Using Passwords in External Reference
In the Database profile and for several different agents, you can use passwords from External Reference profiles.
The password values must be represented by a string that has been encrypted with the mzsh encryptpassword
 command.
When using the mzsh encryptpassword
 command you can use keys that have been generated using the Java standard tool keytool
. The keys to be used are determined using aliases, and if no alias is used, the default key is used for the encryption. See the JDK product documentation for further information about using keytool
 in different scenarios.
Note!
You have to use the storetype JCEKS.
If aliases are to be used, the full path and password to the keystore has to be indicated by including the Platform properties mz.cryptoservice.keystore.path
 and mz.cryptoservice.keystore.password
 in the Platform instance. See System Properties in the System Administration Guide for further information about these properties. The keystore must also contain keys for all the aliases you want to use.
Note!
The same keytool can be used for generating keys for RCP encryption. However, these keys are of a different type and cannot be used for External References.
Example - Encrypting passwords with crypto service keystore keys
This is an example of how passwords can be encrypted with crypto service keystore keys:
Create a security key with the keytool:
keytool -genseckey -alias myAlias -keyalg AES -keystore myKeystore.jks -keysize 128 -storepass myKeystorePassword -storetype JCEKS.
Note!
If you enter aÂ
-keysize
 that is larger than 128, you may get a message saying that JCE Unlimited Strength Jurisdiction Policy Files needs to be installed. See the Oracle product documentation for further information about this.TheÂ
-storepass
 flag is optional. If you do not enter aÂ-storepass
 you will be prompted for a password.-storetype
 JCEKS is mandatory.You will be prompted if you want to use the same password for the key as for the keystore and the system requires that the same password is used.
Place the keystore in a suitable directory.
ÂEncrypt the password to the keystore using theÂ
mzsh encryptpassword
 command with the default key:mzsh mzadmin/<password> encryptpassword myKeystorePassword
The encrypted password is returned.
ÂSet the Platform properties
mz.cryptoservice.keystore.path
andmz.cryptoservice.keystore.password
:$ mzsh topo set topo://container:<platform container>/pico:platform/obj:config.properties '{ mz.cryptoservice.keystore.path="<suitable directory>/myKeystore.jks" mz.cryptoservice.keystore.password="<the encrypted password>" }'
_
Encrypt the passwords with aliases that you want to use in your external references:
mzsh mzadmin/<password> encryptpassword -a myAlias <passwordToEncrypt>
Use the returned password string as a value in your External Reference source, i e file or environment variable.