Managing Security of Passwords

For more information on using certutil, pk12util, and other NSS security tools, see NSS Security Tools at http://www.mozilla.org/projects/security/pki/nss/tools.

Managing Security of Passwords

In the Enterprise Server, the file domain.xml, which contains the specifications for a particular domain, initially contains the password of the Message Queue broker in clear text. The element in the domain.xml file that contains this password is the admin-password attribute of the jms-host element. Because this password is not changeable at installation time, it does not have a significant security impact.

However, you use the Admin Console to add users and resources and to assign passwords to them. Some of these passwords are written to the domain.xml file in clear text, for example, passwords for accessing a database. Having these passwords in clear text in the domain.xml file can present a security hazard. You can encrypt any password in domain.xml, including the admin-password attribute or a database password. Instructions for managing these passwords are included in the following topics:

“Encrypting a Password in the domain.xml File”

“Protecting Files with Encoded Passwords”

“Changing the Master Password”

“Working with the Master Password and Keystores”

“Changing the Admin Password”

Encrypting a Password in the domain.xml File

To encrypt a password in the domain.xml file, follow these steps:

1. From the directory where the domain.xml file resides (domain-dir/config by default), run the following asadmin command:

asadmin create-password-alias --user admin alias-name

For example,

asadmin create-password-alias --user admin jms-password

A password prompt appears (admin in this case). Refer to the man pages for the create-password-alias, list-password-aliases, and delete-password-alias commands for more information.

2. Remove and replace the password in domain.xml. This is accomplished using the asadmin set command. An example of using the set command for this purpose is as follows:

asadmin set --user admin server.jms-service.jms-host.default_JMS_host.admin-password='${ALIAS=jms-password}'
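
The following Python script is an added example, not part of the Sun manual. It audits a domain.xml for password values that are still in clear text, that is, not yet replaced by a ${ALIAS=...} reference as in steps 1 and 2. The sample XML is constructed, and the `<property name="Password">` layout for database passwords is an assumption about how the file stores them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real domain.xml: one clear-text JMS broker password,
# one clear-text database password, and one value already replaced by an alias.
SAMPLE_DOMAIN_XML = """
<domain>
  <configs><config name="server-config">
    <jms-service>
      <jms-host name="default_JMS_host" admin-user-name="admin" admin-password="admin"/>
      <jms-host name="second_host" admin-user-name="admin" admin-password="${ALIAS=jms-password}"/>
    </jms-service>
  </config></configs>
  <resources>
    <jdbc-connection-pool name="SamplePool">
      <property name="Password" value="s3cret"/>
    </jdbc-connection-pool>
  </resources>
</domain>
"""

ALIAS_RE = re.compile(r"^\$\{ALIAS=[^}]+\}$")  # the form written by asadmin set in step 2

def find_cleartext_passwords(xml_text):
    """Return (location, field) pairs whose password value is not an alias reference."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.get("name") and elem.tag != "property":
            here += f"[{elem.get('name')}]"
        # Case 1: attributes such as admin-password on jms-host.
        for attr, value in elem.attrib.items():
            if "password" in attr.lower() and value and not ALIAS_RE.match(value):
                findings.append((here, attr))
        # Case 2 (assumed layout): <property name="Password" value="..."/> children.
        if elem.tag == "property" and "password" in elem.get("name", "").lower():
            value = elem.get("value", "")
            if value and not ALIAS_RE.match(value):
                findings.append((path, elem.get("name")))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for location, field in find_cleartext_passwords(SAMPLE_DOMAIN_XML):
        print(f"clear-text password: {location} -> {field}")
```

Run it against a copy of domain-dir/config/domain.xml after creating aliases; an empty result means every password field it recognizes holds an alias reference.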

Chapter 9 • Configuring Security

Sun Microsystems 820433510 manual Managing Security of Passwords, Encrypting a Password in the domain.xml File