Chapter 12. Editing Configuration in the CS.cfg File
NOTE
If the password.conf file is present, the subsystem assumes that all the required
passwords are present and properly formatted in clear text. If any passwords are missing
or wrongly formatted, then the system will not start.
For the CA, DRM, OCSP, and TKS subsystems, the expected passwords are:
• internal for the NSS database
• internaldb for the internal LDAP database
• replicationdb for the replication password
• any passwords to access external LDAP databases for publishing (CA only)
NOTE
If a publisher is configured after the password.conf file is removed, nothing is
written to the password.conf file. The server simply prompts for the new publishing
password the next time that the instance restarts.
• any external hardware token passwords
For the TPS, this prompts for three passwords:
• internal for the NSS database
• tokendbpass for the internal LDAP database
• any external hardware token passwords
All of the passwords that the subsystem prompts for when the instance starts are listed in the
cms.passwordlist parameter in the CS.cfg file for the instance.
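The following pre-restart check is an added example, not code from Certificate System. It verifies that a password.conf file contains every entry listed above for the subsystem type, plus any names found in cms.passwordlist. It assumes password.conf holds one name=value pair per line and that cms.passwordlist is a comma-separated list; the sample values and the name example-publisher are constructed.

```python
# Entries this section says each subsystem expects in password.conf.
_COMMON = ("internal", "internaldb", "replicationdb")
REQUIRED = {"ca": _COMMON, "drm": _COMMON, "ocsp": _COMMON, "tks": _COMMON,
            "tps": ("internal", "tokendbpass")}

def parse_password_conf(text):
    """Parse name=value lines (assumed layout); a line without '=' maps to None."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        entries[name.strip()] = value if sep else None
    return entries

def passwordlist_from_cs_cfg(text):
    """Return the names in cms.passwordlist (assumed to be comma-separated)."""
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "cms.passwordlist":
            return [n.strip() for n in value.split(",") if n.strip()]
    return []

def check_password_conf(conf_text, subsystem, cs_cfg_text=""):
    """Return a list of problems; an empty list means every expected entry is present."""
    entries = parse_password_conf(conf_text)
    expected = list(REQUIRED[subsystem])
    for name in passwordlist_from_cs_cfg(cs_cfg_text):
        if name not in expected:
            expected.append(name)
    problems = []
    for name in expected:
        if name not in entries:
            problems.append(f"missing entry: {name}")
        elif not entries[name]:
            problems.append(f"empty or malformed entry: {name}")
    return problems

if __name__ == "__main__":
    # Constructed sample input, not taken from a real instance.
    conf = "internal=example-nss-pass\ninternaldb=\n"
    cs_cfg = "cms.passwordlist=internaldb,replicationdb,example-publisher\n"
    for problem in check_password_conf(conf, "ca", cs_cfg):
        print(problem)
```

Running the check before a restart shows which entry would keep the instance from starting, without printing any password value.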
12.3.3.1. Configuring New Instances to Prompt for Passwords
To configure subsystem password prompts for a new CA, DRM, OCSP, or TKS instance, simply
remove the password.conf file in the /var/lib/subsystem_name/conf directory.
For the TPS:
1. Remove the password.conf file.
2. Edit the nss.conf file to change the NSSPassPhraseDialog from the password file to
builtin.
... original ...
NSSPassPhraseDialog defer:/var/lib/pki-tps/conf/password.conf
... updates ...
# commenting out this line to enable password prompts
# NSSPassPhraseDialog defer:/var/lib/pki-tps/conf/password.conf