Troubleshooting
Problem
This technote details the two options available for updating a key database password after it has expired.
Symptom
If the key database password expires, you must update it so that your SSL environment continues to function correctly. There are two options for updating the expired key database password: from the command line, or using the GSKit ikeyman utility. Once the password has been updated, you must also update the ibmslapd.conf file to reflect the new password.
Option 1. Updating the expired key database password from command line:
- The change password command allows the user to change the password associated with the specified key database. When changing the password for a key database, all key records containing encrypted private key information have the private key data re-encrypted. The new password is used as input to create the new encryption key used during the encryption process.
The syntax for changing the password of an existing key database with GSKCapiCmd is as follows:
With Directory Server V6.2 or below - use GSKit v7 based gsk7capicmd_64 / gsk7capicmd:
gsk7capicmd -keydb -changepw -db <name> [-crypto <module name> -tokenlabel <token label>] [-pw <passwd>] -new_pw <new passwd> [-expire <days>] [-stash]
With Directory Server V6.3 or later - use GSKit v8 based gsk8capicmd_64 / gsk8capicmd:
gsk8capicmd -keydb -changepw -db <name> [-crypto <module name> -tokenlabel <token label>] [-pw <passwd>] -new_pw <new passwd> [-expire <days>] [-stash]
There are three options for updating the configuration file with the new Key Database Password.
- Hand edit the ibmslapd.conf file
- Use an idsldapmodify (ldapmodify) command
- Use the Web Administration tool
1.1.1 In this example I will show how to update the file using the modify command:
Create an ldif file as shown below:
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: <new password>
Note: replace <new password> with the new password for your Key Database.
1.1.2 Then, with the ITDS server running, issue the modify command:
On ITDS v6.x:
idsldapmodify -p <port> -D <adminDn> -w <admin password> -i <file name>
On ITDS v5.2:
ldapmodify -D <adminDn> -w <admin password> -i <file name>
Note: <file name> is replaced with the file you created in step 1.1.1.
1.1.3 Then restart the server and the administration daemon
On ITDS v6.x:
# ibmslapd -I <instance name> -k
# ibmdiradm -I <instance name> -k
# ibmdiradm -I <instance name>
# ibmslapd -I <instance name> -n
On ITDS v5.2:
# ibmdirctl -h <hostname> -D <adminDN> -w <password> -p <portnumber> stop
# ibmdirctl -D <adminDN> -w <adminPW> admstop
# ibmdiradm
# ibmdirctl -h <hostname> -D <adminDN> -w <password> -p <portnumber> start
Option 2. Updating the expired key database password using the GSKit ikeyman utility:
With Directory Server V6.2 or below - use GSKit v7 based gsk7capicmd_64 / gsk7capicmd:
- Invoke the GSKit ikeyman utility by issuing "gsk7ikm" from the command line.
With Directory Server V6.3 or later - use GSKit v8 based gsk8capicmd_64 / gsk8capicmd:
- Invoke the GSKit "ikeyman" utility by issuing "ikeyman" from the <LDAPHOME>/java/jre/bin folder via the command line.
2.1 Select "Key Database File" -> "Open"

2.2 Enter the name and location of the Key Database File and click "OK".

2.3 You will see the following pop-up dialog; click "Yes" to reset the password.

2.4 Enter a new password and a new expiration time and click "OK". If you are using a password stash file, remember to generate a new stash file by selecting the "Stash the password to a file" check box.

2.5 If this is the Key Database that the ITDS server is configured to use, you must update the ibmslapd.conf file to reflect the new password.
There are three options for updating the configuration file with the new Key Database Password.
- Hand edit the ibmslapd.conf file
- Use an idsldapmodify (ldapmodify) command
- Use the Web Administration tool
2.5.1 In this example I will show how to update the file using the modify command:
Create an ldif file as shown below:
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: <new password>
Note: replace <new password> with the new password for your Key Database.
2.5.2 Then, with the ITDS server running, issue the modify command:
On ITDS v6.x:
idsldapmodify -p <port> -D <adminDn> -w <admin password> -i <file name>
On ITDS v5.2:
ldapmodify -D <adminDn> -w <admin password> -i <file name>
Note: <file name> is replaced with the file you created in step 2.5.1.
2.5.3 Then restart the server and the administration daemon
On ITDS v6.x:
# ibmslapd -I <instance name> -k
# ibmdiradm -I <instance name> -k
# ibmdiradm -I <instance name>
# ibmslapd -I <instance name> -n
On ITDS v5.2:
# ibmdirctl -h <hostname> -D <adminDN> -w <password> -p <portnumber> stop
# ibmdirctl -D <adminDN> -w <adminPW> admstop
# ibmdiradm
# ibmdirctl -h <hostname> -D <adminDN> -w <password> -p <portnumber> start
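The command-line procedure (Option 1) as an added shell script; this is not code from the technote or from IBM. It also serves the LDIF modify step shared with Option 2 (2.5), and shows the edge case the technote's "<new password>" placeholder hides: an LDIF value that starts with a space, ':' or '<', ends with a space, or contains non-ASCII bytes must be base64-encoded or ibmslapd will store a different password than the one you meant. Assumes ITDS v6.x with GSKit v8 (gsk8capicmd); the instance name, port, key database path and the 365-day expiry in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not part of the IBM technote): Option 1 as a script for ITDS v6.x
# with GSKit v8. Instance name, port, paths and the 365-day expiry are assumptions.

# Emit one RFC 2849 LDIF line. A value that starts with SPACE, ':' or '<', ends
# with SPACE, or contains a byte outside printable ASCII must be base64-encoded
# ("::"); otherwise the server stores a different password than the one typed.
ldif_attr() {  # $1 = attribute name, $2 = value
  _b64=0
  case "$2" in ' '*|':'*|'<'*|*' ') _b64=1 ;; esac
  if [ "$_b64" -eq 0 ] && printf '%s' "$2" | LC_ALL=C grep -q '[^ -~]'; then
    _b64=1
  fi
  if [ "$_b64" -eq 1 ]; then
    printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
  else
    printf '%s: %s\n' "$1" "$2"
  fi
}

# Write the technote's modify LDIF to $2 with mode 0600: it holds the clear-text
# key database password until it is removed.
make_ssl_pw_ldif() {  # $1 = new password, $2 = output path
  ( umask 077
    { printf 'dn: cn=SSL, cn=Configuration\nchangetype: modify\n'
      printf 'replace: ibm-slapdSslKeyDatabasepw\n'
      ldif_attr ibm-slapdSslKeyDatabasepw "$1"; } > "$2" )
}

# Whole procedure: change the password and regenerate the stash file (-stash),
# push the new password into ibmslapd.conf, then restart server and admin daemon.
# gsk8capicmd takes both passwords as arguments, so they are briefly visible to
# anyone who can list processes on the host while it runs.
update_keydb_password() {  # $1 kdb  $2 old pw  $3 new pw  $4 instance  $5 port  $6 adminDN  $7 admin pw
  gsk8capicmd -keydb -changepw -db "$1" -pw "$2" -new_pw "$3" -expire 365 -stash || return 1
  _ldif=$(mktemp) || return 1
  make_ssl_pw_ldif "$3" "$_ldif"
  idsldapmodify -p "$5" -D "$6" -w "$7" -i "$_ldif"; _rc=$?
  rm -f "$_ldif"                       # do not leave the password on disk
  [ "$_rc" -eq 0 ] || return 1
  ibmslapd -I "$4" -k && ibmdiradm -I "$4" -k    # stop server, then admin daemon
  ibmdiradm -I "$4" && ibmslapd -I "$4" -n       # start admin daemon, then server
}
# usage: update_keydb_password /opt/ibm/ldap/keys/ldapkey.kdb 'oldpw' 'newpw' idsinst 389 cn=root 'adminpw'
```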
Document Information
Modified date: 16 June 2018
UID: swg21284086