iPlanet Certificate Management System Command-Line Tools Guide



Chapter 2   Password Cache Utility


During the installation of iPlanet Certificate Management Server (CMS), the watchdog stores all the passwords the server requires for starting up in a password cache. These include the passwords for the internal or external tokens, the bind password used by Certificate Management System to access and update the internal database, and the bind password used by Certificate Management System to access and update the LDAP directory used for authentication or publishing. The cache is maintained in a file encrypted using the single sign-on password you specify during installation.

The command-line utility named PasswordCache enables you to manipulate the contents of the password cache. You may need to do this for various reasons. For example, assume you've configured the Certificate Manager to publish certificates and CRLs to an LDAP directory and have configured it to bind to the directory with Directory Manager's DN and password. If the directory administrator changes the Directory Manager's password, the Certificate Manager will fail to bind to the directory during startup. You can resolve this problem by modifying the corresponding bind password in the cache using the PasswordCache utility.

This chapter has the following sections:

  • Location

  • Syntax

  • Usage



Location

The PasswordCache utility is located with the rest of the command-line tools in this directory: <server_root>/bin/cert/tools



Syntax



You can run the utility by executing the following command from the <server_root>/cert-<instance_id> directory:

PasswordCache <sso_password> <command>

where <sso_password> specifies the current single sign-on password and <command> can be any of the following:

  • list

  • add <password_name> <password>

  • change <password_name> <password>

  • delete <password_name>

  • changesso <new_sso_password>

  • create

    <password_name> specifies the string (describing the password usage) that you want to add to, modify in, or delete from the cache; it is equivalent to the value assigned to the bindPWPrompt or tokenname parameter in the CMS configuration file.

    <password> specifies the new password.

    <new_sso_password> specifies the new single sign-on password.



    Note: You must run the PasswordCache utility from the <server_root>/cert-<instance_id> directory.





Usage

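You can use the PasswordCache utility for the following:

  • Changing the Single Sign-On Password

  • Listing the Contents of the Password Cache

  • Adding a New Entry to the Password Cache

  • Changing the Password of an Entry in the Password Cache

  • Deleting an Entry From the Password Cache

  • Creating a New Password Cache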


Changing the Single Sign-On Password

To change the single sign-on password:

  1. Open a command window.

  2. Go to this directory: <server_root>/cert-<instance_id>

  3. At the prompt, enter the command below, substituting <sso_password> with the single sign-on password and <new_sso_password> with the new single sign-on password.

    PasswordCache <sso_password> changesso <new_sso_password>

    For example, if your old password is mySsoPwd and your new password is myNewSsoPwd, the command would look like this:

    PasswordCache mySsoPwd changesso myNewSsoPwd


Listing the Contents of the Password Cache

To list or view the contents of the password cache:

  1. Open a command window.

  2. Go to this directory: <server_root>/cert-<instance_id>

  3. At the prompt, enter the command below, substituting <sso_password> with the single sign-on password:

    PasswordCache <sso_password> list

    For example, if your single sign-on password is mySsoPwd, the command would look like this:

    PasswordCache mySsoPwd list

    In response, you should see something similar to this:

    ----- Password Cache -----

    Internal LDAP Database : myIdbPwd
    Internal Key Storage Token : myTokenPwd
    LDAP Publishing: myLdapPubPwd
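
Because list prints every cached password in clear text, the following added example (not part of the iPlanet documentation) audits the cache by entry name only: it parses list output in the format shown above and reports which expected names are missing. The function names and the audit_cache wrapper are hypothetical, and the wrapper assumes PasswordCache can be invoked from the instance directory as shown in this chapter.

```shell
#!/bin/sh
# Added example, not from the iPlanet documentation.

# Sample `list` output, copied from the example in this chapter.
SAMPLE_LIST_OUTPUT='----- Password Cache -----

Internal LDAP Database : myIdbPwd
Internal Key Storage Token : myTokenPwd
LDAP Publishing: myLdapPubPwd'

# Read `list` output on stdin and print only the entry names.
# Splitting at the first colon keeps a colon inside a password from leaking it.
cache_entry_names() {
    sed -n 's/^[[:space:]]*\([^:]*[^:[:space:]]\)[[:space:]]*:.*$/\1/p'
}

# $1 holds the expected entry names, one per line (the bindPWPrompt and
# tokenname values from the CMS configuration). Prints each name missing from
# the `list` output on stdin; returns 1 if any are missing.
missing_entries() {
    names=$(cache_entry_names)
    status=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        if ! printf '%s\n' "$names" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            status=1
        fi
    done <<EOF
$1
EOF
    return "$status"
}

# Hypothetical wrapper: $1 is <server_root>/cert-<instance_id>, $2 the expected
# names. Prompts for the single sign-on password with echo off, so it stays out
# of shell history and off the screen. The utility's syntax still takes it as
# an argument, so it is visible in the process list while the command runs.
audit_cache() {
    printf 'Single sign-on password: ' >&2
    stty -echo; IFS= read -r sso; stty echo; printf '\n' >&2
    ( cd "$1" && PasswordCache "$sso" list ) | missing_entries "$2"
}
```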


Adding a New Entry to the Password Cache

To add a new entry to the cache:

  1. Open a command window.

  2. Go to this directory: <server_root>/cert-<instance_id>

  3. At the prompt, enter the command below, substituting <sso_password> with the single sign-on password, <password_name> with a string describing the password usage, and <password> with the actual password:

    PasswordCache <sso_password> add <password_name> <password>

    For example, if your single sign-on password is mySsoPwd, the string describing the password usage is Bind Password for LDAP Publishing Directory, and the password is myLdapPubPwd, the command would look like this:

    PasswordCache mySsoPwd add "Bind Password for LDAP Publishing Directory" myLdapPubPwd

    If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.


Changing the Password of an Entry in the Password Cache

To change the password associated with an entry in the password cache:

  1. Open a command window.

  2. Go to this directory: <server_root>/cert-<instance_id>

  3. At the prompt, enter the command below, substituting <sso_password> with the single sign-on password, <password_name> with the string that describes the password usage, and <password> with the new password:

    PasswordCache <sso_password> change <password_name> <password>

    For example, if your single sign-on password is mySsoPwd, the string describing the password usage is Bind Password for LDAP Publishing Directory, and the new password is myNewLdapPubPwd, the command would look like this:

    PasswordCache mySsoPwd change "Bind Password for LDAP Publishing Directory" myNewLdapPubPwd

    If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.


Deleting an Entry From the Password Cache

To delete an entry from the cache:

  1. Open a command window.

  2. Go to this directory: <server_root>/cert-<instance_id>

  3. At the prompt, enter the command below, substituting <sso_password> with the single sign-on password and <password_name> with the string that describes the password usage:

    PasswordCache <sso_password> delete <password_name>

    For example, if your single sign-on password is mySsoPwd and the string describing the password usage is Bind Password for LDAP Publishing Directory, the command would look like this:

    PasswordCache mySsoPwd delete "Bind Password for LDAP Publishing Directory"

    If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.


Creating a New Password Cache

If you have changed CMS startup so that the server prompts for all the required passwords, instead of just the single sign-on password, and want to revert to starting the server with a single sign-on password, you must create a new password cache. Before creating a new password cache, decide on the single sign-on password to protect the cache.

To create a new, empty password cache:

  1. Open a command window.

  2. Go to this directory: <server_root>/cert-<instance_id>

  3. At the prompt, enter the command below, substituting <sso_password> with a password to protect the cache:

    PasswordCache <sso_password> create

    For example, if the password you want to use to protect the single sign-on cache is mySsoPwd, the command would look like this:

    PasswordCache mySsoPwd create


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002