I Customizing AES Encryption Key

Perform the following procedure to configure and customize an AES encryption key:

  1. Open the propertyEncrypt.bat or propertyEncrypt.sh file and add the 16-byte key that you will use to encrypt the data. The propertyEncrypt.bat or propertyEncrypt.sh file is located in the scripts directory of the connector installation media.

    For example, %JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil TEST12344321TEST

  2. Save the file and run the propertyEncrypt.bat or propertyEncrypt.sh file.

    Your input value: test12344321test

    Your input value as HEX: 74657374313233343433323174657374

    Final encrypted value as HEX: 52810283F6B4E0A5D82FDE935E23ED7C

    Press any key to continue.

    The final encrypted value as HEX in this output is the key used in the command window for both the LDAP gateway and the mainframe agents.

  3. To use your own key with the LDAP gateway, you must add it to the properties file for the mainframe connector that you are using. The property file used for the Top Secret mainframe connector is tops.properties. The key is a 32-character HEX value.

    Define a property called _secretKeyValue_ to store the key you want to use.

    The value defined is the same in all the property files.

    For example, _secretKeyValue_=52810283F6B4E0A5D82FDE935E23ED7C

    Note:

    The LDAP Gateway must be restarted for the new key to take effect.

  4. Once you have defined the key in the LDAP property file, you will need to set the key on the mainframe side.

    An MVS job called KEYMODR sets the key on the mainframe side. It ships with the distribution JCL files in the JCLLIB.xmi library, as follows:

    //ADCDZZAP JOB ,SYSTEMS,CLASS=A,MSGCLASS=X,
    // MSGLEVEL=(1,1),REGION=4096K,TIME=1440,NOTIFY=&SYSUID
    //ZAPKEY EXEC PGM=AMASPZAP
    //SYSPRINT DD SYSOUT=*
    //SYSLIB DD DISP=SHR,DSN=MLIGHT.MY.LOAD
    //SYSIN DD *
    NAME IDFRINFO IDFRINFO
    * VERIFY EYECATHER IS PRESENT
    VER 0080 C9C4,C6D9,C9D5,C6D6 'IDFRINFO'
    * SET KEYLEN = 100
    REP 0088 0064
    * SET 1ST 16 BYTES WITH YOUR KEY
    REP 008A 7CC7,3006,074D,E87A,A647,2FC4,3BA4,5DB1
    * SET 2ND 16 BYTES WITH ANYTHING (FOR FUTURE USE)
    REP 009A D2D3,D4D5,D6D7,D8D9,E2E3,E4E5,E6E7,E8E9
    * SET 3RD 16 BYTES WITH ANYTHING (FOR FUTURE USE)
    REP 00AA F6F7,F8F9,F9F9,F9F9,F9F9,F9F9,F9F9,F9F9
    * SET 4th 16 BYTES WITH THE DATE (2013082013200000)
    REP 00BA F2F0,F1F3,F0F8,F2F0,F1F3,F3F0,F0F0,F0F0
    //

  5. To use the BATCH JCL, perform the following procedure:

    1. Change the job card to conform to the standards of your system.

    2. Change the following line to set the DSN of the link library (linklib) for the mainframe agent:

      //SYSLIB DD DISP=SHR,DSN=MLIGHT.MY.LOAD

    3. Change the following line to set your key value:

      * SET 1ST 16 BYTES WITH YOUR KEY

      REP 008A 7CC7,3006,074D,E87A,A647,2FC4,3BA4,5DB1

      Do not change the beginning of the line, REP 008A. You can change the rest of the line to match your key: use four hex characters at a time, each group followed by a comma, as shown above.

    4. Change the following line to set the date for your key:

      * SET 4th 16 BYTES WITH THE DATE (2013082013200000)

      REP 00BA F2F0,F1F3,F0F8,F2F0,F1F3,F3F0,F0F0,F0F0

      Do not change the beginning of the line, REP 00BA. You can change the rest of the line to match the date on which you changed the key.

      Note:

      EBCDIC HEX values for the digits 0 through 9 are used; they are F0 through F9.

      The format of the date is YYYYMMDDHHMMSSMM (year, month, day, hour, minutes, seconds, milliseconds). The date is optional, but it helps in identifying the key.

      After you have made the changes, submit the job to apply them.

      Additionally, note that Pioneer and Voyager must be restarted for the new key to take effect.

      If AMASPZAP is not allowed, follow the instructions below:

      The procedure to change the key is very similar to the directions for the KEYMODR JCL. The first line, for KEYBYTES, is changed, after which the fourth line, for the key date, must also be changed.

      EBCDIC HEX values for the digits 0 through 9 are used; they are F0 through F9. The format of the date is YYYYMMDDHHMMSSMM (year, month, day, hour, minutes, seconds, milliseconds). The date is optional, but it helps in identifying the key.

      In addition to changing the job card, you must change the following in IDFRINFO:

      EYECATCH DC C'IDFRINFO'
      INFOLEN  DC H'100'
      KEYBYTES DC X'D880D7614C07088BC2D51A1945FDB6B4'
               DC X'D8D9E2E3E4E5E6E7E8E9F0F1F2F3F4F5'
               DC X'F6F7F8F9F9F9F9F9F9F9F9F9F9F9F9F9'
               DC X'F2F0F0F6F1F0F2F6F1F4F2F5F0F0F0F0'
               DC 86X'0'
               END IDFRINFO

      KEYBYTES (the first 16-byte DC X statement) holds the key; ensure that you change it. The second and third 16-byte DC X statements are reserved for later use; keep them as they are. The fourth 16-byte DC X statement is the date on which the key was changed.

      Once you have changed the key and have assembled and linked IDFRINFO, replace the IDFRINFO module supplied with the connector with your version.

    The LDAP gateway server settings must also be updated to use the new key. To configure the LDAP gateway, perform the following steps:

    1. Stop the LDAP gateway server (if it is running).

    2. Open the racf.properties file, located in the LDAP_INSTALL_DIR/conf directory.

    3. Modify the value of the _secretKey_ property to match the new key.

    4. Save and close the file.

    5. Restart the LDAP gateway server.