Encrypting Passwords
You can encrypt passwords to create an environment variable to use with infacmd, infasetup, pmcmd, and pmrep or to define a password in a parameter file.
For example, you can encrypt the repository and database passwords for pmrep to maintain security when using pmrep in scripts. Then you can create an environment variable to store the encrypted password. Or, you can define a password for a relational database connection object in a parameter file.
Use the command line program pmpasswd to encrypt passwords.
The pmpasswd utility uses an AES/CBC/PKCS5 padding cipher and generates a base64-encoded password encrypted with AES 128-bit or AES 256-bit.
The pmpasswd utility installs in the following directory:
<InformaticaInstallationDir>/server/bin
The pmpasswd utility uses the following syntax:
pmpasswd <password> [-e (CRYPT_DATA | CRYPT_SYSTEM)]
The following table describes pmpasswd options and arguments:
Option | Argument | Description |
---|---|---|
- | password | Required. The password to encrypt. |
-e | CRYPT_DATA, CRYPT_SYSTEM | Optional. Encryption type. CRYPT_DATA: use to encrypt connection object passwords that you define in a parameter file. CRYPT_SYSTEM: use for all other passwords. Default is CRYPT_SYSTEM. |
By default, the pmpasswd utility generates an AES 128-bit encrypted password. You can set the environment variable INFA_USE_AES_256_CRYPTOGRAPHER to true to enable AES 256-bit encryption for enhanced password security. In a single node domain or multinode domain, shut down the domain before you set or remove the environment variable.
When you enable the AES 256-bit encryption, the previously stored sensitive data in the environment variables does not work. You must encrypt such previously stored sensitive data again and reset the data in the environment variables after enabling AES 256-bit encryption. However, the license keys remain encrypted with AES 128-bit even if you enable AES 256-bit.
After you choose either AES 128-bit or AES 256-bit encryption, you must use the same encryption mechanism while performing a backup and restore or export and import operation. For example, if you back up a domain or repository using the AES 128-bit mechanism, you must restore the domain or repository using the same 128-bit encryption mechanism. Domain restore fails if AES 256-bit encryption is enabled for domain backup and not enabled during domain restore. In such a case, clean up the database, enable 256-bit encryption and restore the domain again.
Similarly, if you export a domain or repository using the AES 128-bit mechanism, you must import the domain or repository using the same 128-bit encryption mechanism.
Using a Password as an Environment Variable
Use the following steps as a guideline to use an encrypted password as an environment variable:
1. Use the command line program pmpasswd to encrypt the password.
pmpasswd generates and displays the encrypted password. For example, if you enter the password “monday,” the password encrypts to f/wRb5PZsZnqESTDPeos7Q==.
2. Configure the password environment variable to set the encrypted value.
Configuring a Password as an Environment Variable on UNIX
To configure a password as an environment variable on UNIX:
1. At the command line, type:
pmpasswd <password>
pmpasswd returns the encrypted password.
2. In a UNIX C shell environment, type:
setenv <Password_Environment_Variable> <encrypted password>
In a UNIX Bourne shell environment, type:
<Password_Environment_Variable>=<encrypted password>
export <Password_Environment_Variable>
You can assign the environment variable any valid UNIX name.
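The following pre-flight check is an added example, not part of the Informatica documentation or tooling. It tests whether a password variable holds a value shaped like pmpasswd output (base64 text that decodes to a whole number of 16-byte AES blocks) rather than a plaintext password. The function names and the variable name PMREP_PASS_DEMO are hypothetical, and the check assumes the encoded value is raw AES/CBC ciphertext, as the cipher description above implies.

```shell
# Added example: POSIX sh helpers, not part of pmpasswd or any Informatica tool.

# Return 0 if $1 is well-formed base64 whose decoded length is a non-zero
# multiple of 16 bytes (the AES block size used by AES/CBC), 1 otherwise.
looks_like_aes_cbc_b64() {
    value=$1
    [ -n "$value" ] || return 1
    case $value in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # character outside the base64 alphabet
        *=[!=]*|*===*)     return 1 ;;   # padding in the middle, or too much of it
    esac
    # Padded base64 text is always a multiple of 4 characters long.
    [ $(( ${#value} % 4 )) -eq 0 ] || return 1
    # Decode and count the bytes; $(( )) strips any whitespace wc adds.
    nbytes=$(printf '%s' "$value" | base64 -d 2>/dev/null | wc -c)
    nbytes=$(( nbytes ))
    [ "$nbytes" -gt 0 ] && [ $(( nbytes % 16 )) -eq 0 ]
}

# Check the environment variable named by $1.
# Returns 0 if it looks encrypted, 1 if unset or plaintext-like, 2 on a bad name.
check_password_var() {
    name=$1
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name" >&2
            return 2 ;;
    esac
    # The name was validated above, so the eval only performs the lookup.
    eval "val=\${$name-}"
    if looks_like_aes_cbc_b64 "$val"; then
        return 0
    fi
    echo "$name is unset or does not hold base64 AES ciphertext" >&2
    return 1
}

# Demo with the sample value this page shows for the password "monday".
# PMREP_PASS_DEMO is a hypothetical variable name.
PMREP_PASS_DEMO='f/wRb5PZsZnqESTDPeos7Q=='
export PMREP_PASS_DEMO
check_password_var PMREP_PASS_DEMO && echo "PMREP_PASS_DEMO looks encrypted"
```

The check is structural only: it cannot tell AES 128-bit output from AES 256-bit output, so values stored before INFA_USE_AES_256_CRYPTOGRAPHER was enabled still pass and must be re-encrypted as described above.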
Configuring a Password as an Environment Variable on Windows
To configure a password as an environment variable on Windows:
1. At the command line, type:
pmpasswd <password>
pmpasswd returns the encrypted password.
2. Enter the password environment variable in the Variable field. Enter the encrypted password in the Value field.
For information about setting environment variables on Windows, consult the Windows documentation.