Command-Line Tools Guide
Netscape Certificate Management System


Chapter 3   Password Cache Utility


During the installation of Netscape Certificate Management System (CMS), the installation daemon stores all the passwords the server needs at startup, such as the bind passwords Certificate Management System uses to access and update the internal LDAP database and the LDAP directory used for authentication or publishing, in a password cache. The cache is a file encrypted with a symmetric protection key; that key is generated by, and resides in, the cryptographic module, and is itself protected by the single sign-on password (the internal cryptographic module password) you specify during installation.

The command-line utility named PasswordCache enables you to manipulate the contents of the password cache. You will need to do so for various reasons. For example, assume you have configured the Certificate Manager to publish certificates and CRLs to an LDAP directory and to bind to the directory with the Directory Manager's DN and password. If the directory administrator changes the Directory Manager's password, the Certificate Manager fails to bind to the directory during startup. You resolve this by changing the corresponding bind password in the cache with the PasswordCache utility and then restarting the server, which reads the cache only at startup.

This chapter has the following sections:

  Location
  Syntax
  Usage

Location


The PasswordCache utility is located with the rest of the command-line tools in this directory: <server_root>/bin/cert/tools

Syntax


To run the utility, execute the following command from the <server_root>/cert-<instance_id>/config directory (the utility must be run from this directory unless the -c option is used):

PasswordCache <sso_password> -d <certificate/key db directory> [-h <token name>] -P <certificate/key db prefix> [-c <pwcache db directory>] [-k <file containing base-64 encoded key ID>] <command>

<sso_password> specifies the current single sign-on password. Because it is passed as a command-line argument, it can appear in your shell's history file and, while the utility runs, in process listings (ps) visible to other local users; run the utility only on a host where that exposure is acceptable, and clear or disable shell history for the session.
 
<certificate/key db directory> specifies the path to the certificate database (cert8.db) and key database (key3.db) files. The default path is <server_root>/alias.
 
<certificate/key db prefix> specifies the prefix for the certificate database (cert8.db) and key database (key3.db) files. The default prefix is in the cert-<instance_id>-<hostname>- format.
 
<token name> refers to the label given to the attached hardware token (only relevant when the keys reside on a hardware token). You may be prompted to enter the hardware token's password to access the token.
 
<pwcache db directory> specifies the path to the pwcache.db file. The default path is the current directory.
 
<file containing base-64 encoded key ID> specifies the file containing the ID to the protection key generated from a previous "rekey" command.
 
<command> can be any of the following:
 
list lists the contents of the password cache.
 
rekey generates a new protection key and prints its base-64 encoded key ID on the screen. Store the ID in a local file (for example, keyID.txt) and set the value of pwcKeyid in the CMS.cfg file to it. Entries in the existing pwcache.db were encrypted under the previous key, so after a rekey you must remove the old cache and add the passwords again using the -k option.
 
add <password_name> <password>
 
change <password_name> <password>
 
delete <password_name>
 
<password_name> specifies the string (describing the password usage) you want to add to, or modify or delete from the cache; it is equivalent to the value assigned to the bindPWPrompt or tokenname parameter in the CMS configuration file. It is essential that the <password_name> coincide with the names known by Certificate Management System: for example, the internal cryptographic module is known as internal, the internal LDAP bind password is known as Internal LDAP Database, and the LDAP publishing bind password for the Certificate Manager is known as CA LDAP Publishing.
 
<password> specifies the new password.
 

Usage


You can use the PasswordCache utility for the following:

  Listing the contents of the password cache
  Generating a new protection key for the password cache
  Adding a new entry to the password cache
  Changing the password of an entry in the password cache
  Deleting an entry from the password cache

The sections that follow explain how you can accomplish the above mentioned tasks.


Note  

The server queries the password cache only during startup, and hence recognizes the changes you have made to the cache only after you restart the server from the command line. If you leave any password blank, the server prompts you for it during startup and from then on stores it in the password cache.




Listing the Contents of the Password Cache

To list or view the contents of the password cache:

  1. Open a command window.
  2. Go to this directory: <server_root>/cert-<instance_id>/config
  3. At the prompt, enter the command below, substituting the variables with appropriate values:

     PasswordCache <sso_password> -d <certificate/key db directory> -P <certificate/key db prefix> list

     For example, assume your single sign-on password is mySsoPwd, the CMS instance name is demoCA, and the host name is cmshost. The command would look like this:

     PasswordCache mySsoPwd -d /usr/netscape/servers/alias -P cert-demoCA-cmshost- list


Generating a New Protection Key for the Password Cache

To generate a new protection key for the password cache:

  1. Execute the following command, substituting the variables with appropriate values:

     <server_root>/bin/cert/tools/PasswordCache <sso_password> -d <certificate/key db directory> -P <certificate/key db prefix> -c <file> rekey

     For example:

     <server_root>/bin/cert/tools/PasswordCache <sso_password> -d <server_root>/alias -P cert-<instance>-<hostname>- -c pwcache.db rekey

     The following is output to the screen when the command is run (the key ID shown is an example; yours will differ):

     cert/key prefix = cert-<instance>-<hostname>-
     cert/key db path = <server_root>/alias
     password cache file = pwcache.db
     token name = internal
     generating new key...
     PWsdrCache: mToken = internal
     PWsdrCache: SDR key generated
     key generated successfully with key id = OPHHNSQTY0RUGFJbcaco1g==
     Save the VALUE portion of this key id in a local file,
     and under variable "pwcKeyid" in CMS.cfg!!
     If you have not already done so,
     remove the old pwcache.db and use this local file to add passwords.

  2. Save the value portion of the key ID (the base-64 string after "key id = ") into a local file such as key.txt. This is the file you pass with the -k option to later add and change commands.
  3. Save the same value into the CMS.cfg file under the variable "pwcKeyid".
  4. As the output says, the entries in the old pwcache.db were encrypted under the previous protection key: remove the old pwcache.db, add each password again with the add command and the -k option, and restart the server so that it reads the new cache.
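The bookkeeping after the rekey command (copying the key ID into a file and into CMS.cfg) is easy to get wrong by hand. The following shell script is an added example, not code from the Netscape CMS guide or product: it reads captured rekey output, extracts the VALUE portion of the key ID, writes it to a local file and sets pwcKeyid in CMS.cfg while keeping a backup. It assumes the output line format shown above and a CMS.cfg that stores the setting as a single pwcKeyid=<value> line; the sample rekey output and CMS.cfg contents inside the script are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Netscape CMS guide: automate the steps that
# follow "PasswordCache ... rekey". Reads captured rekey output, extracts
# the VALUE portion of the key id, writes it to a local file and sets
# pwcKeyid in CMS.cfg. Assumptions: the output line format shown in the
# guide ("key generated successfully with key id = <base-64>") and a
# CMS.cfg that stores the setting as one "pwcKeyid=<value>" line.

# Print the base-64 key id found in rekey output on stdin.
# Returns 1 (printing nothing) when the line is absent, so a failed rekey
# never overwrites a working key id.
extract_key_id() {
    kid=$(sed -n 's|^.*key generated successfully with key id = *\([A-Za-z0-9+/=]*\) *$|\1|p' | head -n 1)
    [ -n "$kid" ] || return 1
    printf '%s\n' "$kid"
}

# Save the key id to the file later passed with -k (created mode 0600).
save_key_id_file() {    # $1 = key id, $2 = output file
    (umask 077; printf '%s\n' "$1" > "$2")
}

# Replace, or append, the pwcKeyid line in CMS.cfg, keeping a .bak copy.
set_pwc_keyid() {       # $1 = key id, $2 = path to CMS.cfg
    cfg=$2
    cp -p "$cfg" "$cfg.bak" || return 1
    if grep -q '^pwcKeyid=' "$cfg"; then
        # '#' as the sed delimiter: base-64 ids contain '/', '+' and '='
        # but never '#' or '&', so the id needs no escaping.
        sed "s#^pwcKeyid=.*#pwcKeyid=$1#" "$cfg.bak" > "$cfg"
    else
        { cat "$cfg.bak"; printf 'pwcKeyid=%s\n' "$1"; } > "$cfg"
    fi
}

# Read the configured key id back, to verify the edit.
get_pwc_keyid() {       # $1 = path to CMS.cfg
    sed -n 's/^pwcKeyid=//p' "$1" | head -n 1
}

# Constructed sample rekey output (key id copied from the guide's example).
SAMPLE_REKEY_OUTPUT='token name = internal
generating new key...
PWsdrCache: SDR key generated
key generated successfully with key id = OPHHNSQTY0RUGFJbcaco1g==
Save the VALUE portion of this key id in a local file,
and under variable "pwcKeyid" in CMS.cfg!!'

# End-to-end run against a constructed CMS.cfg in $1; prints the new id.
demo_rekey_followup() { # $1 = scratch directory
    dir=$1
    # "other.setting" is a constructed placeholder, not a real CMS.cfg key.
    printf 'pwcKeyid=oldKeyIdAAAAAAAAAAAAAA==\nother.setting=keep-me\n' > "$dir/CMS.cfg"
    kid=$(printf '%s\n' "$SAMPLE_REKEY_OUTPUT" | extract_key_id) || return 1
    save_key_id_file "$kid" "$dir/key.txt"
    set_pwc_keyid "$kid" "$dir/CMS.cfg"
    get_pwc_keyid "$dir/CMS.cfg"
}
```

For a real run, capture the tool's output with `PasswordCache ... rekey 2>&1 | tee rekey.out`, then call `extract_key_id < rekey.out` and check its exit status before passing the result to save_key_id_file and set_pwc_keyid; the functions deliberately refuse to write anything when no key ID line was found.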

Adding a New Entry to the Password Cache

To add a new entry to the cache:

  1. Open a command window.
  2. Go to this directory: <server_root>/cert-<instance_id>/config
  3. At the prompt, enter the command below, substituting the variables with appropriate values:

     PasswordCache <sso_password> -d <certificate/key db directory> -P <certificate/key db prefix> -k keyID.txt add <password_name> <password>

     For example, assume your single sign-on password is mySsoPwd, the CMS instance name is demoCA, the host name is cmshost, the entry to add is the Certificate Manager's LDAP publishing bind password (password name CA LDAP Publishing), and the password is myLdapPubPwd. The command would look like this:

     PasswordCache mySsoPwd -d /usr/netscape/servers/alias -P cert-demoCA-cmshost- -k keyID.txt add "CA LDAP Publishing" myLdapPubPwd

     If the password name string includes spaces, be sure to enclose the string in double quotes as in the above example. keyID.txt is the file in which you saved the key ID printed by the rekey command.
     

Changing the Password of an Entry in the Password Cache

To change the password associated with an entry in the password cache:

  1. Open a command window.
  2. Go to this directory: <server_root>/cert-<instance_id>/config
  3. At the prompt, enter the command below, substituting the variables with appropriate values:

     PasswordCache <sso_password> -d <certificate/key db directory> -P <certificate/key db prefix> -k keyID.txt change <password_name> <password>

     For example, assume your single sign-on password is mySsoPwd, the CMS instance name is demoCA, the host name is cmshost, the entry to change is the Certificate Manager's LDAP publishing bind password (password name CA LDAP Publishing), and the new password is myNewLdapPubPwd. The command would look like this:

     PasswordCache mySsoPwd -d /usr/netscape/servers/alias -P cert-demoCA-cmshost- -k keyID.txt change "CA LDAP Publishing" myNewLdapPubPwd

     If the password name string includes spaces, be sure to enclose the string in double quotes as in the above example. Remember that the server picks up the new password only after a restart.
     

Deleting an Entry From the Password Cache

To delete an entry from the cache:

  1. Open a command window.
  2. Go to this directory: <server_root>/cert-<instance_id>/config
  3. At the prompt, enter the command below, substituting the variables with appropriate values:

     PasswordCache <sso_password> -d <certificate/key db directory> -P <certificate/key db prefix> delete <password_name>

     For example, assume your single sign-on password is mySsoPwd, the CMS instance name is demoCA, the host name is cmshost, and the entry to delete is the Certificate Manager's LDAP publishing bind password (password name CA LDAP Publishing). The command would look like this:

     PasswordCache mySsoPwd -d /usr/netscape/servers/alias -P cert-demoCA-cmshost- delete "CA LDAP Publishing"

     If the password name string includes spaces, be sure to enclose the string in double quotes as in the above example. After deleting an entry the server still expects at startup, it will prompt for that password and store it in the cache again.
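The add, change and delete procedures above differ only in their trailing arguments, and the mistakes that matter are the same in each: a wrong database prefix, a password name the server never looks up, a missing key ID file, or a name with spaces split into several arguments. The following wrapper is an added example, not code from the Netscape CMS guide or product. It derives the prefix from the instance and host names, runs the utility from the instance's config directory so the default pwcache.db location applies, passes the saved key ID file for add and change, and rejects password names other than the three this chapter documents. Its conventions are assumptions of the example: <server_root> comes from the SERVER_ROOT environment variable, the key ID file is keyID.txt in the config directory, and PWCACHE_DRY_RUN=1 prints the command (with the single sign-on password masked) instead of running it.

```shell
#!/bin/sh
# Added example, not from the Netscape CMS guide: a wrapper for the
# add/change/delete procedures. It derives the -P prefix from the
# instance and host names, runs from the instance's config directory
# (so the default pwcache.db location applies), passes the saved key id
# file for add and change, and refuses password names the server does not
# look up, so a typo does not create an entry the server never reads.
# Assumptions (the example's own, not the guide's): <server_root> is
# $SERVER_ROOT, the key id file is <config dir>/keyID.txt, and
# PWCACHE_DRY_RUN=1 prints the command instead of running it.

SERVER_ROOT=${SERVER_ROOT:-/usr/netscape/servers}

# Password names the guide lists as known to the server. Add the value of
# any other bindPWPrompt or tokenname parameter present in your CMS.cfg.
KNOWN_NAMES='internal
Internal LDAP Database
CA LDAP Publishing'

known_password_name() {   # $1 = name; exit 0 if the server looks it up
    printf '%s\n' "$KNOWN_NAMES" | grep -Fxq -- "$1"
}

cache_db_prefix() {       # $1 = instance id, $2 = host name
    printf 'cert-%s-%s-\n' "$1" "$2"
}

# pwcache_entry <instance> <host> <sso_pw> add|change|delete <name> [<pw>]
pwcache_entry() {
    inst=$1 host=$2 sso=$3 cmd=$4 name=$5 pw=$6
    case $cmd in
        add|change) [ -n "$pw" ] || { echo "$cmd needs a password" >&2; return 2; } ;;
        delete) ;;
        *) echo "unknown command: $cmd" >&2; return 2 ;;
    esac
    known_password_name "$name" || { echo "unknown password name: $name" >&2; return 3; }
    cfgdir=$SERVER_ROOT/cert-$inst/config
    tool=$SERVER_ROOT/bin/cert/tools/PasswordCache
    if [ "${PWCACHE_DRY_RUN:-0}" = 1 ]; then
        sso='<sso_password>'   # never echo the real SSO password
    fi
    # The positional parameters carry the argv, so a name containing
    # spaces stays a single argument without eval or quoting tricks.
    set -- "$sso" -d "$SERVER_ROOT/alias" -P "$(cache_db_prefix "$inst" "$host")"
    case $cmd in
        delete) set -- "$@" delete "$name" ;;
        *)      [ -r "$cfgdir/keyID.txt" ] || { echo "missing $cfgdir/keyID.txt (run rekey first)" >&2; return 4; }
                set -- "$@" -k keyID.txt "$cmd" "$name" "$pw" ;;
    esac
    if [ "${PWCACHE_DRY_RUN:-0}" = 1 ]; then
        printf 'cd %s && %s' "$cfgdir" "$tool"
        for a; do printf ' "%s"' "$a"; done
        printf '\n'
        return 0
    fi
    (cd "$cfgdir" && "$tool" "$@")
}
```

A typical rotation of the publishing bind password is then `pwcache_entry demoCA cmshost "$SSO" change "CA LDAP Publishing" "$NEWPW"` followed by a server restart; run it first with PWCACHE_DRY_RUN=1 to see the exact command that will be executed.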

© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.


Last Updated November 23, 2004