System Passwords; Protecting The Password.conf File - Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual

Chapter 3. Administrative Basics
If the procedure is successful, the command prints the following:
pk12util: PKCS12 IMPORT SUCCESSFUL
Start the Console; now, it prompts for a certificate.

3.3. System Passwords

The Certificate System stores the passwords it uses to bind to servers or to unlock tokens at server
startup in a plain text file, password.conf.
Passwords for the internal database and other database-related passwords for optional features are
stored in a plain text file, password.conf, in the subsystem conf/ directory. The passwords stored
within it are used to bind to the various Certificate System services. Since the password.conf file is
in clear text, the passwords can be modified simply through a text editor.
The list of passwords stored in this file includes the following:
• The bind password used by the Certificate System instance to access and update the internal
database.
• The bind password used by the Certificate System instance to access and remove PINs from
the authentication directory, if the Certificate System is configured to remove PINs from the
authentication directory.
• The bind password used by the subsystem to access and update the LDAP directory; this is
required only if the Certificate System instance is configured for publishing certificates and CRLs to
an LDAP-compliant directory.
• For a TPS instance, the bind password used to access and update the token database.
The password.conf file also contains the token passwords needed to open the private keys of the
subsystem.
• For a Certificate Manager, the token password unlocks the private keys for the Certificate Manager's
CA signing, SSL server, subsystem, and OCSP signing certificates.
• For a DRM, the token password unlocks the private keys for the DRM's storage, transport,
subsystem, and SSL server certificates.
• For an OCSP, the token password unlocks the private keys for the OCSP's signing, subsystem, and
SSL server certificates.
• For a TPS, the token password unlocks the private keys for the subsystem and SSL server
certificates.

3.3.1. Protecting the password.conf File

Certificate System centralizes all passwords in a clear-text file, password.conf, in the conf
directory. The default configuration creates and stores all required passwords in this file, which
keeps password management simple and clean and allows the file to be edited in a text editor and
passwords to be manually added, deleted, or modified.
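
A permission audit for this file, as an added example that is not taken from the manual. It assumes the clear-text password.conf should be a regular file accessible only to its owner, inside a conf directory that group and other cannot write to; the function name, the path argument and the optional expected owner are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit a clear-text password.conf for loose permissions.
# Assumed policy: regular file, no group/other access, conf directory not
# writable by group/other. The path is supplied by the caller.

# audit_password_conf FILE [EXPECTED_OWNER]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_password_conf() {
    file=$1
    expected_owner=${2:-}
    findings=0

    # A symlink could point the server at a file someone else controls.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symbolic link"; return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"; return 1
    fi

    # ls -ld prints "-rw------- 1 owner group ..."; characters 5-10 of the
    # mode string are the group and other permission bits.
    mode=$(ls -ld "$file" | awk '{print $1}')
    owner=$(ls -ld "$file" | awk '{print $3}')
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $file mode $mode grants access to group or other"
        findings=1
    fi
    if [ -n "$expected_owner" ] && [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $expected_owner"
        findings=1
    fi

    # A writable directory lets another account replace the file outright.
    dir=$(dirname "$file")
    dir_mode=$(ls -ld "$dir" | awk '{print $1}')
    if [ "$(printf '%s' "$dir_mode" | cut -c6,9)" != "--" ]; then
        echo "FAIL: directory $dir ($dir_mode) is writable by group or other"
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK: $file"
    return "$findings"
}

# Run the audit when the script is given a path (and optionally an owner).
if [ "$#" -gt 0 ]; then audit_password_conf "$@"; fi
```
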