Encrypting agent passwords using security keys
Prev	Administration-Putting VCS to work	Next

---

Encrypting agent passwords using security keys

Use the vcsencrypt utility to generate a security key to create a more secure passwords for agents.

See also Encrypting agent passwords.

Privilege requirements generating security keys

By defualt, only superusers can generate security keys.

You can grant password encryption privileges to group administrators.

See Granting password encryption privileges to group administrators.

Creating secure agent passwords

Follow these instructions to create secure passwords for agents.

To encrypt agent passwords using security keys

1. Make sure you have the privileges required to encrypt passwords.

   See Privilege requirements generating security keys.

2. Generate a security key from a node where VCS is running. You need to do this once.
   • Make the VCS configuration writable.

     haconf -makerw

   • Run the vcsencrypt utility:

     vcsencrypt -gensecinfo

   • When prompted, enter a password and press Return.

     Please enter a passphrase of minimum 8 characters.

     Passphrase:

     Generating SecInfo...please wait...

     SecInfo generated successfully.

     SecInfo updated successfully.

   • Save the VCS configuration file.

     haconf -dump

3. Encrypt the agent password with the security key that you generated.
   • On a node where VCS is running, enter the following command:

     vcsencrypt -agent -secinfo

   • When prompted, enter a password and press Return. The utility prompts you to enter the password twice.

     Enter New Password:

     Enter Again:

     The utility encrypts the password and displays the encrypted password.

4. Verify that VCS uses the new encryption mechanism.
   • Verify that the SecInfo cluster attribute is added to the main.cf file with the security key as the value of the attribute.
   • Verify that the password that you encrypted resembles the following:

     SApswd=7c:a7:4d:75:78:86:07:5a:de:9d:7a:9a:8c:6e:53:c6

Granting password encryption privileges to group administrators

Follow these instructions to grant password encryption privileges to group administrators.

To grant password encryption privileges to group administrators

• Set the value of the cluster attribute SecInfoLevel to R+A:

  haclus -modify SecInfoLevel R+A

To restrict password encrtyption privileges to superusers

• Set the value of the cluster attribute SecInfoLevel to R:

  haclus -modify SecInfoLevel R

Changing the security key

Follow these instructions to change the security key.

If you change the security key, make sure you reencrypt all the passwords that you created with the new security key. Otherwise, agents will fail to decrypt the encrypted password correctly and hence manage to monitor resources correctly.

To change security key

1. Save the VCS configuration and make it writeable.

   haconf -makerw

2. Run the following command:

   vcsencrypt -gensecinfo -force

3. Save the VCS configuration and make it read only.

   haconf -dump -makero