If you look at the usage from the IDI encryption utility (cryptoutils.sh), you'll see this:
[root@jazzsm9 serverapi]# ./cryptoutils.sh
CTGDKD446I Usage:
-input <input file>
-output <output file>
-mode <encrypt|decrypt|encrypt_config|decrypt_config>
-keystore <keystore file>
-storepass <keystore password>
-alias <encryption key alias>
[ -keypass <key password> ]
[ -transformation <encryption transformation> ]
[ -storetype <keystore type> ]
[ -cryptoproviderclass <security provider used for encryption> ]
Unfortunately, none of those "-mode" options will let you decrypt values in any of the *.properties files (e.g. global.properties, solution.properties, etc.). So how do you do it?
To get the answer, you need to go to the online documentation here, where you'll find that there are two additional modes that aren't listed in the usage text above. They are:
encrypt_props
decrypt_props
Once you know that, you're over the largest obstacle. But now you have several additional flags with values to provide, and the documentation doesn't give you an example of doing exactly this. So here's the example:
/opt/IBM/TDI/cev10/serverapi/cryptoutils.sh \
-input /opt/IBM/TDI/ftsoldir/solution.properties \
-output /tmp/foo \
-mode decrypt_props \
-keystore /opt/IBM/TDI/ftsoldir/testserver.jks \
-storepass server \
-alias server
In the above case, I wanted to decrypt the encrypted values in my solution.properties file. My solution directory is /opt/IBM/TDI/ftsoldir. Notice also that you MUST provide the certificate alias that points to the server certificate in the solution directory. By DEFAULT (meaning: all of this can be changed), the alias of that certificate is "server", it is stored in the $SOLDIR/testserver.jks keystore, and the password of the keystore is "server". The name of the keystore and the alias are specified in these two properties in solution.properties:
com.ibm.di.server.encryption.keystore = testserver.jks
com.ibm.di.server.encryption.key.alias = server
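The procedure above boils down to: read the keystore name and key alias out of solution.properties, resolve the keystore path relative to the solution directory, and hand all of that to cryptoutils.sh in decrypt_props mode. Here is that procedure as a small POSIX shell helper. This is an added example, not code from the original post or from IBM; it assumes the install lives under /opt/IBM/TDI/cev10 unless TDI_HOME is set, and it falls back to the defaults named above (testserver.jks / server) when the two properties are absent. The sample solution.properties it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or IBM): build and run the
# cryptoutils.sh decrypt_props command for a TDI/IDI solution directory.
# Assumption: the TDI install is under /opt/IBM/TDI/cev10 unless TDI_HOME is set.
TDI_HOME="${TDI_HOME:-/opt/IBM/TDI/cev10}"

# prop_value FILE KEY: print the value of KEY from a Java .properties file.
# Handles "key = value" and "key=value", skips '#'/'!' comment lines,
# first match wins, surrounding whitespace is trimmed.
prop_value() {
    awk -v key="$2" -F'=' '
        /^[ \t]*[#!]/ { next }
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# idi_decrypt_props SOLDIR STOREPASS OUTFILE
# Decrypts SOLDIR/solution.properties into OUTFILE using the keystore and
# alias that solution.properties itself names. If cryptoutils.sh is not
# present (or DRY_RUN=1), the command line is printed instead of executed.
idi_decrypt_props() {
    soldir=$1 storepass=$2 outfile=$3
    props="$soldir/solution.properties"
    ks=$(prop_value "$props" com.ibm.di.server.encryption.keystore)
    keyalias=$(prop_value "$props" com.ibm.di.server.encryption.key.alias)
    ks=${ks:-testserver.jks}          # defaults named in the post
    keyalias=${keyalias:-server}
    case $ks in /*) ;; *) ks="$soldir/$ks" ;; esac   # relative to the solution directory
    set -- "$TDI_HOME/serverapi/cryptoutils.sh" -input "$props" -output "$outfile" \
           -mode decrypt_props -keystore "$ks" -storepass "$storepass" -alias "$keyalias"
    if [ "${DRY_RUN:-0}" = 1 ] || [ ! -x "$1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Constructed sample solution directory for the demo (not a real deployment).
demo_soldir=$(mktemp -d)
cat > "$demo_soldir/solution.properties" <<'EOF'
# constructed sample solution.properties
com.ibm.di.server.encryption.keystore = testserver.jks
com.ibm.di.server.encryption.key.alias = server
EOF

idi_decrypt_props "$demo_soldir" server /tmp/foo
```

Because cryptoutils.sh only accepts the keystore password as a -storepass argument, it is visible in the process list while the command runs and may land in your shell history; run it from a session with history disabled, and delete the decrypted output file as soon as you have what you need.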
If, however, you forget the password, that's not a good thing. Normally you can decrypt an IBM stash file with a perl script like this:
#!/usr/bin/perl
use strict;
use warnings;

# Reads a GSKit-style stash file: every byte is XORed with 0xF5 and the
# recovered password is NUL-terminated.
die "Usage: $0 <stash file>\n" if @ARGV != 1;
my $file = $ARGV[0];
open(my $fh, '<', $file) || die "Can't open $file: $!";
binmode($fh);
my $stash;
read $fh, $stash, 1024;
close($fh);
my @unstash = map { $_ ^ 0xf5 } unpack("C*", $stash);
foreach my $c (@unstash) {
    last if $c == 0;    # NUL marks the end of the password
    printf "%c", $c;
}
print "\n";
However, that doesn't work on the IDI stash file (idisrv.sth) because this isn't a GSKit stash file. From the docs:
The stash file contains the Server keystore password values encrypted with AES128 with a fixed key.
Check back later to find out how to read this stash file - I think I've figured out how to decrypt it.
I did figure it out, and here's the video.
And NOTE: This only matters if you want to CHANGE the password of the keystore and keep the keystore. If all you need to do is add a server certificate to the keystore for a new web connection, you can simply use the "Get Certificate" button in the HTTP Server Connector to get the server's certificate and add it to the keystore.