Cisco Wide Area Application Services Command Reference
OL-21611-01
Chapter 3 CLI Commands
cms secure-store
When you enable secure store on a Central Manager, the data is encrypted using a key encryption key
generated from the pass phrase you enter, using SHA-1 hashing and a 256-bit AES algorithm. When you
enable secure store on a WAE device, the data is encrypted using a 256-bit key encryption key generated
by SecureRandom, a cryptographically strong pseudorandom number generator. You must enter a password to
enable secure store. The password must conform to the following rules:
• Be 8 to 64 characters in length
• Contain characters only from the allowed set ([A-Za-z0-9~%'!#$^&*()|;:,\"<>/]*)
• Contain at least one digit
• Contain at least one lowercase and one uppercase letter
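A pre-check for the rules above, useful for vetting a generated pass phrase before typing it at the cms secure-store init prompt. This is an added example, not Cisco code: the function name and sample phrases are constructed, and the allowed set is taken from the CLI banner shown in the example on this page, on the assumption that the backslash in the list above is an escape artifact.

```python
import string

# Allowed set as printed in the CLI banner on this page. Assumption: the
# backslash in the prose copy of the set is an escape artifact, so it is
# not accepted here.
ALLOWED = set(string.ascii_letters + string.digits + "~%'!#$^&*()|;:,\"<>/")


def check_passphrase(phrase):
    """Return the list of violated rules; an empty list means it conforms."""
    problems = []
    if not 8 <= len(phrase) <= 64:
        problems.append("length")
    # Report the offending characters: '-', '_', '@', '.', '+', '=' and the
    # space are common in generated secrets but are outside the allowed set.
    bad = sorted(set(phrase) - ALLOWED)
    if bad:
        problems.append("charset:" + "".join(bad))
    # ASCII classes only; str.isdigit()/islower() would also accept
    # non-ASCII characters, which the allowed set excludes.
    if not any(c in string.digits for c in phrase):
        problems.append("digit")
    if not any(c in string.ascii_lowercase for c in phrase):
        problems.append("lowercase")
    if not any(c in string.ascii_uppercase for c in phrase):
        problems.append("uppercase")
    return problems


if __name__ == "__main__":
    # Constructed sample phrases, not real credentials.
    for sample in ["Wa4s!Secure#Store", "short1A", "Passw0rd-with_dash",
                   "alllowercase1", "A1b" * 22]:
        print(f"{len(sample):2d} chars -> {check_passphrase(sample) or 'ok'}")
```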
When you first initialize secure store encryption with the cms secure-store init command, this command
also opens the secure store, so there is no need to use the cms secure-store open command. When you
reboot the Central Manager, you must manually reopen secure store using the cms secure-store open
command. Until you open the secure store, a critical alarm is displayed on the Central Manager.
When you enable secure store on a WAE, the WAE initializes and retrieves a new encryption key from
the Central Manager. The WAE uses this key to encrypt user passwords, CIFS preposition and dynamic
share credentials, and WAFS password credentials stored on the WAE. When you reboot the WAE after
enabling secure store, the WAE retrieves the key from the Central Manager automatically, allowing
normal access to the data that is stored in the WAAS persistent storage. If key retrieval fails, an alarm is
raised and secure store will be in the initialized but not open state. You must open secure store manually.
If you have made any other CLI configuration changes on a WAE within the datafeed poll rate time
interval (5 minutes by default) before you entered the cms secure-store command, you will lose those
prior configuration changes and you will need to redo them.
Use the cms secure-store reset command if you reload the Central Manager and forget the secure store
password, and therefore cannot open the secure store. This command deletes all encrypted data, certificate and
key files, and key manager keys. The secure store is left in the uninitialized state. For the complete
procedure for resetting the secure store, see the “Resetting Secure Store Encryption on a Central
Manager” section on page 9-15 in the Cisco Wide Area Application Services Configuration Guide.
Examples
The following example shows how to initialize and activate secure store encryption on the WAAS
Central Manager:
waas-cm# cms secure-store init
Stopping cms.
*******************************************************************
* 1) Must be between 8 to 64 characters in length *
* 2) Allowed character set is ([A-Za-z0-9~%'!#$^&*()|;:,"<>/]*) *
* 3) Must contain at least one digit *
* 4) Must contain at least one lowercase and one uppercase letter *
*******************************************************************
enter pass-phrase:
confirm pass-phrase:
Successfully migrated user passwords
Successfully migrated Cifs preposition password
Successfully migrated Cifs dynamic shares password
Successfully migrated key store
***** WARNING : REBOOTING CM REQUIRES RE-OPENING SECURE STORE MANUALLY. AFTER REBOOT, DISK
ENCRYPTION AND CIFS PREPOSITION FEATURES ON REMOTE WAE(S) WILL NOT OPERATE
PROPERLY UNTIL USER RE-OPENS SECURE STORE ON CM BY INPUTTING THE PASSPHRASE *****
successfully initialized and opened secure-store.
Starting cms.