Content Management and Capture

  • 1.  dcskey import command never worked

    Posted Mon November 09, 2020 02:41 AM
    Hi,
    My colleagues and I have been trying to import a key from a Windows user account.
    We wanted to separate a Datacap managing user from an admin account.
    We have followed this Support instruction to import a key for each Windows user account.
    https://www.ibm.com/support/pages/requirements-importing-encryption-keys-ibm-datacap-taskmaster-capture

    In the past 3 years, we have tried several times, but every time the "dcskey -i" command failed.
    (OS version was Windows 2012, 2016, 10. Datacap version was 9.1 - 9.1.7)
    The following Support pages didn't help.

    https://www.ibm.com/support/pages/key-not-valid-use-specified-state-ibm-datacap-taskmaster-capture
    https://www.ibm.com/support/pages/key-not-valid-use-specified-state-ibm-datacap-taskmaster-capture

    The last time, we worked around it by saving the credentials in plain text as explained by this Support site.
    https://www.ibm.com/support/pages/custom-code-unable-decrypt-encrypted-strings-ibm-datacap-taskmaster-capture

    I think the "dcskey i" command has a product issue.
    Or is it that it can only work when Datacap users are all local users and not on Active Directory?
    I'd like to finally know how to use this command (or get it fixed) so we won't have to save the credentials in plain text and explain the problem to the customer.
    Has anyone seen it work?

    ------------------------------
    dsakai
    ------------------------------


  • 2.  RE: dcskey import command never worked

    Posted Thu November 19, 2020 04:09 PM
    It always worked for me, across several Datacap versions and many environments. Can you please add more details? What steps are you taking for importing it? What error message do you see while importing it? Are you copying the key from your Datacap (Taskmaster) server?

    ------------------------------
    Manesh Gurav
    ------------------------------



  • 3.  RE: dcskey import command never worked

    Posted Thu November 19, 2020 08:38 PM
    Edited by dsakai Thu November 19, 2020 09:15 PM
    Thanks for your reply.
    This is how we did it the last time.

    1) Prepare datacap admin user (dcadmin) and maintenance user (dcuser) on Windows Active Directory.
    2) Install and configure Datacap 9.1.7 using dcadmin on a single Windows 2016 machine.
    3) Open a command prompt and move to c:\Datacap\Taskmaster. Execute "dcskey -e".
    4) Reboot PC.
    5) Change password of dcuser. *Due to the client's policy, the password changes periodically.
    6) Login to dcuser.
    7) Open a command prompt and move to c:\Datacap\Taskmaster. Execute "dcskey -i".
    8) An error is displayed: "Keys couldn't be imported. Key not valid for use in specified state."
    9) I think we also did "dcskey -d" before trying import,
    but saw an error "Keys couldn't be deleted. Key not valid for use in specified state."

    I am guessing that "dcskey import" does not work once the other user executes "dcskey export"
    and the first entry is written into the dc_KTF.xml file in C:\Datacap\Taskmaster.
    This first entry can be shared among the users on the same machine,
    but once a user (different from the installation user) changes password,
    there is no way for the dcskey command (either delete or import) to reflect this password change.

    The following site had what seemed to be the solution.
    https://www.ibm.com/support/pages/key-not-valid-use-specified-state-ibm-datacap-taskmaster-capture

    But I could not do this.
    I was not able to identify Taskmaster encryption keys because there were many of them.

    Maybe the password should not change once a key is made, but this almost always goes against the client's security policy.


  • 4.  RE: dcskey import command never worked

    Posted Fri November 20, 2020 11:19 AM
    Are you doing a single-server (single-box) installation of Datacap? The Windows 2016 machine that you mentioned is your server and not a client workstation. Is that correct?

    ------------------------------
    Manesh Gurav
    ------------------------------



  • 5.  RE: dcskey import command never worked

    Posted Mon November 23, 2020 08:21 PM
    Yes.  The Windows 2016 Server is the single-server (single-box) installation of Datacap.


    ------------------------------
    dsakai
    ------------------------------



  • 6.  RE: dcskey import command never worked

    Posted Thu November 17, 2022 04:03 AM
    Edited by dsakai Fri November 18, 2022 12:30 AM
    This "Password Change" issue is again an unsolved issue.
    I am in a project with such an environment.

    Datacap Server (9.1.9) x 2
    Rulerunner Server x 4

    The team has changed the passwords of the administrative users
    of the above 6 Windows machines.
    These users all had the encryption key imported and configured with dcskey i,
    and the Datacap environment was functioning.
    After the password change, the Rulerunner Servers are not able to connect to the Datacap servers.
    We are now trying to recreate the encryption key.
    But "dcskey d" and "dcskey i" are not working, as I stated a few years ago.
    (That time it was a one-box environment.)

    If anyone has exact steps of what to do after you change passwords
    of the Windows users of the Datacap and Rulerunner servers, please share the tips.

    We tried this, but didn't work.
    https://www.ibm.com/support/pages/key-not-valid-use-specified-state-ibm-datacap-taskmaster-capture

    It seems dcskey only works the first time after a fresh install.
    It never works once Windows users change password.

    ------------------------------
    dsakai
    ------------------------------



  • 7.  RE: dcskey import command never worked

    Posted Sun November 27, 2022 10:04 AM
    Hi,

    1. If the password of the user changes, delete the keys from AppData and import the keys again as mentioned in the link shared by you. https://www.ibm.com/support/pages/key-not-valid-use-specified-state-ibm-datacap-taskmaster-capture
    2. If you log in as dcadmin and import keys, login will work only for dcadmin, as keys will be imported to this user's profile. If you are running services with a different user, say dcuser, you can run the command prompt as "Run as dcuser" login and then import the keys so that keys will be imported to this user as well. If you have launched the command prompt as "Run as administrator", keys will be imported to the SYSTEM account, and if services are running with dcuser or dcadmin, it will not be able to decrypt the connection strings.

    Thanks,
    Geetha

    ------------------------------
    Geetha Jini C
    ------------------------------
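
Added example (not part of the thread, and not IBM or Datacap code): reply 7 ties a successful import to the Windows account the console runs as. This PowerShell check compares the console identity with the logon account of every service installed under C:\Datacap; the install path comes from the thread, and the idea that Datacap services have their executables under it is an assumption.

```powershell
# Added example, not IBM tooling. Run it in the same console you intend to use
# for "dcskey -i". Assumption: Datacap services run from C:\Datacap.
$installRoot = 'C:\Datacap'

# Identity (name and SID) of THIS console session.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySid   = $current.User.Value

function Resolve-AccountSid([string]$startName) {
    # Win32_Service.StartName can be 'LocalSystem', '.\user', 'DOMAIN\user'
    # or 'user@domain'. Normalise, then translate to a SID for comparison.
    if ([string]::IsNullOrEmpty($startName)) { return $null }
    if ($startName -eq 'LocalSystem') { $startName = 'NT AUTHORITY\SYSTEM' }
    if ($startName.StartsWith('.\')) {
        $startName = $env:COMPUTERNAME + '\' + $startName.Substring(2)
    }
    try {
        $account = New-Object System.Security.Principal.NTAccount($startName)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # account could not be resolved; reported as a mismatch
    }
}

# Services whose executable lives under the install root.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$installRoot\*" }

$report = foreach ($svc in $services) {
    [pscustomobject]@{
        Service       = $svc.Name
        RunsAs        = $svc.StartName
        SameAsConsole = ((Resolve-AccountSid $svc.StartName) -eq $mySid)
    }
}

Write-Output "Console identity: $($current.Name)"
$report | Format-Table -AutoSize

$mismatch = @($report | Where-Object { -not $_.SameAsConsole })
if ($mismatch.Count -gt 0) {
    Write-Warning ("{0} service(s) run under a different account than this console; " +
        "an import from here goes to $($current.Name) only.") -f $mismatch.Count
}
```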



  • 8.  RE: dcskey import command never worked

    Posted Mon November 28, 2022 02:26 AM
    Edited by dsakai Thu December 01, 2022 12:36 AM
    Thank you Geetha for your reply.
    We found out the best solution for this issue is this:

    Never change password of the install user (Administrator) that exported the encryption key.

    Thus, we are going to manage the system using users other than the install user, say dcsvc01 and remote01. Before we change the passwords of dcsvc01 and remote01 (while leaving Administrator untouched), dcsvc01 and remote01 first need to execute "dcskey d" to remove the key from their RSA repository. Then, dcsvc01 and remote01 will change their passwords, and after that import the same encryption key again using "dcskey i". We confirmed that this way works.

    I think the root problem is these Datacap limitations.

    1) When the install user's password changes, the existing encryption key expires.
    The Datacap server is no longer able to use the encryption key to decode the password data.
    2) The dcskey d command only works as long as the account's password stays the same.
    You need to execute "dcskey d" before you change the password of the account.
    3) If the install user's password changes, and the user regenerates and exports the new encryption key,
    the other accounts must also import this new encryption key. But after that, all password data in the database and encrypted strings in the .app file must be manually re-entered. This will encode these data using the new encryption key.
    4) If the new encryption key is regenerated, the admin user's password is no longer usable (cannot be decoded), so it must be reset by using Copy-Tool. Only after that can you do step #3, which is updating the passwords after logging into TMWeb or Navigator.

    Note: We have tested test #3 and #4 and it worked. 

    I think Datacap needs to expand the "dcskey i" command so that it will automatically update the existing password data in the database and encrypted strings in the .app file using the regenerated key.

    ------------------------------
    dsakai
    ------------------------------