Sun Java System Web Server 6.1 SP9 Administrator's Guide

Using password.conf

By default, the web server prompts the administrator for the key database password before starting. If you want to be able to restart an unattended web server, you need to save the password in a password.conf file. Only do this if your system is adequately protected so that this file and the key databases are not compromised.

Normally, you cannot start an UNIX SSL-enabled server with the /etc/rc.local or the /etc/inittab files because the server requires a password before starting. Although you can start an SSL-enabled server automatically if you store the password in plain-text format in a file, this is not recommended. The server’s password.conf file should be owned by root or the user who installed the server, allowing only the owner to have read and write access to the file.

On UNIX platform, leaving the SSL-enabled server’s password in the password.conf file is a large security risk. Anyone who can access the file has access to the SSL-enabled server’s password. Consider the security risks before keeping the SSL-enabled server’s password in the password.conf file.

If you have an NTFS file system on a windows, you should protect the directory that contains the password.conf file by restricting its access, even if you do not use the file. The directory should have read/write permissions for the administration server and the web server users. Protecting the directory prevents others from creating a false password.conf file. You cannot protect directories or files on FAT file systems by restricting access to them.

ProcedureTo start an SSL-enabled server automatically

If security risks are not a concern for you, follow these steps to start your SSL-enabled server automatically:

  1. Make sure SSL is activated.

  2. Create a new password.conf file in the config subdirectory of the server instance.

    • If you are using the internal PKCS#11 software encryption module that is provided with the server, enter the following information:


      • If you are using a different PKCS#11 module (for hardware encryption or hardware accelerators), specify the name of the PKCS#11 module, followed by the password. For example:


  3. Stop and restart your server for the new setting to take effect.

    You will always be prompted to supply a password when starting the web server, even after the password.conf file has been created.