DBUtil

During CA Risk Authentication installation, the installer collects the information to connect to the CA Risk Authentication database. After the installation is completed, this information is stored in an encrypted format in a file named securestore.enc. This file stores the following encrypted information for connecting to the CA Risk Authentication database:
  • Database user name and password (Used by CA Risk Authentication Server to connect to the database.)
  • Master key (Used for encrypting the database user name and password that is stored in securestore.enc.)
CA Risk Authentication supports both software and hardware modes to protect the data. The DBUtil tool can be used to perform database operations in both modes.
To add a new database user name, password, or DSN, or to change the master key value any time after installation, use the DBUtil tool.
DBUtil Options
The following table lists the options for dbutil. In this table, key-value pair refers to either DSN, password, or database username/password pair. The CA Risk Authentication Server uses the DSN/password. The user name/password is used by Advanced Authentication and User Data Service.
 
Option
Description
-h
Displays the Help for the tool.
Syntax:
dbutil -h
-init
Creates a securestore.enc with the new master key that you specify, as discussed in "Updating the Master Key".
Syntax:
dbutil -init key
 
For example:
dbutil -init MasterKeyNew
dbutil -init RiskFortDatabaseMKNew
 
Important!
This command succeeds only if there is no securestore.enc in the conf directory.
-pi
Inserts an extra key-value pair into securestore.enc.
Syntax:
dbutil -pi <key> <value> [-h HSMPin [-d HSMModule]]
 
-h HSMPin is required if securestore.enc is protected by HSM cryptography.
-d HSMModule is optional when -h is present. It defaults to "nfast" (NCipher).
For example:
dbutil -pi RiskFortBackupDSN dbapassword
dbutil -pi Jack userpassword
dbutil -pi Jack userpassword -h hsmpassword -d chrysalis
 
Important!
Each key can have only one value. If you have already inserted a key-value pair, then you cannot insert another value for the same key.
-pu
Updates the value for an existing key-value pair in securestore.enc. Use this option to update the database password.
Syntax:
dbutil -pu <key> <value> [-h HSMPin [-d HSMModule]]
 
For example:
dbutil -pu RiskFortDatabaseDSN newPassword
dbutil -pu Jack userPassword
dbutil -pu Jack userpassword -h hsmpassword -d chrysalis
-pd
Deletes the specified key-value pair from securestore.enc.
Syntax:
dbutil -pd <key> [-h HSMPin [-d HSMModule]]
For example:
dbutil -pd RiskFortDatabaseDSNOld
dbutil -pd Jack
-i
Inserts the specified primary name-value pair in securestore.enc, if hardware-based encryption is used to secure the data in this file. This option is used during server startup to provide HSM initialization information.
Syntax:
dbutil -i <primeKey> <HSMPin>
where primeKey is the name of the HSM module.
 
For example:
dbutil -i chrysalis hsmpassword
-u
Updates the specified primary name-value pair in securestore.enc, if hardware-based encryption is used to secure the data in this file.
Syntax:
dbutil -u <primeKey> <HSMPin>
where primeKey is the name of the HSM module.
For example:
dbutil -u chrysalis newhsmpassword
-d
Deletes the specified primary name-value pair from securestore.enc, if hardware-based encryption is used to secure the data in this file.
Syntax:
dbutil -d <primeKey>
where primeKey is the name of the HSM module.
For example:
dbutil -d chrysalis
Updating the Master Key
Because the master key is used for encrypting sensitive information, DBUtil does not provide an option to view its value.
Specified during the installation, the master key is used to encrypt the values in the securestore.enc file. The master key encrypts all encryption keys that the product uses. These keys are stored in the CA Risk Authentication database.
To change the master key value in securestore.enc:
  1. Back up the current securestore.enc file.
    The current securestore.enc is available at:
    • On Windows
      <install_location>\Arcot Systems\conf
    • On UNIX-based Platforms
      <install_location>/arcot/conf
  2. Delete the securestore.enc in ARCOT_HOME\conf.
  3. Navigate to the following location where DBUtil is available:
    • On Windows
      <install_location>\Arcot Systems\tools\win
    • On UNIX-based Platforms
      <install_location>/arcot/tools/<platform_name>
  4. Run the following command:
    (For software mode) dbutil -init <master_key_name>
    (For hardware mode) dbutil -init <HSM_Key_Label>
    The tool re-creates securestore.enc with the master key name that you specify.
    If the master key setup fails, contact CA Support for help.
  5. Update the database information in the securestore.enc file.
    The CA Risk Authentication installer automatically configures the database username/password and database DSN/password information in securestore.enc. However, after creating a securestore.enc file, manually insert this information in the new file. Use the dbutil -pi option to do so.
    To insert the supplied database values in securestore.enc, use the following commands:
    • (For software mode) dbutil -pi <dbUser> <dbPassword>
    • (For hardware mode) dbutil -pi <dbUser> <dbPassword> [-h HSMPin [-d HSMModule]]
      In the preceding commands, dbUser is the database user name and dbPassword is the password for that user. For example:
      dbutil -pi arcotuser welcome123
    The user name that you specify in this command is case-sensitive.
    The DSN name that you specify in this command is case-sensitive.
  6. If you have performed distributed deployment of CA Risk Authentication, copy the new securestore.enc file to all component systems.
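
The following script is an added example, not part of the product or its documentation. It carries out steps 1 to 5 in software mode on a UNIX-based platform, keeps the backup owner-readable only, and restores it if dbutil -init fails. It assumes the UNIX paths given above and that dbutil locates the conf directory through the ARCOT_HOME environment variable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, software mode only. Assumptions: the UNIX layout from this page
# (<install_location>/arcot/conf) and that dbutil finds conf via ARCOT_HOME.

# Steps 1-4: back up securestore.enc, delete it, re-create it with a new master key.
# Prints the backup path on stdout; restores the backup if dbutil -init fails.
reinit_securestore() {   # usage: reinit_securestore <arcot_home> <tools_dir> <master_key_name>
    arcot_home=$1; tools_dir=$2; master_key=$3
    store="$arcot_home/conf/securestore.enc"
    [ -f "$store" ] || { echo "missing $store" >&2; return 1; }
    [ -x "$tools_dir/dbutil" ] || { echo "no dbutil in $tools_dir" >&2; return 1; }

    backup="$store.$(date +%Y%m%d%H%M%S).bak"
    # The backup still holds the encrypted DB credentials: keep it owner-only.
    ( umask 077 && cp "$store" "$backup" ) || return 1
    chmod 600 "$backup" || return 1

    rm -f "$store"            # -init succeeds only when no securestore.enc exists
    if ! ( cd "$tools_dir" && ARCOT_HOME=$arcot_home ./dbutil -init "$master_key" ) >&2; then
        cp "$backup" "$store" # roll back so the previous store is still in place
        return 2
    fi
    echo "$backup"
}

# Step 5: insert one key-value pair, reading the value from stdin so it never
# lands in shell history or a script file. dbutil, as documented on this page,
# takes the value as an argument, so it is still visible in the process list
# while dbutil runs.
insert_pair() {           # usage: insert_pair <arcot_home> <tools_dir> <key>   (value on stdin)
    arcot_home=$1; tools_dir=$2; key=$3
    IFS= read -r value || [ -n "$value" ] || { echo "no value on stdin" >&2; return 1; }
    [ -n "$value" ] || { echo "empty value" >&2; return 1; }
    ( cd "$tools_dir" && ARCOT_HOME=$arcot_home ./dbutil -pi "$key" "$value" ) >&2
}
```

When typing the value interactively, turn terminal echo off with stty -echo before calling insert_pair and back on with stty echo afterwards.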