
Using Key Database Manager


The Key Database Manager utility allows you to add new encryption keys to the keyfile and to change the keyfile password. The Key Database Manager utility is named keydbmgr.exe and is located in the bin subdirectory of the Siebel Server directory.

Running Key Database Manager

Before running the Key Database Manager, make sure that the Name Server of the Siebel Gateway is running. The encryption key cache version used by the business components is stored in the Name Server.

CAUTION:  You must back up the keyfile before making changes to it. If the keyfile is lost or damaged, it may not be possible to recover the encrypted data without a backup keyfile.

To run the Key Database Manager

  1. Shut down any server components that are configured to use RC2 encryption.

    For information on shutting down server components, see Siebel Server Administration Guide.

  2. From the bin subdirectory in the Siebel Server directory, run keydbmgr.exe using the following syntax:

    keydbmgr /u db_username /p db_password /l language /c config_file

    For descriptions of the flags and parameters, see Table 4.

  3. When prompted, enter the keyfile password.
  4. To add a new encryption key, see Adding New Encryption Keys.

    To change the keyfile password, see Changing the Keyfile Password.

  5. To quit the utility, enter 3.
  6. Restart any server components that were shut down in Step 1.

    For information on starting server components, see Siebel Server Administration Guide.

Table 4 lists the flags and parameters for the Key Database Manager utility, keydbmgr.exe.

Table 4.  Key Database Manager Flags and Parameters
Flag   Parameter     Description
/u     db_username   Username for the database user
/p     db_password   Password for the database user
/l     language      Language type
/c     config_file   Full path to the configuration file, such as siebel.cfg

Adding New Encryption Keys

You can add new encryption keys to the keyfile. The RC2 Encryptor uses the latest key in the keyfile to encrypt new data; existing data is decrypted using the original key that was used for encryption, even if a newer key is available. There is no limit to the number of encryption keys that you can store in the keyfile.

CAUTION:  You must back up the keyfile before making changes to it. If the keyfile is lost or damaged, it may not be possible to recover the encrypted data without a backup keyfile.

To add new encryption keys

  1. Run the keydbmgr.exe utility from the bin subdirectory in the Siebel Server root directory.

    For information, see Running Key Database Manager.

  2. To add an encryption key to the keyfile, enter 2.
  3. Enter a seed to generate a new encryption key.

    The key must be at least 7 characters in length.

  4. Exit the Key Database Manager utility.

    When exiting the Key Database Manager utility, monitor any error messages that may be generated. If an error occurred, you may need to restore the backup version of the keyfile.

  5. Distribute the new keyfile to all Siebel Servers by copying the file to the admin subdirectory in the Siebel Server root directory.

    NOTE:  Field-level RC2 encryption is not supported for Mobile Web Clients or Dedicated Web Clients.

    Every Siebel Server in a deployment must use the same version of the keyfile. Inconsistent keyfiles may result in application errors. Make sure keyfiles are distributed to all machines when a new encryption key is added.

Changing the Keyfile Password

The keyfile is encrypted using an encryption key generated from a keyfile password. To prevent unauthorized access, you can change the keyfile password using the Key Database Manager utility. The keyfile will be re-encrypted using a new encryption key generated from the new keyfile password.

Before using RC2 encryption for the first time, you need to change the keyfile password because all versions of the Key Database Manager utility are shipped with the same default password. The default keyfile password is kdbpass. Consider changing the keyfile password regularly to make sure the file is secured.

CAUTION:  You must back up the keyfile before making changes to it. If the keyfile is lost or damaged, it may not be possible to recover the encrypted data without a backup keyfile.

To change the keyfile password

  1. Run the keydbmgr.exe utility from the bin subdirectory in the Siebel Server root directory.

    For more information, see Running Key Database Manager.

  2. To change the keyfile password, enter 1.
  3. Enter the new password.
  4. Confirm the new password.
  5. Quit the Key Database Manager utility.

    When exiting the Key Database Manager utility, monitor any error messages that may be generated. If an error occurred, you may need to restore the backup version of the keyfile.

  6. Distribute the new keyfile to all Siebel Servers by copying the file to the admin subdirectory in the Siebel Server root directory.

    NOTE:  Field-level RC2 encryption is not supported for Mobile Web Clients or Dedicated Web Clients.

    Every Siebel Server in a deployment must use the same version of the keyfile. Inconsistent keyfiles may result in application errors. Make sure keyfiles are distributed to all machines when any changes are made.
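
The backup and distribution requirements in both procedures above can be checked mechanically. The following PowerShell is an added example, not part of the Siebel documentation or tooling: the function names Backup-Keyfile and Test-KeyfileConsistency, the file name keyfile.demo, and the temporary folders standing in for each server's admin subdirectory are all assumptions made for illustration.

```powershell
# Added example (hypothetical helpers, not Siebel tooling).
function Backup-Keyfile {
    param([Parameter(Mandatory)][string]$Keyfile,
          [Parameter(Mandatory)][string]$BackupDir)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $BackupDir ("{0}.{1}.bak" -f (Split-Path $Keyfile -Leaf), $stamp)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Copy-Item -LiteralPath $Keyfile -Destination $target -ErrorAction Stop
    # Refuse to continue unless the backup is byte-identical to the original.
    $src = (Get-FileHash -LiteralPath $Keyfile -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $target  -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Backup $target does not match $Keyfile" }
    return $target
}

function Test-KeyfileConsistency {
    param([Parameter(Mandatory)][string]$Reference,
          [Parameter(Mandatory)][string[]]$Copies)
    # Compare each server's copy with the reference keyfile by SHA-256.
    $want = (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash
    foreach ($path in $Copies) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'MISSING' }
            continue
        }
        $got = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{ Path = $path; Status = $(if ($got -eq $want) { 'OK' } else { 'MISMATCH' }) }
    }
}

# Constructed demo: temp folders stand in for the admin subdirectory on three servers.
$root  = Join-Path ([IO.Path]::GetTempPath()) ("keyfile-demo-" + [guid]::NewGuid())
$files = 'srv1', 'srv2', 'srv3' | ForEach-Object {
    $admin = New-Item -ItemType Directory -Force -Path (Join-Path (Join-Path $root $_) 'admin')
    Join-Path $admin.FullName 'keyfile.demo'
}
$files | ForEach-Object { Set-Content -LiteralPath $_ -Value 'constructed keyfile v1' }

# Back up before any change is made to the keyfile.
$backup = Backup-Keyfile -Keyfile $files[0] -BackupDir (Join-Path $root 'backup')

# Simulate the keyfile changing on srv1 and the new file reaching srv2 but not srv3.
$files[0..1] | ForEach-Object { Set-Content -LiteralPath $_ -Value 'constructed keyfile v2' }
Test-KeyfileConsistency -Reference $files[0] -Copies $files[1..2]
```

In a real deployment, pass the actual keyfile path as -Reference and the path to each Siebel Server's copy as -Copies; any row that is not OK identifies a server still holding a different keyfile.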


 Security Guide for Siebel eBusiness Applications 
 Published: 23 June 2003