However, storing passwords in clear text can be dangerous. Setting proper file permissions protects
this file. Alternatively, the password.conf file can be bypassed by doing the following:
1. Back up the password.conf file.
2. Remove the password.conf file.
     rm password.conf
3. Create a pipe corresponding to password.conf.
     mkfifo password.conf
4. With the password.conf pipe, start the subsystem instance.
   a. Run the standard start script. For example:
        /etc/init.d/rhpki-ca start
   b. Monitor the Tomcat web server log file, catalina.out, and the debug log. For example:
        tail -f /var/lib/rhpki-ca/logs/catalina.out /var/lib/rhpki-ca/logs/debug
      The server process hangs as it restarts because it is waiting for input from the default
      password.conf file.
   c. Redirect the password to the password.conf pipe. Assuming that the backup file for
      password.conf is called password.bak, run cat password.bak > password.conf.
      Repeat this command until the server is fully started; this is apparent in the debug log.
This process still uses a clear text password file, password.bak, but it moves the password store
outside the Certificate System instance, so the store can be kept anywhere, such as on a smart card.
All that is required is a utility that can reconstruct the original password file. For example, this
process uses the zip tool to protect the password file:
1. Zip and password-protect the password.conf file using zip:
     zip -e secret.zip password.conf
2. Delete the password.conf file, and create a pipe called password.conf.
3. Run the regular start script.
4. Monitor the Tomcat web server log, catalina.out, and the debug log.
5. Provide the passwords to the subsystem instance by running the following:
     unzip -c secret.zip password.conf > password.conf
This is a simple and very flexible way to protect the clear text password file while still allowing
passwords to be managed easily through a text editor.
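The pipe hand-off from the two procedures above, as an added shell example that is not part of the Certificate System manual. It runs entirely in a scratch directory that stands in for the instance directory, and a small function stands in for the rhpki-ca start script: it opens password.conf a given number of times, the way a server that re-reads its password store during start-up would, so the operator side has to feed the pipe once per read (the manual's "repeat this command until the server is fully started"). The password.conf contents are constructed sample data; the zip variant only changes what is written into the pipe and is not repeated here.

```shell
#!/bin/sh
# Added example, not from the Certificate System manual. Simulates replacing
# password.conf with a FIFO and feeding it from a backup; nothing here touches
# a real instance.

# Create a scratch "instance directory" holding a constructed password.conf.
make_scratch_instance() {
  dir=$(mktemp -d) || return 1
  # Constructed sample content; a real file holds "<token>=<password>" lines.
  printf 'internal=constructed-sample-password\n' > "$dir/password.conf"
  chmod 600 "$dir/password.conf"   # the manual's first advice: owner-only access
  echo "$dir"
}

# Returns 0 when the path is readable and writable only by its owner (mode 600),
# whether it is a regular file ("-rw-------") or a pipe ("prw-------").
is_owner_only() {
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || [ "$mode" = "prw-------" ]
}

# Stand-in for the subsystem instance: opens password.conf $2 times, as a server
# re-reading its password store during start-up would, and records what it read.
# Each round is announced with a marker file so the operator side can wait for it.
simulated_subsystem() {
  dir=$1; rounds=$2
  i=1
  while [ "$i" -le "$rounds" ]; do
    touch "$dir/round.$i"                        # "about to open password.conf"
    cat "$dir/password.conf" >> "$dir/received.txt"
    i=$((i + 1))
  done
}

# Operator side of step 4c: "cat password.bak > password.conf", once per server
# read. Waiting for the marker keeps the hand-off deterministic: a write is only
# issued after the previous read has completed and the pipe has been closed.
feed_pipe() {
  dir=$1; rounds=$2
  i=1
  while [ "$i" -le "$rounds" ]; do
    while [ ! -e "$dir/round.$i" ]; do sleep 1; done
    cat "$dir/password.bak" > "$dir/password.conf"
    i=$((i + 1))
  done
}

# The whole procedure: back up, remove, replace with a pipe, start the (simulated)
# instance, feed the pipe. Prints how many password lines the instance received.
demo_fifo_handoff() {
  rounds=${1:-2}
  dir=$(make_scratch_instance) || return 1
  cp "$dir/password.conf" "$dir/password.bak"   # step 1: back up
  rm "$dir/password.conf"                        # step 2: remove the file
  mkfifo -m 600 "$dir/password.conf"             # step 3: pipe, owner-only
  simulated_subsystem "$dir" "$rounds" &         # step 4a: start the instance
  feed_pipe "$dir" "$rounds"                     # step 4c: redirect the password
  wait
  grep -c 'internal=' "$dir/received.txt"        # one line per server read
  rm -rf "$dir"
}

demo_fifo_handoff 2
```

Two points the simulation makes visible. First, a FIFO is opened and drained per reader, so every time the starting server opens password.conf the operator must write into the pipe again; writing before the server has reopened simply blocks the cat, which is why the manual says to repeat the command and watch the debug log. Second, the pipe is created with mkfifo -m 600 rather than the default mode: a pipe that other local users can open could let them read the password off it before the server does, or write a different password into it, so the same owner-only permissions recommended for the regular file apply to the pipe.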
Protecting the password.conf File