Using KPA to make keys available to the NAM Probe process

To make keys available to the NAM Probe at run time, the administrator has to arrange for the keys to be decrypted (if they are stored in an encrypted form) and then loaded into shared memory.

Decryption requires a password – one per encrypted key file – and is accomplished using the kpadmin utility. The procedure is the same for all the types of encrypted keys used by the NAM Probe, such as OpenSSL or Kerberos for SAP.

The kpadmin utility is a binary file accessible through the path /usr/adlex/rtm/bin/kpadmin. It accepts no command-line options and is executed as:

kpadmin

Either way, you must be logged in as the root user to execute kpadmin. The kpadmin utility reads the keys from the disk according to the contents of the file named in server.key.list, prompts the administrator for a password to decrypt each file, and then stores the decrypted keys in the NAM Probe RAM, where they are visible to the kpa daemon. After successfully decrypting all keys and saving them in RAM, kpadmin restarts the NAM Probe process, which then obtains the new key information via the kpa daemon. The decrypted keys are held in the NAM Probe RAM only; they are never written to disk. This increases the security of the system, but it means that after a reboot of the NAM Probe the keys have to be reloaded into memory by running kpadmin again.

Note

The key list file is shared by all analyzers requiring key storage. Therefore, when executing the kpadmin command, you will be prompted for passwords for all of the listed keys, for example for OpenSSL keys. If a particular key is not stored in an encrypted form and does not require a password, it is sufficient to press [ENTER] in response to the password request.
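Because kpadmin prompts once per listed key and unencrypted entries only need [ENTER], it helps to know in advance how many password prompts to expect and whether any listed file is missing or left readable by other users. The following pre-check script is an added example written for this page; it is not part of the NAM Probe or the kpadmin utility. It assumes (this is an assumption, the real format is product-specific) that server.key.list contains one key file path per line, with blank lines and lines starting with '#' ignored, and it recognises password-protected keys by the standard OpenSSL PEM markers ("Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY"). It does not talk to the kpa daemon at all; the sample key files it creates are constructed header-only stand-ins, not real key material.

```shell
#!/bin/sh
# Added example, not NAM Probe / kpadmin tooling.
# Pre-check the key files named in server.key.list before running kpadmin:
# which entries will prompt for a password, which are missing, and which are
# readable by group/others (a private key file should be owner-only).
# ASSUMPTION: the key list holds one path per line; '#' lines and blank lines
# are ignored. Adjust the parser if the real file format differs.

# Classify one key file as "encrypted", "plain" or "missing".
classify_key_file() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "missing"
        return 0
    fi
    # OpenSSL PEM conventions for password-protected private keys
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "encrypted"
    else
        echo "plain"
    fi
}

# Succeed only if the file has no group/other permission bits set.
# Columns 5-10 of 'ls -l' are the group and other permission triplets.
key_file_mode_ok() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Count the entries that will prompt kpadmin for a password.
count_encrypted() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$(classify_key_file "$line")" = "encrypted" ]; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# Print one line per entry: kind, permission check, path.
report_key_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        kind=$(classify_key_file "$line")
        if key_file_mode_ok "$line"; then perm="ok"; else perm="too-open"; fi
        printf '%-10s %-9s %s\n' "$kind" "$perm" "$line"
    done < "$1"
    printf 'password prompts expected: %s\n' "$(count_encrypted "$1")"
}

# Constructed fixture: a temporary directory with header-only stand-in key
# files (no real key material) and a matching key list. Echoes the directory.
make_fixture() {
    d=$(mktemp -d)
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00000000\n\n(constructed)\n-----END RSA PRIVATE KEY-----\n' > "$d/enc.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n' > "$d/plain.pem"
    chmod 600 "$d/enc.pem"
    chmod 644 "$d/plain.pem"       # deliberately too open, to exercise the check
    printf '# constructed server.key.list\n%s\n%s\n%s\n' \
        "$d/enc.pem" "$d/plain.pem" "$d/absent.pem" > "$d/server.key.list"
    echo "$d"
}

# Usage: sh precheck.sh /path/to/server.key.list
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    report_key_list "$1"
fi
```

Run it against the real key list before invoking kpadmin: the "password prompts expected" line tells you how many passwords to have ready, "missing" entries point at paths kpadmin will fail to read, and "too-open" flags key files whose on-disk permissions should be tightened even though the decrypted copies themselves only ever live in RAM.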