Cipher Customization

Modifying the default cipher settings is a relatively straightforward process, but it needs to be adequately planned and tested. The changes take effect only after an application restart, so, depending on the size and topology of your organization and deployments, choose a time when in-progress changes will not be affected. Also consider any data managed by the Cúram Transport Manager (CTM), such as properties containing encrypted passwords, that will need to be either updated or managed to prevent systems from being out of sync with one another (see the Cúram Transport Manager Guide for more information).

Modification of the default cipher settings involves the following steps:

  1. Choose new settings for the CryptoConfig.properties file and underlying artifacts; see Cúram Cipher Settings.
  2. Depending on the settings, you may need to perform additional steps (e.g. when modifying the keystore as per How to Create a New Keystore).
  3. Modify the CryptoConfig.properties file; note the default location is <SERVER_DIR>/project/properties.
  4. Remove any existing CryptoConfig.jar files; these contain CryptoConfig.properties and are found in the <JAVA_HOME>/jre/lib/ext directory ($JAVA_HOME/lib/ext on IBM® z/OS®). Any running Cúram clients or servers must be terminated before an updated CryptoConfig.jar file with the new settings can be deployed.
  5. Re-encrypt the passwords in all existing property files as identified in Cipher-Encrypted Passwords. The Apache Ant configtest, configure, and installapp targets will place an updated CryptoConfig.jar file in the Java lib/ext directory.
  6. Test and verify your changes.
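
One way to confirm that steps 3 to 5 left no stale CryptoConfig.jar behind is to compare the properties packaged in each deployed jar with the edited source file. The script below is an added example, not part of the product or its documentation; the function names are hypothetical, the parser handles only simple key=value lines, and it assumes the jar entry is named CryptoConfig.properties.

```python
import sys
import zipfile
from pathlib import Path

PROPS = "CryptoConfig.properties"
JAR = "CryptoConfig.jar"
# Extension directories named in step 4, relative to JAVA_HOME.
EXT_DIRS = ("jre/lib/ext", "lib/ext")


def parse_props(text):
    """Simplified .properties parser: key=value or key:value, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def check_deployment(server_dir, java_home):
    """Return (jar_path, status, differing_keys) for each deployed jar."""
    source = Path(server_dir) / "project" / "properties" / PROPS
    want = parse_props(source.read_text(encoding="iso-8859-1"))
    results = []
    for ext in EXT_DIRS:
        jar = Path(java_home) / ext / JAR
        if not jar.is_file():
            continue
        with zipfile.ZipFile(jar) as zf:
            # Assumption: the entry may sit at any depth inside the jar.
            entries = [n for n in zf.namelist() if n.split("/")[-1] == PROPS]
            got = parse_props(zf.read(entries[0]).decode("iso-8859-1")) if entries else None
        if got is None:
            results.append((str(jar), "no-properties-entry", []))
            continue
        # Report key names only; the values may be sensitive.
        diff = sorted(k for k in want.keys() | got.keys() if want.get(k) != got.get(k))
        results.append((str(jar), "stale" if diff else "current", diff))
    return results


if __name__ == "__main__":
    found = check_deployment(sys.argv[1], sys.argv[2])
    for jar, status, keys in found:
        print(f"{jar}: {status} {', '.join(keys)}")
    sys.exit(1 if not found or any(s != "current" for _, s, _ in found) else 0)
```

Run it with the server directory and JAVA_HOME as arguments; a non-zero exit means a jar is missing, stale, or lacks the properties entry.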

Testing of your changes should include verifying any functionality that would be impacted; for example:
