Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01

Managing the Key File Using the Key Database Manager

This topic describes how to run the Key Database Manager utility to add new encryption keys to the key file (keyfile.bin) and to change the key file password. The AES Encryptor uses the key in the key file to encrypt new data.


Caution:

You must back up the key file before making changes to it. If the key file is lost or damaged, then it is not possible to recover the encrypted data without a backup key file.

The Key Database Manager utility is named keydbmgr.exe on Microsoft Windows and keydbmgr on UNIX operating systems. It is located in the bin subdirectory of the Siebel Server directory.


Caution:

Before starting a migration installation for Siebel Enterprise Server, you must make a copy of the original key file (keyfile.bin). You must do this because when data encryption is enabled, the migration process creates a new key file overwriting your existing keyfile.bin. After the migration installation, copy back the original key file. For more information about Siebel migration installation, see Siebel Installation Guide for the operating system you are using.

To run the Key Database Manager 

  1. Shut down any server components that are configured to use encryption.

    For information on shutting down server components, see Siebel System Administration Guide.

  2. From the bin subdirectory in the Siebel Server directory, run Key Database Manager using the following syntax:

    keydbmgr /u db_username /p db_password /l language /c config_file
    

    For descriptions of the flags and parameters, see Table 4-3.

  3. When prompted, enter the key file password.

  4. To exit the utility, enter 3.

  5. Restart any server components that were shut down in Step 1.

    For information on starting server components, see Siebel System Administration Guide.

Table 4-3 lists the flags and parameters for the Key Database Manager utility.

Table 4-3 Key Database Manager Flags and Parameters

| Flag | Parameter | Description |
|------|-----------|-------------|
| /u | db_username | User name for the database user |
| /p | db_password | Password for the database user |
| /l | language | Language type |
| /c | config_file | Full path to the application configuration file (siebel.cfg for Siebel Sales). |


The following topics provide information on adding new encryption keys to the key file and changing the key file password:

Adding New Encryption Keys

You can add new encryption keys to the key file, keyfile.bin, which is located in the SIEBSRVR_ROOT/admin directory. The AES Encryptor uses the latest key in the key file to encrypt new data; existing data is decrypted using the original key that was used for encryption, even if a newer key is available. There is no limit to the number of encryption keys that you can store in the key file.


Caution:

You must back up the key file before making changes to it. If the key file is lost or damaged, then it is not possible to recover the encrypted data without a backup key file.

To add new encryption keys 

  1. Shut down any server components that are configured to use encryption.

  2. From the SIEBSRVR_ROOT/bin directory, run Key Database Manager.

    For details, see "Managing the Key File Using the Key Database Manager".

  3. To add an encryption key to the key file, enter 2.

  4. Enter some seed data to provide random data used in generating the new encryption key.

    The key must be at least seven characters and no more than 255 characters in length.

  5. Exit the utility by entering 3.

    When exiting the Key Database Manager utility, monitor any error messages that are generated. If an error occurs, then you might have to restore the backup version of the key file.

  6. Distribute the new key file by copying the file to the SIEBSRVR_ROOT/admin directory of all Siebel Servers in the Enterprise.


    Caution:

    When copying the keyfile.bin file to Siebel Servers, take care that the file does not become damaged. If the key file is damaged, then it is impossible to recover encrypted data without a backup key file.

  7. Restart any server components that were shut down in Step 1.

    For information on starting server components, see Siebel System Administration Guide.

Changing the Key File Password

The key file is encrypted by the key file password. To prevent unauthorized access, you can change the key file password using the Key Database Manager utility. The key file is re-encrypted using a new encryption key generated from the new key file password.

Before using AES encryption for the first time, change the key file password, because all versions of the Key Database Manager utility are shipped with the same default password. The default key file password is kdbpass. Consider changing the key file password regularly to make sure the file is secured.


Caution:

You must back up the key file before making changes to it. If the key file is lost or damaged, then it is not possible to recover the encrypted data without a backup key file.

To change the key file password 

  1. Shut down any server components that are configured to use encryption.

  2. Run the Key Database Manager utility from the bin subdirectory in the Siebel Server directory.

    For more information, see "Managing the Key File Using the Key Database Manager".

  3. To change the key file password, enter 1.

  4. Enter the new password.

  5. Confirm the new password.

  6. Exit the utility by entering 3.

    When exiting the Key Database Manager utility, monitor any error messages that might be generated. If an error occurs, then you might have to restore the backup version of the key file.

  7. Distribute the new key file to all Siebel Servers by copying the file to the admin subdirectory in the Siebel Server root directory.

  8. Restart any server components that were shut down in Step 1.

    For information on starting server components, see Siebel System Administration Guide.
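
The backup and distribution cautions in the two procedures above ("To add new encryption keys" and "To change the key file password") can be enforced with a digest check on UNIX, as in this added example, which is not part of the Siebel documentation or Oracle's tooling. It assumes sha256sum is available; the function names, the backup directory, and the demo file are hypothetical, and the script does not call keydbmgr itself.

```shell
#!/bin/sh
# Added example: guard keyfile.bin around a Key Database Manager change.
# Assumes sha256sum (GNU coreutils); function names are hypothetical.

# Print the SHA-256 digest of a file (hex only).
keyfile_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# backup_keyfile KEYFILE BACKUP_DIR
# Copy the key file to a timestamped backup, record its digest in a
# .sha256 sidecar, and confirm the backup matches. Prints the backup path.
backup_keyfile() {
    src=$1; dest_dir=$2
    [ -s "$src" ] || { echo "key file missing or empty: $src" >&2; return 1; }
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
    dest="$dest_dir/keyfile.bin.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" && chmod 600 "$dest" || return 1
    keyfile_digest "$dest" > "$dest.sha256"
    [ "$(keyfile_digest "$src")" = "$(cat "$dest.sha256")" ] || {
        echo "backup does not match original: $dest" >&2; return 1; }
    echo "$dest"
}

# verify_keyfile_copy MASTER COPY
# Succeeds only if COPY has the same SHA-256 digest as MASTER.
verify_keyfile_copy() {
    master=$1; copy=$2
    [ -s "$copy" ] || { echo "copy missing or empty: $copy" >&2; return 1; }
    if [ "$(keyfile_digest "$master")" != "$(keyfile_digest "$copy")" ]; then
        echo "DAMAGED: $copy differs from $master" >&2
        return 1
    fi
    echo "OK: $copy"
}

# Demo on a constructed stand-in file (not a real Siebel key file).
demo() {
    work=$(mktemp -d) || return 1
    printf 'constructed sample bytes' > "$work/keyfile.bin"
    backup_keyfile "$work/keyfile.bin" "$work/backup" || return 1
    cp "$work/keyfile.bin" "$work/server2_keyfile.bin"
    verify_keyfile_copy "$work/keyfile.bin" "$work/server2_keyfile.bin"
    rc=$?
    rm -rf "$work"
    return "$rc"
}
demo
```

Run backup_keyfile before starting the utility, and run verify_keyfile_copy against the copy in each Siebel Server's admin directory before restarting the server components.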