This chapter provides instructions for using the Cryptography tool in Argus Safety.
Argus Safety uses dynamically generated encryption keys for passwords within the system. The Cryptography Key Editor allows you to generate a dynamic key and then encrypt passwords using that key. The generated key must be installed on each application server and must be the same on all of them so that all servers can communicate with the Argus Safety Database.
The key is stored in the ArgusSecureKey.ini file located in the .\Windows folder.
During a new environment installation, a key will need to be generated prior to creating a database.
During an upgrade, a key will need to be generated prior to upgrading or an existing key from the existing setup can be used to perform the database upgrade. You must also ensure that the password information specified in the database is consistent with the information provided in the ArgusSecureKey.ini file.
Once the key file has been created, it should be copied to the .\Windows folder on all application servers (web, transaction, etc.).
Note: Do not run the Cryptography Key Editor on each application server to generate passwords. It need only be run once during the initial system setup. Subsequent server installations must have the key manually copied to each .\Windows folder.
Note: Once the ArgusSecureKey.ini file has been generated, there is no need to run this tool again while launching Argus Safety Schema Creation Tool. The tool should only be run again if you are resetting passwords, keys or have lost the ArgusSecureKey.ini file.
Whether you are upgrading to Argus Safety 7.0.2 or installing a fresh instance of it, it will be necessary to generate new keys using the Cryptography Key Editor. The first step is to create or upgrade the database. After creating or upgrading the database, all application servers will need to be updated by copying the ArgusSecureKey.ini to their respective .\Windows folder.
Prior to creating a 7.0.2 database or upgrading to a 7.0.2 database, a new Cryptography Key needs to be generated using the Cryptography Key Editor. Running the Schema Creation tool prior to creating the key will inform the user that the cryptography key is required.
To generate a new Cryptography key, refer to the Generating a New Cryptography Key section.
You must also run the Argus Safety Schema Creation Tool to create or upgrade the database.
After the application servers have been installed with 7.0.2, copy the ArgusSecureKey.ini file from the .\Windows folder of the system which was used to create or upgrade the database to the .\Windows folder of each installed application server.
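To confirm that the copy step left every application server with the same key file, compare file hashes against the machine that was used to create or upgrade the database. This is an added example, not part of the Argus Safety tooling; the function name Compare-ArgusKeyFile, the host names and the C:\Windows path are assumptions, and the demo files are constructed.

```powershell
# Added example: verify every application server holds the same ArgusSecureKey.ini.
# Only hashes are compared and shown; the key file contents are never displayed.
function Compare-ArgusKeyFile {
    param(
        [Parameter(Mandatory)] [string]   $ReferencePath,  # file on the machine that created/upgraded the database
        [Parameter(Mandatory)] [string[]] $TargetPath      # one path per application server
    )
    $refHash = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash
    foreach ($path in $TargetPath) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'Missing'; $hash = $null
        } else {
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $status = if ($hash -eq $refHash) { 'Match' } else { 'Mismatch' }
        }
        [pscustomobject]@{ Path = $path; Status = $status; SHA256 = $hash }
    }
}

# Constructed demo: temp folders stand in for the database host and three application servers.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("argus-key-demo-" + [guid]::NewGuid())
$dirs = 'dbhost', 'web01', 'txn01', 'web02' | ForEach-Object {
    (New-Item -ItemType Directory -Force -Path (Join-Path $root $_)).FullName
}
Set-Content -LiteralPath (Join-Path $dirs[0] 'ArgusSecureKey.ini') -Value 'constructed-key-A'
Copy-Item   -LiteralPath (Join-Path $dirs[0] 'ArgusSecureKey.ini') -Destination $dirs[1]
Set-Content -LiteralPath (Join-Path $dirs[2] 'ArgusSecureKey.ini') -Value 'constructed-key-B'  # stale key
# web02 never received the file

$results = Compare-ArgusKeyFile -ReferencePath (Join-Path $dirs[0] 'ArgusSecureKey.ini') `
    -TargetPath ($dirs[1..3] | ForEach-Object { Join-Path $_ 'ArgusSecureKey.ini' })
$results | Format-Table Status, Path, SHA256 -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force

# Real use (hypothetical host names; assumes C:\Windows and reachable admin shares):
# Compare-ArgusKeyFile -ReferencePath 'C:\Windows\ArgusSecureKey.ini' `
#     -TargetPath '\\web01\C$\Windows\ArgusSecureKey.ini', '\\txn01\C$\Windows\ArgusSecureKey.ini'
```

Any server reported as Missing or Mismatch needs the current key file copied to it before it can communicate with the database.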
Prior to running the Schema Creation tool the first time, it is necessary to generate a key file (ArgusSecureKey.ini) using the Cryptography Key Editor.
To create a new Cryptography Key, follow these steps:
Launch the Cryptography Key Editor. The Key Editor Utility screen appears.
Click New.
The following screen appears.
In the Note to be added as comment field, enter a comment that will be saved in the ArgusSecureKey.ini. This can be any form of metadata, such as why this key was generated or for what environments it is used.
In the Enter ARGUSUSER password field, enter the password for the database user called ARGUSUSER.
Confirm the password in the Confirm password field.
Click OK. The ArgusSecureKey.ini file is created in the <Installation folder>\CryptoKeyEditor\output\<DateTimeStamp>\ folder. The Argus Secure Key Path dialog is displayed.
Click the link in the Argus Secure Key Path dialog to open the folder in Windows Explorer.
Click Close, I will copy it manually to close the dialog and copy the file manually from the window that gets opened by clicking on the link mentioned above (in step 9).
Click Copy to windows folder to move the generated ArgusSecureKey.ini file to the .\Windows folder.
This section lists the steps to perform the following tasks:
If the password for the database user "ARGUSUSER" has changed, you will need to reset the password in the ArgusSecureKey.ini file on all the servers.
Execute the following steps to reset the ARGUSUSER password:
Launch the Cryptography Key Editor. The Key Editor Utility screen appears.
Click Existing. The Key Editor Login or Re-encrypt ARGUSUSER screen appears.
In the Enter the ARGUSUSER password field, enter the password for the database user called ARGUSUSER.
Enter the name of the database in the Database name field.
Click Re-encrypt. The following dialog appears.
Click Yes.
Copy the updated ArgusSecureKey.ini file from the .\Windows folder to the .\Windows folder of all the application servers.
Verify that you can log in to the Argus Safety application.
An administrator might want to change a key for various reasons, such as a policy to change the key every few days, a network compromise, etc.
Execute the following steps to edit the cryptography keys:
Launch the Cryptography Key Editor. The Key Editor Utility screen appears.
Click Existing. The Key Editor Login or Re-encrypt ARGUSUSER screen appears.
In the Enter the ARGUSUSER password field, enter the password for the database user called ARGUSUSER.
Enter the name of the database in the Database name field.
Click Login. The following Key Editor Options for Existing Installation screen appears.
Enter the DBA User Name and User Password.
Click Validate.
Check the Edit Key checkbox. This enables the child checkboxes of User Key and Cookie Key.
The User Key is used for all the encrypted strings which are persisted in the database or file server.
The Cookie Key is only used to encrypt and decrypt the key.
The user has the option to change either one or both keys.
Select the checkboxes in front of the key that you want to change.
Change the Key Size drop-down list value, if you wish to change the key size. Key Size is measured in bits of the key used in a cryptographic algorithm.
Click Re-Generate. This will change the value of the checked items and the new value will be visible in the textbox.
Click Execute. The Reason for this Action dialog is displayed, prompting the user to add a reason for his action.
The text entered here is visible in the Audit Log in the Argus Safety application.
Click OK.
Check the status box to verify if the operation has been successful.
If the operation is successful and the Cryptography key is checked, then the changed key is now stored in the ArgusSecureKey.ini. You should now copy this file from the .\Windows folder of the current machine and paste it to the .\Windows folder of all web servers.
When the user key is changed, all the encrypted strings in the database are re-encrypted using the new key. However, there are still some other file server locations where this key change must also be applied manually. The following is a list of places where the changes must be done manually:
Items to be changed from the User Interface:
Argus Services: Open Argus Safety Service Configuration: Open all the processes and enter password again
Cyclone: Open ESM Mapping utility and re-enter the Cyclone password
ESM Common User: Open ESM Mapping utility and re-enter the ESM Common User password
Re-enter the DBPassword in the configuration files, as explained in the following sections:
Point 2 of the RelsysWindowsService.exe.config sub-section
Point 5 of the Configuring the Dossier Application section
The Product License Study Interface section
The Key Editor Options for Existing Installation screen can also be used to change the common user (ARGUS_LOGIN, ARGUS_LOGIN_I, and ARGUS_LOGIN_IPS) passwords.
Execute the following steps to re-encrypt the common user passwords:
Launch the Cryptography Key Editor. The Key Editor Utility screen appears.
Click Existing. The Key Editor Login or Re-encrypt ARGUSUSER screen appears.
In the Enter the ARGUSUSER password field, enter the password for the database user called ARGUSUSER.
Enter the name of the database in the Database name field.
Click Login. The following Key Editor Options for Existing Installation screen appears.
Enter the DBA User Name and User Password.
Click Validate.
Check the Re-encrypt checkbox.
Enter the passwords for the common users.
Click Execute. The Reason for this Action dialog is displayed, prompting the user to add a reason for his action.
The text entered here is visible in the Audit Log in the Argus Safety application.
Click OK.
Check the status box to verify if the operation has been successful.
Generate the encrypted string from clear text, using the configured UserCryptoKey in ArgusSecureKey.ini.
Execute the following steps to re-encrypt the common user passwords:
Launch the Cryptography Key Editor. The Key Editor Utility screen appears.
Click Existing. The Key Edit Login screen appears.
In the Enter the ARGUSUSER password field, enter the password for the database user called ARGUSUSER.
Enter the name of the database in the Database name field.
Click Login. The following Key Editor Options for Existing Installation screen appears.
Enter the DBA User Name and User Password.
Click Validate.
Check the Generate Encrypted checkbox.
Enter the password in the Clear text field.
Click Execute. The Reason for this Action dialog is displayed, prompting the user to add a reason for his action.
The text entered here is visible in the Audit Log in the Argus Safety application.
Click OK.
Check the status box to verify if the operation has been successful. If the operation is successful, the encrypted string is displayed in the Encrypted String field.
This section lists the steps to be followed in resetting the environment if the ArgusSecureKey.ini is lost. In such a scenario, execute the following steps:
Follow the steps listed in the Resetting the ARGUSUSER Password section to generate a new key and copy it to the Windows folder.
Follow the steps listed in the Re-encrypting Common User Passwords section to re-encrypt common user passwords.
Re-encrypt strings in the following locations:
LDAP: Clear column LDAP_SEARCH_PASSWORD in all rows from table CFG_LDAP_SERVERS. Now open Argus Console -> System Configuration -> System Management -> LDAP and re-enter passwords for all configurations
SMTP: Clear column USER_PASSWORD in all rows from table CFG_SMTP. Now open Argus Console -> System Configuration -> SMTP Configuration and re-enter passwords for SMTP account
Documentum: Clear column VALUE for row where SECTION='DATABASE' AND KEY='DOCUMENTUM_PASSWORD' from table CMN_PROFILE_ENTERPRISE. Now open Argus Console -> System Configuration -> Common profile Switches to re-enter Documentum password
Argus Services: Open Argus Safety Service Configuration: Open all the processes and enter password again
Cyclone: Open ESM Mapping utility and re-enter the Cyclone password
ESM Common User: Open ESM Mapping utility and re-enter the ESM Common User password
Re-enter the DBPassword in the configuration files, as explained in the following sections:
Point 2 of the RelsysWindowsService.exe.config sub-section
Point 5 of the Configuring the Dossier Application section
The Product License Study Interface section