMP v1 & v2c Community Strings and SNMP v3 Authentication and Privacy Passwords can be stored in encrypted format in the PCTRAPS.RKANDATV trap configuration file.
If you are enabling Centralized Configuration, the ConfigServer password attributes can be encrypted when they are stored in a PCCFGLST.RKANDATV Configuration Load List file or using the IRA_CONFIG_SERVER_PASSWORD parameter in the KPCENV environment file.
On Windows, Linux, and UNIX systems, password and community strings are encrypted and decrypted using the GSKit encryption utilities provided by the Tivoli Management Services infrastructure. On z/OS, GSKit is known as the Integrated Cryptographic Service Facility, or ICSF. If these strings are stored in encrypted format on z/OS, the ICSF subsystem must be available on the z/OS system, and the ICSF modules must be added to the z/OS monitoring agent startup PROC so that the agent can decrypt the strings for use.
Procedure
- Verify that you have at least one IBM cryptographic coprocessor installed and that the ICSF is installed.
- Create a KAES256 member in the RKANPARU data set in the z/OS agent runtime environment. Be sure to use the same encryption key that is used throughout your environment. If the z/OS Configuration Tool has already created a KAES256 member with the same encryption key for a Tivoli Enterprise Monitoring Server on z/OS and the z/OS agent is configured in the same runtime environment as the monitoring server, you can skip this step.
  - Copy the KAES256 member from the monitoring server's RKANPARU data set to the z/OS agent's RKANPARU data set.
  - Alternatively, you can copy the KAES256.ser file from the keyfiles directory of the distributed system where you will execute the itmpwdsnmp tool to encrypt password and community strings. Upload the KAES256.ser file to the KAES256 member of the z/OS agent's RKANPARU data set in binary mode. KAES256.ser is 48 bytes on distributed systems and is padded with blanks in the KAES256 member of the RKANPARU data set.
  - For instructions on using the z/OS Configuration Tool to create the KAES256 member, see the "Configuring hub and remote monitoring servers on z/OS" topic in Configure the Tivoli Enterprise Monitoring Server on z/OS.
- Concatenate ICSF modules to the existing startup PROC RKANMODL DDNAME of the z/OS agent. Edit the z/OS agent startup PROC and add ICSF support to the RKANMODL DDNAME. The following example illustrates RKANMODL where CSF.SCSFMOD0 is the data set that contains ICSF decryption modules:
    //RKANMODL DD DISP=SHR,DSN=my_load_modules
    //         DD DISP=SHR,DSN=TDOMPT.&LVMLVL..MODL
    //         DD DISP=SHR,DSN=TDOMPT.&CMSLVL..MODL
    //         DD DISP=SHR,DSN=CSF.SCSFMOD0
- Restart the monitoring server or the z/OS monitoring agent or both.
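The binary-mode upload in the procedure above can be checked by downloading the KAES256 member again in binary mode and comparing it with the original KAES256.ser file. The following Python script is an added example, not part of the IBM documentation or tooling; the names check_member and check_files, the accepted pad bytes, and the 80-byte record in the sample data are assumptions.

```python
import hmac
import sys

KEY_LEN = 48           # size of KAES256.ser on distributed systems, per the procedure
BLANKS = (0x40, 0x20)  # assumption: pad byte is an EBCDIC (0x40) or ASCII (0x20) blank


def check_member(ser: bytes, member: bytes) -> list:
    """Compare KAES256.ser with a binary download of the KAES256 member.

    Returns a list of problems; an empty list means the key survived the transfer.
    """
    problems = []
    if len(ser) != KEY_LEN:
        problems.append(f"KAES256.ser is {len(ser)} bytes, expected {KEY_LEN}")
    if len(member) < KEY_LEN:
        problems.append(f"member is {len(member)} bytes, key is truncated")
        return problems
    # Constant-time compare; key bytes are never echoed in the report.
    if not hmac.compare_digest(member[:KEY_LEN], ser):
        problems.append("key bytes differ (text-mode transfer or a different key)")
    bad = [KEY_LEN + i for i, b in enumerate(member[KEY_LEN:]) if b not in BLANKS]
    if bad:
        problems.append(f"non-blank padding at offsets {bad[:5]}")
    return problems


def check_files(ser_path: str, member_path: str) -> list:
    with open(ser_path, "rb") as s, open(member_path, "rb") as m:
        return check_member(s.read(), m.read())


if __name__ == "__main__":
    if len(sys.argv) == 3:
        results = {"files": check_files(sys.argv[1], sys.argv[2])}
    else:
        # Constructed sample data, not a real key; 32 pad bytes assume an 80-byte record.
        key = bytes(range(0x30, 0x60))
        results = {
            "binary upload": check_member(key, key + b"\x40" * 32),
            # Simulate an ASCII-to-EBCDIC translating transfer with Python's cp037 codec.
            "text upload": check_member(key, key.decode("latin-1").encode("cp037") + b"\x40" * 32),
        }
    for name, problems in results.items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
    sys.exit(1 if any(results.values()) else 0)
```

Run it with the paths of the original KAES256.ser and the downloaded member as its two arguments; with no arguments it runs against the constructed sample data.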
What to do next
Use the itmpwdsnmp utility to create the encrypted password and community strings. The utility is available only in the Tivoli Enterprise Monitoring Agent framework on distributed platforms. The agent framework can be installed from the Tivoli Monitoring Base DVD or Tivoli Monitoring Agent DVD. Run the itmpwdsnmp tool in interactive mode on the distributed system to encrypt the passwords that will be placed in the configuration files. For instructions, see SNMP PassKey encryption: itmpwdsnmp.