| Command Line Tools Guide Red Hat Certificate System |
Chapter 3
Password Cache Utility
During the installation of Red Hat Certificate System (CS), the installation daemon stores all the passwords required by the server for starting up, such as the bind passwords used by Certificate System to access and update the internal LDAP database and the LDAP directory used for authentication or publishing, in a password cache. The cache is maintained in a file encrypted using a symmetric key generated by the cryptographic module wherein the key resides; that key is in turn protected by the single sign-on password (the internal cryptographic module password) you specify during installation.
The command-line utility named PasswordCache enables you to manipulate the contents of the password cache. You will be required to manipulate the password cache for various reasons. For example, assume you've configured the Certificate Manager to publish certificates and CRLs to an LDAP directory and have configured it to bind to the directory with Directory Manager's DN and password. If the directory administrator changes the Directory Manager's password, the Certificate Manager will fail to bind to the directory during startup. You can resolve this problem by modifying the corresponding bind password in the cache using the PasswordCache utility.
This chapter has the following sections:
- Location
- Syntax
- Usage
Location
The PasswordCache utility is located with the rest of the command-line tools in this directory: <server_root>/bin/cert/tools
Syntax
To run the utility, execute the following command from the <server_root>/cert-<instance_id>/config directory (must be run from this directory unless the "-c" option is used):
PasswordCache <sso_password> -d <certificate/key db directory> [-h <token name>]
-P <certificate/key db prefix> [-c <pwcache db directory>] [-k <file containing base-64 encoded key ID>] <command>
- <sso_password> specifies the current single sign-on password.
- <certificate/key db directory> specifies the path to the certificate database (cert8.db) and key database (key3.db) files. The default path is <server_root>/alias.
- <certificate/key db prefix> specifies the prefix for the certificate database (cert8.db) and key database (key3.db) files. The default prefix is in the cert-<instance_id>-<hostname>- format.
- <token name> refers to the label given to the attached hardware token (only relevant when the keys reside on a hardware token). The user may be prompted to enter the hardware token's password for access to the hardware token.
- <pwcache db directory> specifies the path to the pwcache.db file. The default path is the present directory.
- <file containing base-64 encoded key ID> specifies the file containing the ID to the protection key generated from a previous "rekey" command.
- <command> can be any of the following:
- list lists the contents of the password cache.
- rekey generates a protection key and presents the base-64 encoded key ID on the screen. The administrator should store the blob to a local file (e.g., keyID.txt) and replace the value of the "pwcKeyid" in the CS.cfg file.
- add <password_name> <password>
- change <password_name> <password>
- delete <password_name>
- <password_name> specifies the string (describing the password usage) you want to add to, or modify or delete from the cache; it is equivalent to the value assigned to the bindPWPrompt or tokenname parameter in the CS configuration file. It is essential that the <password_name> coincide with the names known by Certificate System: for example, the internal cryptographic module is known as internal, the internal LDAP bind password is known as Internal LDAP Database, and the LDAP publishing bind password for the Certificate Manager is known as CA LDAP Publishing.
- <password> specifies the new password.
Usage
You can use the PasswordCache utility for the following:
- Listing the Contents of the Password Cache
- Generating a New Protection Key for the Password Cache
- Adding a New Entry to the Password Cache
- Changing the Password of an Entry in the Password Cache
- Deleting an Entry From the Password Cache
The sections that follow explain how you can accomplish the above-mentioned tasks.
Listing the Contents of the Password Cache
To list or view the contents of the password cache:
- Open a command window.
- Go to this directory: <server_root>/cert-<instance_id>/config
- At the prompt, enter the command below, substituting the variables with appropriate values:
- PasswordCache <sso_password> -d <certificate/key db directory> -P <certificate/key db prefix> list
- For example, assume your single sign-on password is mySsoPwd, the CS instance name is demoCA, and the host name is CShost. The command would look like this:
- PasswordCache mySsoPwd -d /opt/redhat-cs/alias
-P cert-demoCA-CShost- list
Generating a New Protection Key for the Password Cache
To generate a new protection key for the password cache:
- <70_server_root>/bin/cert/tools/PasswordCache <password> -d <alias directory> -P <prefix> -c <file> rekey
- For example:
- <70_server_root>/bin/cert/tools/PasswordCache <password> -d <70_server_root>/alias -P cert-<instance>-<hostname>- -c pwcache.db rekey
- The following will be output to the screen when the command is run:
    cert/key prefix = cert-<instance>-<hostname>-
    cert/key db path = <70_server_root>/alias
    password cache file = pwcache.db
    token name = internal
    generating new key...
    PWsdrCache: mToken = internal
    PWsdrCache: SDR key generated
    key generated successfully with key id = OPHHNSQTY0RUGFJbcaco1g==
    Save the VALUE portion of this key id in a local file,
    and under variable "pwcKeyid" in CS.cfg!!
    If you have not already done so,
    remove the old pwcache.db and use this local file to add passwords.
- Save the value portion of the key id into a local file such as key.txt.
- Save the value portion of the key id into the CS.cfg file under the variable "pwcKeyid".
Adding a New Entry to the Password Cache
To add a new entry to the cache:
- Open a command window.
- Go to this directory: <server_root>/cert-<instance_id>/config
- At the prompt, enter the command below, substituting the variables with appropriate values:
- PasswordCache <sso_password> -d <certificate/key db directory>
-P <certificate/key db prefix> -k keyID.txt add <password_name> <password>
- For example, assume your single sign-on password is mySsoPwd, the CS instance name is demoCA, the host name is CShost, the string describing the password usage is Bind Password for LDAP Publishing Directory, and the password is myLdapPubPwd. The command would look like this:
- PasswordCache mySsoPwd -d /opt/redhat-cs/alias
-P cert-demoCA-CShost- -k keyID.txt add "CA LDAP Publishing" myLdapPubPwd
- If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.
Changing the Password of an Entry in the Password Cache
To change the password associated with an entry in the password cache:
- Open a command window.
- Go to this directory: <server_root>/cert-<instance_id>/config
- At the prompt, enter the command below, substituting the variables with appropriate values:
- PasswordCache <sso_password> -d <certificate/key db directory>
-P <certificate/key db prefix> -k keyID.txt change <password_name> <password>
- For example, assume your single sign-on password is mySsoPwd, the CS instance name is demoCA, the host name is CShost, the string describing the password usage is Bind Password for LDAP Publishing Directory, and the new password is myNewLdapPubPwd. The command would look like this:
- PasswordCache mySsoPwd -d /opt/redhat-cs/alias
-P cert-demoCA-CShost- -k keyID.txt change "CA LDAP Publishing" myNewLdapPubPwd
- If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.
Deleting an Entry From the Password Cache
To delete an entry from the cache:
- Open a command window.
- Go to this directory: <server_root>/cert-<instance_id>/config
- At the prompt, enter the command below, substituting the variables with appropriate values:
- PasswordCache <sso_password> -d <certificate/key db directory>
-P <certificate/key db prefix> delete <password_name>
- For example, assume your single sign-on password is mySsoPwd, the CS instance name is demoCA, the host name is CShost, and the string describing the password usage is Bind Password for LDAP Publishing Directory. The command would look like this:
- PasswordCache mySsoPwd -d /opt/redhat-cs/alias
-P cert-demoCA-CShost- delete "CA LDAP Publishing"
- If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.