For more information on using certutil, pk12util, and other NSS security tools, see NSS
Security Tools at
http://www.mozilla.org/projects/security/pki/nss/tools .
Managing Security of Passwords
In the Enterprise Server, the le domain.xml, which contains the specications for a particular
domain, initially contains the password of the Message Queue broker in clear text. The element
in the domain.xml le that contains this password is the admin-password attribute of the
jms-host element. Because this password is not changeable at installation time, it is not a
signicant security impact.
However, use the Admin Console to add users and resources and assign passwords to these
users and resources. Some of these passwords are written to the domain.xml le in clear text, for
example, passwords for accessing a database. Having these passwords in clear text in the
domain.xml le can present a security hazard. You can encrypt any password in domain.xml,
including the admin-password attribute or a database password. Instructions for managing the
security passwords is included in the following topics:
■
“Encrypting a Password in the domain.xml File” on page 99
■
“Protecting Files with Encoded Passwords” on page 100
■
“Changing the Master Password” on page 100
■
“Working with the Master Password and Keystores” on page 101
■
“Changing the Admin Password” on page 101
Encrypting a Password in the domain.xml File
To encrypt a password in the domain.xml le. Follow these steps:
1. From the directory where the domain.xml le resides (domain-dir/config by default), run
the following asadmin command:
asadmin create-password-alias --user admin alias-name
For example,
asadmin create-password-alias --user admin jms-password
A password prompt appears (admin in this case). Refer to the man pages for the
create-password-alias, list-password-aliases, delete-password-alias commands
for more information.
2. Remove and replace the password in domain.xml. This is accomplished using the asadmin
set command. An example of using the set command for this purpose is as follows:
asadmin set --user admin server.jms-service.jms-host.
default_JMS_host.admin-password=’${ALIAS=jms-password}’
ManagingSecurityofPasswords
Chapter9 • ConguringSecurity 99