[AIX Solaris HP-UX Linux Windows]

Managing the database password using the command line

This topic describes passwords for key databases. A key database is used to store public keys that are used for secure connections.

About this task

When you create a new key database, you specify a key database password. This password protects the private key. The private key is the only key that can sign documents or decrypt messages that are encrypted with the public key. Changing the key database password frequently is a good practice.

Use the following guidelines when specifying the password:
  • The password must come from the U.S. English character set.
  • The password must contain at least six characters and contain at least two nonconsecutive numbers. Make sure that the password does not consist of publicly obtainable information about you, such as the initials and birth date for you, your spouse, or children.
  • Stash the password.


  • Change the password for a key database using the gskcmd command-line interface. Enter the following command as one line:
    install_root/bin/gskcmd -keydb -changepw -db filename 
    [-pw password | -stashed] -new_pw new_password -stash
    • -db filename is the name of the database.
    • -changepw changes the password.
    • -keydb specifies that the command is for the key database.
    • -new_pw new_password is the new key database password. This password must be different from the old password and cannot be a NULL string.
    • -pw password is the password to access the key database.
    • -stashed indicates that the password for the key database should be recovered from the stash file.
    • -stash stashes the password for the key database. This parameter is only valid for CMS key databases. Stashing the password is required for IBM® HTTP Server.
  • Change the password using the GSKCapiCmd tool.
    GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing IBM Global Security Kit (GSKit) Java™ command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
    install_root/bin/gskcapicmd -keydb -changepw 
    -db name [-crypto module_name -tokenlabel token_label]
    [-pw password | -stashed] -new_pw new_password [-stash] [-fips] [-strong]


The key database now accepts the new password.
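
The gskcmd password change above, wrapped in a shell script that first checks the new password against the guidelines on this page. This is an added example, not IBM code: it assumes that "U.S. English character set" means printable ASCII and that "two nonconsecutive numbers" means two digits separated by at least one non-digit, and GSKCMD is a hypothetical variable for the path to gskcmd.

```shell
#!/bin/sh
# Added example (not IBM code). Assumptions: "U.S. English character set" =
# printable ASCII; "two nonconsecutive numbers" = two digits separated by at
# least one non-digit; GSKCMD is a hypothetical override for the gskcmd path.

# check_new_pw NEW [OLD]: return 0 if NEW meets the guidelines, else say why.
check_new_pw() {
    new=$1 old=${2-}
    [ -n "$new" ] || { echo "new password is empty" >&2; return 1; }
    [ "$new" != "$old" ] || { echo "same as old password" >&2; return 1; }
    [ "${#new}" -ge 6 ] || { echo "fewer than six characters" >&2; return 1; }
    # Bytes left after deleting printable ASCII are outside the allowed set.
    extra=$(printf '%s' "$new" | LC_ALL=C tr -d ' -~' | wc -c)
    [ "$extra" -eq 0 ] || { echo "character outside ASCII" >&2; return 1; }
    case $new in
        *[0-9]*[!0-9]*[0-9]*) return 0 ;;
        *) echo "needs two nonconsecutive digits" >&2; return 1 ;;
    esac
}

# rotate_keydb_pw DB NEW: validate, then run the -changepw command shown above.
# -stashed reads the current password from the stash file, so only the new
# password appears in the process argument list; -stash re-stashes it.
rotate_keydb_pw() {
    db=$1 new=$2
    check_new_pw "$new" || return 1
    "${GSKCMD:-install_root/bin/gskcmd}" -keydb -changepw -db "$db" \
        -stashed -new_pw "$new" -stash
}

# Usage: sh rotate_keydb_pw.sh key.kdb   (prompts without echoing the input)
if [ "$#" -eq 1 ]; then
    printf 'New key database password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    rotate_keydb_pw "$1" "$pw"
fi
```

Because the page's syntax takes the new password as the -new_pw argument, it is visible in the process list while gskcmd runs; prompting for it at least keeps it out of shell history.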