XCOM LUW configssl.cnf encrypted private key [PASSWORD] field encryption

Article ID: 436569

Products

XCOM Data Transport; XCOM Data Transport - Windows; XCOM Data Transport - Linux PC

Issue/Introduction

The SSL configuration file configssl.cnf of XCOM for LUW (Linux, Unix, Windows) has a [PASSWORD] section for the password/pass phrase of an encrypted private key ("local certificates" here effectively means the private key files, since public certificates cannot be encrypted):

# Mandatory if local certificates were created with passwords.  If local
# certificates were not created with passwords, the value will be ignored.
# PASSWORD has to match the password used when generating the certificates.
[PASSWORD]
INITIATE_SIDE = password
RECEIVE_SIDE  = password

Can that PASSWORD field be stored in an encrypted form instead of in plain text?

Environment

XCOM™ Data Transport® for UNIX/Linux 
XCOM™ Data Transport® for Windows

Resolution

The utility xcomossl (Linux/Unix) or xcomossl.exe (Windows) can be used to encrypt the PASSWORD field.

Currently only the XCOM for AS/400 documentation covers the xcomossl utility (XCOM™ Data Transport® for AS/400 11.0 > Administrating > Generating TLS/SSL Certificates > Encryption Using XCOMOSSL).
The LUW documentation will be updated soon.

NOTES:

  1. The private keys created by the XCOM sample scripts in the "%XCOM_HOME%"\Ssl\private directory are as follows:
     - casslkey.pem is encrypted (in an editor it shows "-----BEGIN ENCRYPTED PRIVATE KEY-----" at the top).
     - clientkey.pem and serverkey.pem are not encrypted (in an editor both show "-----BEGIN PRIVATE KEY-----" at the top).

  2. Whether a key is encrypted can be confirmed from a command prompt. Change to the directory "%XCOM_HOME%"\Ssl\private and run this command on each file:
    openssl rsa -in file_name.pem -text -noout
    For casslkey.pem the command prompts with "Enter pass phrase for casslkey.pem"; the other two files do not prompt.

  3. Only the clientkey.pem and serverkey.pem files are used in configssl.cnf.


Support tested on XCOM for Windows as follows:

  1. Clear out existing temporary files and certs/private directories from the Ssl directory.

  2. Edit the clientssl.conf and serverssl.conf files and change encrypt_key from no to yes.

  3. Start a command prompt with "Run as administrator" and change directory to "%XCOM_HOME%"\Ssl. From the command prompt:

    1. Run makeca.bat

    2. Run makeclient.bat and it prompts for 'Enter PEM pass phrase'. Use for example: client_password

    3. Run makeserver.bat and it prompts for 'Enter PEM pass phrase'. Use for example: server_mypassword 

  4. Confirm that files private\clientkey.pem and private\serverkey.pem are now encrypted using the checks from above NOTES.

  5. Using the default configssl.cnf, whose [PASSWORD] section still has the value password on both lines, a secure loopback transfer fails as expected with the error:
        XCOMN0780E Txpi  308: TxpiInitSSL Failed msg = <error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt> value = 0:

  6. After changing the [PASSWORD] section values to client_password and server_password per below, the transfer is successful:
    ****
    [PASSWORD]
    INITIATE_SIDE = client_password
    RECEIVE_SIDE  = server_password
    *****
  7. To use xcomossl.exe, edit configssl.cnf and add a '#!ENCRYPT' line before each password entry.
    NOTE: Also remove any spaces on the INITIATE_SIDE and RECEIVE_SIDE lines, because they may cause xcomossl.exe to add unexpected spaces in the ".ENCRYPTED" versions of those parameter names, which then fail to parse correctly during a secure transfer:
    *****
    [PASSWORD]
    #!ENCRYPT
    INITIATE_SIDE=client_password
    #!ENCRYPT
    RECEIVE_SIDE=server_password
    *****

  8. Start a command prompt with "Run as administrator" and change directory to "%XCOM_HOME%"\config.
    Run xcomossl.exe on file configssl.cnf to create a new version configssl2.cnf using this command: "%XCOM_HOME%"\xcomossl.exe configssl.cnf configssl2.cnf

  9. The created configssl2.cnf file shows:
    *****
    [PASSWORD]
    #!ENCRYPT
    INITIATE_SIDE.ENCRYPTED=4c 53 4a 6c b2 c8 b9 c5 b4 cd 89 ca 92 d8 ce f8 b6 bf a5 3e 13 18 2d 4e 32 27 1d 43 1e 1a 0f 4f 2e 39 1e 3f 23 25 11 31 2f 35 30 40 1f 2a 1c 33 11 36 2c 52 20 26 21 3e 13 18 2d 4e 32 27 1d 43 1e 1a 0f 4f 2e 39 1e 3f 23 25 11 31 2f 35 30 40 1f 2a 1c 33 11 36 2c 52 20 26 21 3e 13 18 2d 4e 32 27 1d 43 1e 1a 0f 4f 00 
    #!ENCRYPT
    RECEIVE_SIDE.ENCRYPTED=4c 53 4a 6c d1 ba c9 e5 a4 c3 89 ca 92 d8 ce f8 b6 bf a5 3e 13 18 2d 4e 32 27 1d 43 1e 1a 0f 4f 2e 39 1e 3f 23 25 11 31 2f 35 30 40 1f 2a 1c 33 11 36 2c 52 20 26 21 3e 13 18 2d 4e 32 27 1d 43 1e 1a 0f 4f 2e 39 1e 3f 23 25 11 31 2f 35 30 40 1f 2a 1c 33 11 36 2c 52 20 26 21 3e 13 18 2d 4e 32 27 1d 43 1e 1a 0f 4f 00 
    *****

  10. Replace configssl.cnf with configssl2.cnf; the resulting transfer is also successful, which verifies that XCOM decrypts the PASSWORD field at run time.
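A pre-flight lint for the [PASSWORD] section, added here as an example and not XCOM's own tooling: it flags the step 7 pitfalls (missing #!ENCRYPT line, spaces around '=') before xcomossl is run and checks the .ENCRYPTED hex form afterwards. The sample texts are constructed from the fragments in steps 6, 7 and 9, with the hex values shortened.

```python
"""Lint the [PASSWORD] section of an XCOM LUW configssl.cnf before and after running
xcomossl. Added example (not XCOM's code); samples constructed from steps 6, 7 and 9."""
import re

HEX_STREAM = re.compile(r"^([0-9a-f]{2} )*[0-9a-f]{2}$")
PASSWORD_KEYS = ("INITIATE_SIDE", "RECEIVE_SIDE")

STEP6_CONFIG = "[PASSWORD]\nINITIATE_SIDE = client_password\nRECEIVE_SIDE  = server_password\n"
STEP7_CONFIG = ("[PASSWORD]\n#!ENCRYPT\nINITIATE_SIDE=client_password\n"
                "#!ENCRYPT\nRECEIVE_SIDE=server_password\n")
STEP9_CONFIG = ("[PASSWORD]\n#!ENCRYPT\nINITIATE_SIDE.ENCRYPTED=4c 53 4a 6c b2 c8 00\n"
                "#!ENCRYPT\nRECEIVE_SIDE.ENCRYPTED=4c 53 4a 6c d1 ba 00\n")

def password_section(text):
    """Return the non-blank lines of the [PASSWORD] section, header excluded."""
    lines, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            inside = line.upper() == "[PASSWORD]"
        elif inside and line:
            lines.append(line)
    return lines

def lint_password_section(text):
    """Return findings; an empty list means ready for xcomossl or already .ENCRYPTED."""
    findings, lines = [], password_section(text)
    for i, line in enumerate(lines):
        if line.startswith("#") or "=" not in line:
            continue
        raw_name, raw_value = line.split("=", 1)
        name, value = raw_name.strip(), raw_value.strip()
        base = name.split(".")[0].strip()
        if base not in PASSWORD_KEYS:
            continue
        if " " in name:
            # The symptom from step 7: a stray space inside the parameter name
            findings.append(f"{base}: space inside parameter name '{name}'")
        if name.endswith(".ENCRYPTED"):
            # Step 9: xcomossl writes the value as space-separated hex bytes
            if not HEX_STREAM.match(value):
                findings.append(f"{base}: .ENCRYPTED value is not a hex byte stream")
            continue
        # Step 7: xcomossl only rewrites an entry preceded by a #!ENCRYPT line
        if i == 0 or lines[i - 1] != "#!ENCRYPT":
            findings.append(f"{base}: plaintext password without #!ENCRYPT line")
        # Step 7: spaces around '=' leak into the .ENCRYPTED name and break parsing
        if raw_name != name or raw_value != value:
            findings.append(f"{base}: remove spaces around '='")
    return findings
```

The lint checks only the file's form; since the transfer process still recovers the pass phrase from configssl.cnf at run time (step 10), keep read access to that file restricted regardless of the .ENCRYPTED encoding.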