idsgendirksf

Use the idsgendirksf command to regenerate a key stash file for a directory server instance.

Description

The idsgendirksf command uses the encryption seed and salt values of an instance to regenerate the key stash file for that instance. The encryption seed is the seed value that you supplied when you created the instance. The encryption salt value can be obtained by searching the cn=crypto,cn=localhost entry in the instance; the attribute that holds the salt value is ibm-slapdCryptoSalt. The encryption seed and salt values are used to regenerate the ibmslapddir.ksf file for the instance.

If you use characters that have special meaning to the shell program in the encryption seed or salt, then you must use the escape character before such characters. To determine the acceptable character set for encryption seed and salt values, see ASCII characters from 33 to 126.

For example, on AIX®, if you use the ` character for the salt value by using the -s parameter, you must precede the ` character with the \ character.

On AIX, Linux®, and Solaris systems, after you run the idsgendirksf command, the ownership of the ibmslapddir.ksf file is root:system. You must change the ownership of this file to the directory server instance owner and group (instance_owner:instance_owner_group).

Synopsis

 idsgendirksf [-s salt [-e encrypt_seed] -l location
              [-d debug_level] [-b output_file] [-q] [-n]] | -v | -?

Options

The idsgendirksf command takes the following parameters.
-b output_file
Specifies the full path of a file to redirect console output. If you use this parameter with the -q parameter, errors are sent to the output_file file. If debug mode is set, then the debug output is sent to this file.
-d debug_level
Sets the LDAP debug level to debug_level. If you specify this parameter, the command sends the debug output to stdout. The debug_level value is a bit mask that controls which output is generated with values from 1 to 65535. For more information about debug levels, see Debugging levels.
-e ? | encrypt_seed
Specifies the encryption seed value that was used to create the directory key stash file of the server. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126. The encryption seed must be a minimum of 12 and a maximum of 1016 characters in length. For more information about acceptable characters, see ASCII characters from 33 to 126. To generate a password prompt, use ?. The password prompt prevents your encryption seed from being visible through the ps command.
-l location
Specifies the location to create the directory key stash file.
-n
Specifies to run in no prompt mode. All output from the command is generated, except for messages that require user interaction.
-q
Specifies to run in quiet mode. All output from the command is suppressed, except for error messages. If you also specify the -d parameter, then the trace output is not suppressed.
-s encryption_salt
Specifies the encryption salt value that is used to create the directory key stash file. The encryption salt value can be obtained by searching the cn=crypto,cn=localhost entry in the instance. The attribute that holds the salt value is ibm-slapdCryptoSalt.
-v
Specifies to show the version information of the command.
-?
Specifies to show the syntax help.

Examples

Example 1:
To regenerate the key stash file for the directory server instance myinst, run the following command:
idsgendirksf -e mysecretseed -s mysecretsaltvalue -l /home/mydir/tmp
After you generate the key stash file, copy the ibmslapddir.ksf file to the idsslapd-myinst/etc directory.
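The following script is an added example, not IBM's own code, that ties the steps above together: it reads ibm-slapdCryptoSalt from the cn=crypto,cn=localhost search output, checks the seed and salt against the documented ASCII 33 to 126 character set and the 12 to 1016 seed length, passes the salt quoted so that shell-special characters such as ` need no manual escaping, and fixes the ownership of ibmslapddir.ksf afterwards. The owner name myinst, the group idsldap and the LDIF text are constructed placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumes ldapsearch and idsgendirksf are on
# PATH and that the instance owner/group are myinst:idsldap (placeholders).
LC_ALL=C; export LC_ALL

# Pull ibm-slapdCryptoSalt out of LDIF text, such as the output of
#   ldapsearch -s base -b cn=crypto,cn=localhost objectclass=* ibm-slapdCryptoSalt
salt_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^ibm-slapdCryptoSalt: //p' | head -n 1
}

# Accept only printable ASCII 33..126: no spaces, tabs or control characters.
printable_ascii() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!!-~]*) return 1 ;;
    esac
    return 0
}

# A seed must be 12..1016 characters drawn from the same character set.
valid_seed() {
    printable_ascii "$1" || return 1
    [ "${#1}" -ge 12 ] && [ "${#1}" -le 1016 ]
}

# Regenerate the stash file, then set the ownership the doc requires on
# AIX/Linux/Solaris. Quoting "$salt" avoids backslash-escaping ` or $ by hand.
regenerate_ksf() {
    salt=$1; location=$2; owner=$3; group=$4
    printable_ascii "$salt" || { echo "salt has characters outside ASCII 33-126" >&2; return 1; }
    # -e ? makes the command prompt for the seed so it never shows up in ps output.
    idsgendirksf -e '?' -s "$salt" -l "$location" || return 1
    chown "$owner:$group" "$location/ibmslapddir.ksf"
}

# Constructed sample of what ldapsearch prints for the crypto entry.
SAMPLE_LDIF='dn: cn=crypto,cn=localhost
objectclass: top
ibm-slapdCryptoSalt: a7`Q$x%Zp!2k'

# Only perform the real regeneration when invoked as: sh script.sh run
if [ "${1:-}" = run ]; then
    regenerate_ksf "$(salt_from_ldif "$SAMPLE_LDIF")" /home/mydir/tmp myinst idsldap
fi
```

After the script runs, copy the regenerated ibmslapddir.ksf into the idsslapd-myinst/etc directory as described in the example above.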