IBM Tivoli Netcool/OMNIbus Version 8.1

Defining routing hosts in the process agent configuration file

To specify the hosts that are participating in the process control system, you must define the process agent host names in the process agent configuration file.

Each host entry defines the name of the host (for example, sfosys1) and the name of the process agent to be used in the process control system (for example, SFOSYS1_PA). For each host definition, you can also specify user name and password credentials for connecting to the process agent.

Routing definition example

An example routing definition in the $NCHOME/omnibus/etc/nco_pa.conf configuration file is as follows:

    nco_routing
    {
        host 'sfosys1' 'SFOSYS1_PA' 'username' 'password'
        host 'sfosys2' 'SFOSYS2_PA' 'username' 'password'
    }

Note: The username and password entries are mandatory if you are running the remote process agent in secure mode. If you are not running the remote process agent in secure mode, user names and passwords are optional.

If the process agent is using UNIX authentication (the default on UNIX), the username must be an operating system user that is a member of the ncoadmin group (default) or any other administrative group that is created for granting access to the process control system. A process agent daemon that is running in secure mode must be run by the root user.

On Windows, username must be the user name of a valid local account, domain account, or UPN account.

Note: To prevent unauthorized users from gaining access, operating system security must be set appropriately for files that contain user names and passwords.

When running the process agent daemon nco_pad, you can also specify the user name and password by using the -user and -password command-line options. This overrides any entries in the nco_pa.conf configuration file.
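As an added example (not IBM's own code or tooling), the following Python script audits a routing definition of the form shown above: it parses the host entries in the nco_routing block, reports any entry that lacks the credentials required in secure mode, and checks whether the file holding those credentials is readable by other users. The configuration text is constructed for the example.

```python
import os
import re
import shlex
import stat

# Constructed sample nco_routing block; the second host has no credentials.
SAMPLE_CONF = """
nco_routing
{
    host 'sfosys1' 'SFOSYS1_PA' 'username' 'password'
    host 'sfosys2' 'SFOSYS2_PA'
}
"""


def parse_routing(text):
    """Return the host entries inside the nco_routing { ... } block.

    Each entry is a dict with host and pa_name, plus username and password
    when the entry carries credentials. Other sections are ignored.
    """
    block = re.search(r"nco_routing\s*\{(.*?)\}", text, re.DOTALL)
    if not block:
        return []
    entries = []
    for line in block.group(1).splitlines():
        tokens = shlex.split(line)  # strips the single quotes
        if not tokens or tokens[0] != "host":
            continue
        fields = tokens[1:]
        if len(fields) not in (2, 4):
            raise ValueError("malformed host entry: %r" % line)
        entry = {"host": fields[0], "pa_name": fields[1]}
        if len(fields) == 4:
            entry["username"], entry["password"] = fields[2], fields[3]
        entries.append(entry)
    return entries


def audit_routing(text, secure_mode):
    """List host entries that lack credentials while secure mode is on."""
    return [
        "%s (%s): credentials required in secure mode" % (e["host"], e["pa_name"])
        for e in parse_routing(text)
        if secure_mode and "password" not in e
    ]


def permissions_too_open(mode):
    """True if a file mode grants group or world read/write access."""
    return bool(mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH))


def audit_file_permissions(path):
    """Check a real nco_pa.conf on disk; it holds user names and passwords."""
    return permissions_too_open(os.stat(path).st_mode)
```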

Encrypting plain text passwords in routing definitions

You can encrypt plain text login passwords that are stored in the nco_pa.conf file.

Password encryption details for running in FIPS 140–2 mode and non-FIPS 140–2 mode are described in the following table.

Table 1. Password encryption in FIPS 140–2 mode and non-FIPS 140–2 mode

Mode: FIPS 140–2 mode
Action:

When in FIPS 140–2 mode, passwords can either be specified in plain text or in encrypted format. You can encrypt passwords by using property value encryption, as follows:

  1. If you do not yet have a key for encrypting the password, create one by running the nco_keygen utility, which is located in $NCHOME/omnibus/bin.
  2. Run the nco_aes_crypt utility to encrypt the password with the key that was generated by the nco_keygen utility. The nco_aes_crypt utility is also located in $NCHOME/omnibus/bin. Note that you must specify AES_FIPS as the algorithm to use for encrypting the password.
  3. Copy the encrypted password into the appropriate routing definition in the configuration file.
Mode: Non-FIPS 140–2 mode
Action:

In non-FIPS 140–2 mode, you can either use the nco_pa_crypt utility or use property value encryption to encrypt plain text login passwords on UNIX. On Windows, you can use the nco_g_crypt utility or use property value encryption. Perform either of the following actions:

  • To encrypt a password by using the nco_pa_crypt or nco_g_crypt utility, run the command as follows:
    • UNIX:

      $NCHOME/omnibus/bin/nco_pa_crypt plaintext_password

    • Windows:

      %NCHOME%\omnibus\bin\nco_g_crypt plaintext_password

    In these commands, plaintext_password represents the unencrypted form of the password. The encryption utility displays an encrypted version of the password. Copy the encrypted password into the appropriate routing definition in the configuration file.

  • To encrypt a password by using property value encryption, you require a key that is generated with the nco_keygen utility. You can then run nco_aes_crypt to encrypt the password with the key. Note that you can specify either AES_FIPS or AES as the algorithm for encrypting the password. Use AES only if you need to maintain compatibility with passwords that were encrypted using the tools provided in versions earlier than Tivoli Netcool/OMNIbus V7.2.1.

    Copy the encrypted password into the appropriate routing definition in the configuration file.

Note: On UNIX, even if the password is specified on the command line, it does not appear in ps command output.

Passwords that are encrypted using nco_pa_crypt are decrypted by the remote process control agent.

Passwords that are encrypted using nco_aes_crypt are decrypted by the process agent daemon, and are passed to remote process agents as plain text. To decrypt the passwords, you must set the -cryptalgorithm and -keyfile command-line options when running nco_pad. These options specify which algorithm and key file to use for decryption.
