Using a certificate key store to securely store and access passwords from scripts

Updated 4/11/13, 11:52 AM by NikolaVouk

If you are scripting commands to tacmd or any other program that requires a password to log in, it is better to keep the password on disk in a cryptographic store, outside of your program, than to hard-code it in the script.


Sample script for storing data in the key store and retrieving it again

#!/bin/bash

cd /opt/IBM/ITM/bin

# The easiest way to get the proper paths is to use the environment of
# the agents. Choose any agent code that is installed in your environment.
# "head -n 1" guards against find returning more than one match.

export GSK7BIN=`find .. -name gsk7capicmd_64 | head -n 1`
export GSK7BINFILE=${GSK7BIN##*/}

export GSK7LIBS=`find .. -name lib64 | head -n 1`
export GSK7LIBFILE=${GSK7LIBS##*/}

export GSK7BINPATH=${GSK7BIN%$GSK7BINFILE}

#export GSK7LIBPATH=${GSK7LIBS%$GSK7LIBFILE}
export GSK7LIBPATH=$GSK7LIBS

# Library search paths are prepended to the existing library paths,
# and the GSKit binary directory to PATH.
export LIBPATH=$GSK7LIBPATH:$LIBPATH
export LD_LIBRARY_PATH=$GSK7LIBPATH:$LD_LIBRARY_PATH
export PATH=$GSK7BINPATH:$PATH

# echo $LIBPATH
# echo $PATH

# Change this password to something better and more random
# export CAPASSWORD=ABCDEFG

# Let GSKit generate a strong random store password, base64-encode it
# and keep the first 14 characters.
export CAPASSWORD=`${GSK7BIN} -random -create -length 14 -strong -fips | perl -MMIME::Base64 -ne 'print encode_base64($_)' | cut -c1-14`

/bin/rm -f ./Store.*

${GSK7BIN} -keydb -create -db ./Store.kdb -pw "${CAPASSWORD}" -expire 3650 -fips

# Newline is the array delimiter
IFS=$'\n'

# The default trusted CA certificates are listed with a "!<tab>" prefix;
# strip the prefix to get the bare labels.
CERTLIST=(`${GSK7BIN} -cert -list -db ./Store.kdb -pw "${CAPASSWORD}" -fips | grep "^\!" | perl -pe 's/!\t//'`)

element_count=${#CERTLIST[*]}
#echo "There are $element_count elements in the array"

# Clean out the trusted CA certificates
i=0
while [ $i -lt $element_count ]
do
    #echo $i \> Deleting ${CERTLIST[$i]}
    ${GSK7BIN} -cert -delete -db ./Store.kdb -pw "${CAPASSWORD}" -label "${CERTLIST[$i]}" -fips
    # step by 1
    i=$((i+1))
done

# You could use the label to keep the password or embed it as part of the DN;
# here it is embedded as the C= attribute of the DN.
${GSK7BIN} -cert -create -db ./Store.kdb -pw "${CAPASSWORD}" -label "itmca.raleigh.ibm.com" -size 2048 -dn "cn=itmca.raleigh.ibm.com,o=IBM,C=ServerPassword" -default_cert -expire 3695 -ca true -sigalg sha512 -fips

${GSK7BIN} -cert -list -db ./Store.kdb -pw "${CAPASSWORD}" -fips

# Display the certificate authority details
${GSK7BIN} -cert -details -db ./Store.kdb -pw "${CAPASSWORD}" -label "itmca.raleigh.ibm.com" -fips

# Read the password back out of the Issuer DN: the fourth "="-separated
# field of the Issuer line is the C= value.
PASSWORD=`${GSK7BIN} -cert -details -db ./Store.kdb -pw "${CAPASSWORD}" -label "itmca.raleigh.ibm.com" -fips | grep Issuer | cut -d= -f4`

echo Password is $PASSWORD
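The retrieval step above relies on `grep Issuer | cut -d= -f4`, which breaks as soon as the DN attributes are reordered, padded with blanks, or the stored value itself contains an `=`. The following is an added example, not code from the page or from IBM GSKit: it parses the Issuer DN attribute by attribute and gates use of the key database on its file permissions. It does not call gsk7capicmd; `SAMPLE_DETAILS` is a constructed stand-in for the `-cert -details` output, assumed to carry an `Issuer : <dn>` line as the page's grep implies, and `dn_attr`, `password_from_details` and `check_store_perms` are names chosen here.

```shell
#!/bin/bash
# Added example (not from the original page): read the password back out of
# the certificate DN robustly and check the key database's permissions.
# gsk7capicmd is not invoked; SAMPLE_DETAILS is a constructed sample of the
# "-cert -details" output in the shape the page's script expects.

# Constructed sample output. The value Xk9r/Qp2tZ3wL1 is made up, in the
# 14-character base64 shape the page's script generates.
SAMPLE_DETAILS='Label : itmca.raleigh.ibm.com
Key Size : 2048
Version : X509 V3
Issuer : cn=itmca.raleigh.ibm.com,o=IBM,C=Xk9r/Qp2tZ3wL1
Subject : cn=itmca.raleigh.ibm.com,o=IBM,C=Xk9r/Qp2tZ3wL1
Not Before : April 11, 2013 11:52:00 AM EDT'

# dn_attr DN ATTR: print the value of attribute ATTR in a comma-separated DN.
# The attribute type is matched case-insensitively, surrounding blanks are
# ignored, and everything after the first "=" is the value, so a value that
# itself contains "=" survives (cut -d= -f4 would truncate it).
# Returns 1 when the attribute is absent.
dn_attr() {
    printf '%s\n' "$1" | awk -v want="$2" -F',' '
        {
            for (i = 1; i <= NF; i++) {
                pos = index($i, "=")
                if (pos == 0) continue
                type = substr($i, 1, pos - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", type)
                if (tolower(type) == tolower(want)) {
                    found = 1
                    print substr($i, pos + 1)
                    exit
                }
            }
        }
        END { if (!found) exit 1 }'
}

# password_from_details DETAILS: take the Issuer DN from "-cert -details"
# output and return its C= attribute, where the page's script parked the
# password. Only the first Issuer line is used.
password_from_details() {
    local dn
    dn=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Issuer[[:space:]]*:[[:space:]]*//p' | head -n 1)
    [ -n "$dn" ] || return 1
    dn_attr "$dn" C
}

# check_store_perms FILE: succeed only if FILE exists and is neither group-
# nor world-accessible. The DN trick hides the password only from someone
# who cannot open the store, so the .kdb (and any stash file) must be 0600.
check_store_perms() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on the constructed sample; a real script would feed the live output
# of "${GSK7BIN} -cert -details ..." into password_from_details instead.
password_from_details "$SAMPLE_DETAILS"
```

Two things to keep in mind when adopting the page's scheme: the store password `CAPASSWORD` is generated fresh on each run and lives only in that shell's environment, so a later script can reopen `Store.kdb` only if the store password is persisted somewhere it can read (GSKit's `-stash` option on `-keydb -create` writes it to a stash file next to the database), and that stash file is merely obfuscated, not encrypted. The secret is therefore exactly as safe as the file permissions on the `.kdb` and `.sth` files, which is what `check_store_perms` enforces before the password is used.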