Encryption

Universal Agent programs can read command line options from command files. Command files that contain private information must be protected by local file system security, so that only authorized accounts have read access to them.

The Universal Encrypt (UENCRYPT) utility adds a further layer of protection by encrypting the contents of command files into an unintelligible format.

Although any command line option can be encrypted with Universal Encrypt, most organizations use it to encrypt and store authentication credentials, such as a user ID and/or password.

An encrypted command file can be decrypted only by Stonebranch product programs; no decrypt command is provided. Because those programs must still be able to recover the plaintext, the absence of a decrypt utility raises the effort required to read the file but does not make it unreadable, which is why the file system permissions on the file remain the primary control.

Note

Universal Encrypt should not be used as a replacement for file system security.

Encrypting Files

Files do not have to be encrypted on the same platform or server on which they will be used. They can be encrypted on any platform or server and then transferred. This means that application developers, platform administrators, and security administrators can each encrypt passwords in their own environments.

Universal Encrypt encrypts files with either:

  • 56-bit DES
  • 256-bit AES

A 56-bit DES key is small enough to be recovered by exhaustive search with modest hardware, so it offers little protection against a determined attacker who obtains the file; use 256-bit AES for any new file and re-encrypt existing DES files when you can.

Universal Encrypt reads an unencrypted file from its standard input and writes the encrypted version to its standard output.

Encrypted files are text files. Lines within the encrypted file that start with the # character are comments; they are stored in the clear and can be edited if required. By default, comments recording the following information are created:

  • Date of encryption.
  • User ID that encrypted the file.
  • System on which the file was encrypted.
  • Version of Universal Encrypt used.
  • Level of encryption used.

Because these comments are plaintext and editable, treat them as informational only: they are useful for inventory (for example, finding files still encrypted with DES), but they are not reliable evidence of who encrypted a file or when.

Transferring Encrypted Files between Servers

Files encrypted via Universal Encrypt are text files.

You can transfer them between servers, using FTP or similar tools, in text mode so that line endings are converted for the target platform. You can also email them between like systems (for example, Windows to Windows).

Security Considerations

For production implementations, decide where encrypted files containing passwords will be stored and how they will be protected. Consider who needs access to create, update, and use these files; write access matters as much as read access, since anyone who can replace the file can substitute credentials of their own.

Many implementations are centralized around an enterprise scheduling solution. In this case, the encrypted files are often secured so that only the account under which the enterprise scheduler runs is able to access them.

Universal Agent also provides additional controls, such as the Universal Access Control List and X.509 certificates, that can be used to ensure that access to servers is properly controlled.
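As an added example (not Stonebranch code and not part of this documentation), the following Python script audits encrypted command files along the lines this section and the file layout described under Encrypting Files suggest: it reads the # comment header to find the recorded encryption level, flags files still using 56-bit DES, warns when no UENCRYPT header is present or the file is not text (a sign of a bad transfer), and checks that the file is readable and writable only by its owning account, optionally the enterprise scheduler's account. The comment wording in the constructed samples, the function names `audit_file` and `audit_text`, and the detection of the cipher by searching comment lines for the tokens DES and AES are assumptions made for this example; real UENCRYPT comments may be worded differently.

```python
"""Audit Universal Encrypt command files for weak cipher and loose permissions.

Added example, not Stonebranch code. It relies only on what the documentation
states: encrypted files are text, lines beginning with '#' are comments, and
the default comments record the date, user ID, system, Universal Encrypt
version and encryption level (56-bit DES or 256-bit AES). The comment wording
in the samples is constructed, and finding the cipher by searching comment
lines for the tokens DES / AES is an assumption of this example.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuditResult:
    path: str
    comments: List[str]
    cipher: Optional[str]                 # "DES", "AES" or None if not recorded
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_comments(data: bytes) -> Tuple[List[str], Optional[str]]:
    """Split out '#' comment lines and look for the encryption level in them."""
    text = data.decode("ascii", errors="replace")
    comments = [ln[1:].strip() for ln in text.splitlines() if ln.startswith("#")]
    cipher = None
    for line in comments:
        m = re.search(r"\b(AES|DES)\b", line, re.IGNORECASE)
        if m:
            cipher = m.group(1).upper()
    return comments, cipher


def audit_file(path: str, allowed_owner_uid: Optional[int] = None) -> AuditResult:
    """Check one encrypted command file: header, cipher, text-ness, mode bits, owner."""
    with open(path, "rb") as fh:
        data = fh.read()
    comments, cipher = parse_comments(data)
    result = AuditResult(path, comments, cipher)

    if b"\x00" in data:
        result.findings.append("contains NUL bytes: not a text file, check the transfer")
    if not comments:
        result.findings.append("no comment header: verify the file was produced by UENCRYPT")
    elif cipher is None:
        result.findings.append("encryption level not recorded in comments")
    elif cipher == "DES":
        result.findings.append("encrypted with 56-bit DES: re-encrypt with 256-bit AES")

    st = os.stat(path)
    # Only the account that runs the agent or scheduler should be able to read
    # or replace the file; group/other bits defeat that whatever the cipher.
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        result.findings.append("readable by group or others: restrict to the owning account")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        result.findings.append("writable by group or others: credentials could be replaced")
    if allowed_owner_uid is not None and st.st_uid != allowed_owner_uid:
        result.findings.append(f"owned by uid {st.st_uid}, expected uid {allowed_owner_uid}")
    return result


# Constructed samples: comment lines in the spirit of the documented defaults,
# followed by a placeholder line standing in for the encrypted content.
SAMPLE_DES = (
    "# Encrypted 2019-03-02 by batchadm on sched01\n"
    "# Universal Encrypt 6.4.0, 56-bit DES\n"
    "5Zk0placeholderciphertext\n"
)
SAMPLE_AES = (
    "# Encrypted 2024-06-11 by batchadm on sched01\n"
    "# Universal Encrypt 7.3.0, 256-bit AES\n"
    "Qm9rplaceholderciphertext\n"
)


def audit_text(text: str, mode: int) -> AuditResult:
    """Write `text` to a temporary file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".enc")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(text.encode("ascii"))
        os.chmod(path, mode)
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, text, mode in (("DES, 0644", SAMPLE_DES, 0o644),
                              ("AES, 0600", SAMPLE_AES, 0o600)):
        r = audit_text(text, mode)
        print(f"{label}: {'OK' if r.ok else r.findings}")
```

Run it against the directory that holds the scheduler's command files (replace `audit_text` with a loop over `audit_file` for each path, passing the scheduler account's uid as `allowed_owner_uid`); any file listed with findings should be re-encrypted with AES or have its ownership and mode corrected before it is relied on in production.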

Universal Broker Key Store

During installation, you can request the generation of an encryption key, which is stored in a Universal Broker key store.

If a Universal Agent component wants to use this encryption key, it requests it from the Universal Broker.

For detailed information on encryption keys and the key store, see Universal Broker Key Store.

Additional Information

The following pages provide additional detailed information for Encryption: