During CMS installation, the installation program creates a password cache which the CMS watchdog uses to store all the passwords required by the server during start up (see "Required Start-up Information"). For example, when you specify the cryptographic token password and the bind password for the internal directory during installation, the watchdog adds these passwords into the password cache; similarly, when you configure the server for LDAP publishing from Netscape Console, the watchdog adds the corresponding password to the cache.
The password cache is maintained in a triple-DES encrypted file named pwcache.p12, which is located here:
<server_root>/cert-<instance_id>/config
The file is protected using the single sign-on password you specify during installation. In the cache, passwords are stored along with a name, a string describing the usage of the password, which is used by Certificate Management System to index into the cache. For example, the contents of the password cache could look like this:
----- Password Cache -----
Internal LDAP Database : myIdbPwd
Internal Key Storage Token : myTokenPwd
Authentication : myPinAuthPwd
LDAP Publishing : myLdapPubPwd
Note that in the above example
Other entries may appear in the password cache. For example, if you set up PIN-based authentication with the remove PIN option, you will see an entry for the password Certificate Management System uses to bind to the authentication directory to remove a PIN after a user successfully authenticates; for details, see Table 10.3. Similarly, if you enable LDAP publishing with basic authentication, you will also see an entry for the password Certificate Management System will use to bind to the publishing directory; for details, see "Step 5. Identify the Publishing Directory".
Except for the string Internal LDAP Database, you can change any of the above prompts by modifying the corresponding value in the configuration file and then replacing the current entry in the password cache (delete the old entry, then add an entry with the new prompt and the password) using the PasswordCache utility explained in "Password Cache Utility".
When various modules in the server, such as authentication and LDAP publishing, initialize, they query the password cache for the password. The password cache returns the password if it has it, or else it prompts the user for one. Note that this prompting happens only at server startup time, which means whenever you change any of the required passwords or provide new passwords, you must restart the server from the command-line (see "Starting From the Command Line") so that the watchdog can prompt you for the new passwords in order to update the cache.
Password Cache Utility
Certificate Management System comes with a command-line utility named PasswordCache for manipulating the contents of the password cache. You will be required to manipulate the password cache for various reasons. For example, assume you've enabled LDAP publishing and have configured Certificate Management System to bind to the directory with Directory Manager's DN and password. If the directory administrator changes the Directory Manager's password, Certificate Management System will fail to bind to the directory during startup. You can resolve this problem by modifying the corresponding bind password in the cache using the PasswordCache utility.
Locating the PasswordCache Utility
The PasswordCache utility is located with the rest of the command-line tools here: <server_root>/bin/cert/tools
Note
You must run the PasswordCache utility from the <server_root>/cert-<instance_id> directory.
Syntax
You can run the utility by executing the following command from the <server_root>/cert-<instance_id> directory:
PasswordCache <sso_password> <command>
Managing the Password Cache
You can use the PasswordCache utility for the following:
Note
The server queries the password cache only during startup, and hence recognizes the changes you've made to the cache only if you restart the server from the command line. If you left any of the passwords blank, the server will prompt you to enter that password during startup and from then on stores it in the password cache.
Changing the Single Sign-On Password
To change the single sign-on password:
Open a command window.
Go to this directory: <server_root>/cert-<instance_id>
At the prompt, enter the command below, substituting <sso_password> with the single sign-on password and <new_sso_password> with the new single sign-on password.
PasswordCache <sso_password> changesso <new_sso_password>
For example, if your old password is mySsoPwd and new password is myNewSsoPwd, the command would look like this:
PasswordCache mySsoPwd changesso myNewSsoPwd
Listing the Contents of the Password Cache
To list or view the contents of the password cache:
Open a command window.
Go to this directory: <server_root>/cert-<instance_id>
At the prompt, enter the command below, substituting <sso_password> with the single sign-on password:
PasswordCache <sso_password> list
For example, if your single sign-on password is mySsoPwd, the command would look like this:
PasswordCache mySsoPwd list
In response, you should see something similar to this:
----- Password Cache -----
Internal LDAP Database : myIdbPwd
Internal Key Storage Token : myTokenPwd
LDAP Publishing : myLdapPubPwd
Adding a New Entry to the Password Cache
To add a new entry to the cache:
Open a command window.
Go to this directory: <server_root>/cert-<instance_id>
At the prompt, enter the command below, substituting <sso_password> with the single sign-on password, <password_name> with a string describing the password usage, and <password> with the actual password:
PasswordCache <sso_password> add <password_name> <password>
For example, if your single sign-on password is mySsoPwd, the string describing the password usage is Bind Password for LDAP Publishing Directory, and password is myLdapPubPwd, the command would look like this:
PasswordCache mySsoPwd add "Bind Password for LDAP Publishing Directory" myLdapPubPwd
If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.
Changing the Password of an Entry in the Password Cache
To change the password associated with an entry in the password cache:
Open a command window.
Go to this directory: <server_root>/cert-<instance_id>
At the prompt, enter the command below, substituting <sso_password> with the single sign-on password, <password_name> with the string that describes the password usage, and <password> with the new password:
PasswordCache <sso_password> change <password_name> <password>
For example, if your single sign-on password is mySsoPwd, the string describing the password usage is Bind Password for LDAP Publishing Directory, and the new password is myNewLdapPubPwd, the command would look like this:
PasswordCache mySsoPwd change "Bind Password for LDAP Publishing Directory" myNewLdapPubPwd
If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.
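The following shell script is an added example and is not part of the Certificate Management System documentation or of the PasswordCache utility itself. It wraps the "list" and "change" commands described above: it parses the "<name> : <password>" lines that "list" prints, checks that every entry the server will need at startup is present (so a blank or forgotten entry is caught before you restart the server), and rotates one entry's password only after confirming that the entry name exists, with the name passed as a single double-quoted argument so spaces are preserved. It assumes the utility is invoked as ./PasswordCache from the <server_root>/cert-<instance_id> directory (override with the PWCACHE_CMD environment variable) and that "list" output keeps the line format shown in this section; the entry names and passwords in the example run are the constructed values used throughout this section.

```shell
#!/bin/sh
# Added example, not CMS code: a pre-restart check and a guarded password
# rotation built on the PasswordCache utility's "list" and "change" commands.
# Assumption: PWCACHE_CMD names the utility (default ./PasswordCache, i.e. the
# script is run from <server_root>/cert-<instance_id>).
PWCACHE_CMD="${PWCACHE_CMD:-./PasswordCache}"

# Read "list" output on stdin and print only the entry names, one per line.
# The banner line is skipped; each remaining line is split at the first ":"
# (with or without a space before it) and trailing spaces are trimmed.
cache_entry_names() {
    awk -F': ' '/^-----/ {next} NF >= 2 { name=$1; sub(/ *$/, "", name); print name }'
}

# missing_entries "<list output>" NAME...
# Prints every NAME that has no entry in the listing; returns 0 if none are
# missing, 1 otherwise.
missing_entries() {
    listing=$1; shift
    names=$(printf '%s\n' "$listing" | cache_entry_names)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$names" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# preflight_check <sso_password> NAME...
# The server prompts at startup for any required password that is not in the
# cache, so confirm the required entries are there before restarting it.
preflight_check() {
    sso=$1; shift
    listing=$("$PWCACHE_CMD" "$sso" list) || return 1
    missing_entries "$listing" "$@"
}

# rotate_entry <sso_password> "<entry name>" <new_password>
# Refuses to run "change" unless the entry already exists, so a typo in the
# name is reported instead of silently leaving the old entry untouched.
rotate_entry() {
    sso=$1; name=$2; newpw=$3
    listing=$("$PWCACHE_CMD" "$sso" list) || return 1
    missing_entries "$listing" "$name" >/dev/null || {
        echo "rotate_entry: no entry named '$name' in the password cache" >&2
        return 1
    }
    # Quoting "$name" keeps a name with spaces as one argument to the utility.
    "$PWCACHE_CMD" "$sso" change "$name" "$newpw"
}

# Example run (constructed values; only executes when RUN_EXAMPLE is set so
# the file can be sourced or tested without the utility present).
if [ -n "${RUN_EXAMPLE:-}" ]; then
    preflight_check mySsoPwd "Internal LDAP Database" "Internal Key Storage Token" "LDAP Publishing"
    rotate_entry mySsoPwd "LDAP Publishing" myNewLdapPubPwd
fi
```

After a successful rotate_entry the server still has to be restarted from the command line, as the note above says, because the running server read the cache only at startup.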
Deleting an Entry From the Password Cache
To delete an entry from the cache:
Open a command window.
Go to this directory: <server_root>/cert-<instance_id>
At the prompt, enter the command below, substituting <sso_password> with the single sign-on password and <password_name> with the string that describes the password usage:
PasswordCache <sso_password> delete <password_name>
For example, if your single sign-on password is mySsoPwd and the string describing the password usage is Bind Password for LDAP Publishing Directory, the command would look like this:
PasswordCache mySsoPwd delete "Bind Password for LDAP Publishing Directory"
If the password name string includes spaces, be sure to enclose the string in double quotes as indicated in the above example.
Creating a New Password Cache
If you have changed CMS startup so that the server prompts for all the required passwords instead of just the single sign-on password, and want to revert to starting the server with a single sign-on password, you must create a new password cache. Before creating a new password cache, decide on the single sign-on password that will protect the cache.
To create a new, empty password cache:
Open a command window.
Go to this directory: <server_root>/cert-<instance_id>
At the prompt, enter the command below, substituting <sso_password> with a password to protect the cache:
PasswordCache <sso_password> create
For example, if the password you want to use to protect the single sign-on cache is mySsoPwd, the command would look like this:
PasswordCache mySsoPwd create