We are on 14x and found this article, https://knowledge.broadcom.com/external/article?articleId=16162.

The problem is that ours uses AES encryption not PBES.  We tried using the PBES and it did not work.  Ours looks like the following.  How do we get this working?

<security-domain name="iam_im-imobjectstoredb">
                    <authentication>
                        <login-module code="com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin" flag="required" module="com.ca.iam.idmutils">
                            <module-option name="userName" value="YYY"/>
                            <module-option name="password" value="{AES}:XXX
                            <module-option name="managedConnectionFactoryName" value="jboss.jca:name=iam/im/jdbc/jdbc/objectstore,service=NoTxCM"/>
                        </login-module>
                    </authentication>
                </security-domain>

The PasswordTool does not have an option for encrypting into AES format. It includes libraries for encrypting only PBES, RC2, and CANIMSM. Your organization should have or should obtain the appropriate encryption libraries required for AES. For example, there is a utility named something like Crypt AES that you can Google and download.