Securing the Configuration Files

This section describes the program (pr0pass) used to encrypt passwords for parameters in the configuration files.

If the administrator has set up file permissions as described in Securing the Products, only the owner, members of the group that includes the owner, and the root user can view (read) the configuration files, and only the owner or the root user can update (write) the configuration files.

The user account used to start pr0svce must have read access to the pstserv.cfg file, while the Command Line Utility (pr0cmnd) must have read access to the pstlocal.cfg file. (For details about the configuration files, refer to Pstserv Configuration File and Pstlocal Configuration File for the Command Line Utility.)

Password File

Parameters in both configuration files may include system user ids (i.e., filelogon, webserver, server, and tivoliavail), DBMS logons (i.e., pstdir and dbalias) with passwords. To secure passwords for configuration parameters, you can use an encrypted password file, separate from the configuration files. The pr0pass program maintains the password file, encrypting passwords for parameters in the configuration files.

By default, the password file “pstpass” is created in subdirectory etc of directory PSTHOME. However, you can override the location of the file by providing the full path in the environment variable PSTPASS. Note that “etc/” is catenated to the end of the value provided in PSTPASS, so be sure that subdirectory etc exists under what is specified in the environment variable PSTPASS. (Refer to RTSETENV Shell Script for a description of the PSTPASS environment variable.) Users that can start pr0svce or execute pr0cmnd or pr0coms must have permission to read the password file and users that use pr0pass must be able to write to the password file.

Note: Do not move the password file to another system; to do so will corrupt the file.

To use encrypted passwords:

  • Execute pr0pass from the Command Line to add the passwords. You must be logged on to the Install directory as the owner, as a user within the fenced group, or as the root user.
  • Within the configuration files, specify a question mark (?) for the password to retrieve the password from the password file.

Commands

This section describes the commands you can use with a password file.

The following command line actions are available to help you edit an encrypted password file.

pr0pass -l
List the type, name, and user id for passwords in the file.
pr0pass -h
pr0pass -?
Display the help for the pr0pass program.
pr0pass -a type name userid password
Add a password entry. The password is encrypted until passed to the DBMS or system for validation.
type
A valid password type:
  • filelogon
  • webserver
  • server
  • tivoliavail
  • pstdir
  • dbalias
  • user
Note: "User" is not a parameter in a configuration file; it refers to any system user id. Specify the "user" parameter type for any parameter referring to a system user account.

If type is pstdir, the default "%" indicates any Optim Directory. If type is dbalias, use the form pstdir:dbalias. The default "%" indicates any Optim Directory or DB Alias, as in %:%, pstdir:%, or %:dbalias.

name
The name of the configuration file parameter. Names not associated with other types are system; use "%" for the name value to prevent an error.
userid
The user id is used to verify that the password matches the parameter name. To protect changes to the password file or the configuration file, the two keywords must match.
password
The password that matches the user id.
Note: If you do not enter a password on the Command Line, pr0pass prompts for one.
pr0pass -d type name userid
Delete a password entry.
type
A valid password type:
  • filelogon
  • webserver
  • server
  • tivoliavail
  • pstdir
  • dbalias
  • user
name
The name of the configuration file parameter.
Note: Use the wildcard character "%" as described for adding a password entry.
userid
The user ID used to verify that the password matches the parameter name. To protect changes to the password file or the configuration file, the two keywords must match.

Examples

This section includes examples of using the Add command.

The following examples demonstrate using the Add command for the pr0pass program and indicating encrypted passwords in the configuration file.

  1. To encode the password for the Optim Directory, PSTDIR1, create a password, as follows: 
    pr0pass -a pstdir pstdir1 myuserid mypassword

    In the configuration file for PSTDIR1, specify the password as a question mark (?):

    pstdir pstdir1 Oracle 8.0 schema connectstr * myuserid ?
  2. To encode the password for the DBALIAS, specify both the Optim Directory to which it belongs and the DB Alias name: 
    pr0pass -a dbalias pstdir1:dbalias1 myuserid mypassword

    And in the configuration file, specify:

    dbalias pstdir1 dbalias1 connectstr myuserid ?
  3. To encode a single password for a specific user account to access any Optim Directory or DB Alias, use a percent sign (%) for the name. For example: 
    pr0pass -a pstdir % myuserid mypassword
pr0pass -a dbalias %:% myuserid mypassword

    This example would provide a password for the following parameters in the configuration file:

    pstdir pstdir1 Oracle 8.0 schema connectstr * myuserid ?
pstdir pstdir2 Oracle 8.0 schema connectstr * myuserid ?
dbalias pstdir1 dbalias1 connectstr myuserid ?
dbalias pstdir1 dbalias2 connectstr myuserid ?
dbalias pstdir2 dbalias3 connectstr myuserid ?

    But would not provide a password for these parameters in the configuration file: 

    pstdir pstdir3 Oracle 8.0 schema connectstr * otherid ?
dbalias pstdir1 dbalias3 connectstr * otherid ?

Protecting the Password File

This section describes how to protect the password file.

By default, the owner and the root user have write access to the password file and can use the commands, pr0pass -a or pr0pass -d, to update the password file.

To allow other members of the group to update the password file, you must use the chmod command to change permissions to the password file. For example, the following command adds write permission to the group for the pstpass file.

chmod g+w <installdir>/etc/pstpass

This allows members of the group to maintain passwords for their accounts. However, if members of the group other than the owner have write permission, anyone in the group can delete a password or the password file, at the risk of disabling the product or requiring reentry of all affected passwords.

Protecting the Configuration Files

This section describes how to protect the configuration files.

It is recommended that you allow only the owner or the root user to update the configuration files. Maintenance of the configuration file does not require knowledge of the actual passwords if group members are allowed to update the password file since the character “?” can be specified for the passwords.

Note: Group members who can modify the configuration file would be able to obtain additional privileges to the Optim Directory or DB Alias, or execute client processes under any identifier.