21 Argus Password Management - Cryptography Tool

Argus Safety uses dynamically generated encryption keys for passwords within the system. The Cryptography Key Editor allows you to generate a dynamic key and then encrypt passwords with that key. The generated key must be installed on each application server, and the same key must be used on all of them so that every server can communicate with the Argus Safety Database.

The key is stored in the ArgusSecureKey.ini file located in the .\Windows folder.

IMPORTANT: During a new environment installation, a key will need to be generated prior to creating a database.

During an upgrade, either generate a key before upgrading or use an existing key from the existing setup to perform the database upgrade. Make sure that the password information specified in the database is consistent with the information provided in the ArgusSecureKey.ini file.

Note:

Once the ArgusSecureKey.ini file has been generated, there is no need to run this tool again when launching the Argus Safety Schema Creation Tool. Run the tool again only if you are resetting passwords or keys, or have lost the ArgusSecureKey.ini file.

When the key file is created, copy it to the .\Windows folder on all application servers (web, transaction, etc.).

Note:

Do not run the Cryptography Key Editor on each application server to generate passwords. It need only be run once during the initial system setup. Subsequent server installations must have the key manually copied to each .\Windows folder.

21.1 Install or Upgrade to Argus Safety 8.1.1

Whether you are upgrading to Argus Safety 8.1.1 or installing a fresh instance of it, you must generate a new key using the Cryptography Key Editor.

21.1.1 Generate New Cryptography Key

You must generate the ArgusSecureKey.ini key file before running the Schema Creation tool.

  1. Launch the Cryptography Key Editor.

    The Key Editor Utility screen appears.

  2. Click New.

    The Generate Key screen appears.

  3. In the Note to be added as comment field, enter a comment that will be saved in the ArgusSecureKey.ini.

    This can be any form of metadata, such as the reason why this key was generated or for what environments it is used.

  4. Enter ARGUSUSER password.

  5. Confirm password.

  6. Click OK.

    The ArgusSecureKey.ini file is created in the <Installation folder>\CryptoKeyEditor\output\<DateTimeStamp>\ folder.

  7. Click the link in the Argus Secure Key Path dialog box to open the folder in Windows Explorer.

  8. Click Close, I will copy it manually, and then copy the file yourself from the Windows Explorer window opened by the link in the previous step.

  9. To move the generated ArgusSecureKey.ini file to the .\Windows folder, click Copy to windows folder.

21.1.2 Argus Safety 8.1.1 Database

Run the Argus Safety Schema Creation Tool to create or upgrade the database. If you run the Schema Creation tool before creating the key, a warning message appears that the cryptography key is required.

21.1.3 Argus Safety 8.1.1 Application Servers

After setting up the application servers, copy the ArgusSecureKey.ini file from the .\Windows folder of the system where the database was created or upgraded, and use it to replace the file in the .\Windows folder of each installed application server.

21.2 Reset Password or Change the Cryptography Key

21.2.1 Reset the ARGUSUSER Password

If the password for the database user ARGUSUSER has changed, you will need to reset the password in the ArgusSecureKey.ini file on all the servers.

  1. Launch the Cryptography Key Editor.

    The Key Editor Utility screen appears.

  2. Click Existing.

    The Key Editor Login or Re-encrypt ARGUSUSER screen appears.

  3. In the Enter the ARGUSUSER password field, enter the password for the database user called ARGUSUSER.

  4. Enter the name of the database in the Database name field.

  5. Click Re-encrypt.

    A confirmation dialog appears.

  6. Click Yes.

  7. Copy the updated ArgusSecureKey.ini file from the .\Windows folder to the .\Windows folder of all the application servers.

  8. Verify that you can log in to the Argus Safety application.

21.2.2 Edit Keys

An administrator might want to change a key for various reasons, such as a policy that requires changing the key every few days, or to guard against network compromise.

  1. Launch the Cryptography Key Editor.

    The Key Editor Utility screen appears.

  2. Click Existing.

    The Key Editor Login or Re-encrypt ARGUSUSER screen appears.

  3. Enter the ARGUSUSER password.

  4. Enter the Database name.

  5. Click Login.

    The Key Editor Options for Existing Installation screen appears.

  6. Enter the DBA User Name and User Password.

  7. Click Validate.

  8. Select the Edit Key checkbox.

    This enables the child checkboxes of User Key and Cookie Key.

    The User Key is used for all the encrypted strings which are persisted in the database or file server.

    The Cookie Key is only used to encrypt and decrypt the key.

    The user has the option to change either one or both keys.

  9. Select the checkboxes in front of the key that you want to change.

  10. To change the key size, select a new value from the Key Size drop-down list. Key size is the length, in bits, of the key used in a cryptographic algorithm.

  11. Click Re-Generate.

    This will change the value of the checked items and the new value will be visible in the textbox.

  12. Click Execute.

    The Reason for this Action dialog box appears, prompting the user to add a reason for the action.

    The text entered here is visible in the Audit Log in the Argus Safety application.

  13. Click OK.

  14. Check the status box to verify if the operation has been successful.

  15. If the operation is successful and the Cryptography key is checked, then the changed key is now stored in the ArgusSecureKey.ini.

    You should now copy this file from the .\Windows folder of the current machine and paste it to the .\Windows folder of all web servers.

  16. When the user key is changed, all the encrypted strings in the database are re-encrypted using the new key.

    However, there are still some other file server locations where this key change must also be applied manually. The following is a list of places where the changes must be done manually:

  17. Items to be changed from the User Interface:

    | String | Description |
    |---|---|
    | Argus Services | Open Argus Safety Service Configuration: Open all the processes and enter password again. |
    | Cyclone | Open ESM Mapping utility and re-enter the Cyclone password. |
    | ESM Common User | Open ESM Mapping utility and re-enter the ESM Common User password. |

  18. Re-enter the DBPassword in the configuration files, as explained in the following sections:

    1. Point 2 of Section 9.1.3.1, "RelsysWindowsService.exe.config".

    2. Point 5 of Section 14.2, "Configure Dossier".

    3. Section 19.7, "Product License Study Interface".
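
The copy steps in Sections 21.1.3, 21.2.1, and 21.2.2 leave several servers holding what must be the same ArgusSecureKey.ini file. The following PowerShell is an added example, not part of the Argus Safety tooling: it compares the SHA-256 hash of each copy against a reference copy and reports missing or mismatched files. The function name, the temporary demonstration files, and the server names and C$ share paths in the closing comment are assumptions.

```powershell
# Added example (not Oracle code): report ArgusSecureKey.ini copies that are
# missing or differ from the reference copy. Hashes are compared, never printed.
function Test-ArgusKeyConsistency {
    param(
        [Parameter(Mandatory)] [string]   $ReferencePath,
        [Parameter(Mandatory)] [string[]] $CandidatePath
    )
    # Stop immediately if the reference copy itself cannot be read.
    $reference = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256 -ErrorAction Stop).Hash
    foreach ($path in $CandidatePath) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; LastWriteTimeUtc = $null }
            continue
        }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
        $status = if ($hash -eq $reference) { 'Match' } else { 'Mismatch' }
        [pscustomobject]@{
            Path             = $path
            Status           = $status
            LastWriteTimeUtc = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        }
    }
}

# Constructed demonstration: temporary files with placeholder text stand in for
# the reference key file and for the copies on three servers.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('argus-key-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$ref = Join-Path $demo 'reference.ini'
Set-Content -LiteralPath $ref -Value 'constructed placeholder, not a real key file'
Copy-Item -LiteralPath $ref -Destination (Join-Path $demo 'web01.ini')            # in sync
Set-Content -LiteralPath (Join-Path $demo 'txn01.ini') -Value 'stale placeholder' # drifted
$copies = 'web01.ini', 'txn01.ini', 'web02.ini' | ForEach-Object { Join-Path $demo $_ }
Test-ArgusKeyConsistency -ReferencePath $ref -CandidatePath $copies | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse

# Real use. Assumptions: .\Windows is C:\Windows, the C$ administrative share is
# reachable, and the server names are hypothetical.
# $paths = 'argus-web01', 'argus-txn01' |
#     ForEach-Object { '\\{0}\C$\Windows\ArgusSecureKey.ini' -f $_ }
# Test-ArgusKeyConsistency -ReferencePath "$env:windir\ArgusSecureKey.ini" -CandidatePath $paths
```

A Missing or Mismatch row means that server still needs the current file copied into its .\Windows folder.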

21.2.3 Re-encrypt Common User Passwords

The Key Editor Options for Existing Installation screen can also be used to change the common user (ARGUS_LOGIN, ARGUS_LOGIN_I, and ARGUS_LOGIN_IPS) passwords.

  1. Launch the Cryptography Key Editor.

    The Key Editor Utility screen appears.

  2. Click Existing.

    The Key Editor Login or Re-encrypt ARGUSUSER screen appears.

  3. Enter the ARGUSUSER password.

  4. Enter the Database name.

  5. Click Login.

    The Key Editor Options for Existing Installation screen appears.

  6. Enter the DBA User Name and User Password.

  7. Click Validate.

  8. Check the Re-encrypt checkbox.

  9. Enter the passwords for the common users.

  10. Click Execute.

    The Reason for this Action dialog box appears, prompting the user to add a reason for the action.

  11. The text entered here is visible in the Audit Log in the Argus Safety application.

  12. Click OK.

  13. Check the status box to verify if the operation has been successful.

21.2.4 Generate Encrypted String

Generate the encrypted string from clear text, using the configured UserCryptoKey in ArgusSecureKey.ini.

  1. Launch the Cryptography Key Editor.

    The Key Editor Utility screen appears.

  2. Click Existing.

    The Key Edit Login screen appears.

  3. Enter the ARGUSUSER password.

  4. Enter the Database name.

  5. Click Login.

    The Key Editor Options for Existing Installation screen appears.

  6. Enter the DBA User Name and User Password.

  7. Click Validate.

  8. Check the Generate Encrypted checkbox.

  9. Enter the password in the Clear text field.

  10. Click Execute.

    The Reason for this Action dialog box appears, prompting the user to add a reason for the action.

  11. The text entered here is visible in the Audit Log in the Argus Safety application.

  12. Click OK.

  13. Check the status box to verify if the operation has been successful. If the operation is successful, the encrypted string is displayed in the Encrypted String field.

21.2.5 Reset Administrator and System Application User Password

  1. Launch the Cryptography Key Editor.

    The Key Editor Utility screen appears.

  2. Click Existing.

    The Key Editor Login screen appears.

  3. Enter the ARGUSUSER password.

  4. Enter the Database name.

  5. Click Login.

    The Key Editor Options for Existing Installation screen appears.

  6. Enter the DBA User Name and User Password.

  7. Click Validate.

  8. Check the Reset password for the default Administrator and System Accounts checkbox.

  9. To set Administrator password, select the respective checkbox, and enter the parameters.

  10. To set System user password, select the respective checkbox, and enter the parameters.

  11. Click Execute.

    The Reason for this Action dialog box appears, prompting the user to add a reason for the action.

    The text entered here is visible in the Audit Log in the Argus Safety application.

  12. Click OK.

  13. Check the status box to verify if the operation has been successful.

21.2.6 Reset the Environment if ArgusSecureKey.ini is Lost

  1. To generate a new key and copy it to the Windows folder, follow the steps listed in Section 21.2.1, "Reset the ARGUSUSER Password."

  2. To re-encrypt common user passwords, follow the steps listed in Section 21.2.3, "Re-encrypt Common User Passwords."

  3. Re-encrypt strings in the following locations:

    | String | Description |
    |---|---|
    | LDAP | Clear column LDAP_SEARCH_PASSWORD in all rows from table CFG_LDAP_SERVERS. Now open Argus Console > System Configuration > System Management > LDAP and re-enter passwords for all configurations. |
    | SMTP | Clear column USER_PASSWORD in all rows from table CFG_SMTP. Now open Argus Console > System Configuration > SMTP Configuration and re-enter passwords for SMTP account. |
    | Documentum | Clear column VALUE for row where SECTION='SYSTEM' AND KEY='DOCUMENTUM_PASSWORD' from table CMN_PROFILE_ENTERPRISE. Now open Argus Console > System Configuration > Common profile Switches to re-enter Documentum password. |
    | Argus Services | Open Argus Safety Service Configuration: Open all the processes and enter password again. |
    | Cyclone | Open ESM Mapping utility and re-enter the Cyclone password. |
    | ESM Common User | Open ESM Mapping utility and re-enter the ESM Common User password. |

  4. Re-enter the DBPassword in the configuration files, as explained in the following sections:

    1. Point 2 of Section 9.1.3.1, "RelsysWindowsService.exe.config".

    2. Point 5 of Section 14.2, "Configure Dossier".

    3. Section 19.7, "Product License Study Interface".