r12.0 SP3: How do I obfuscate (hash) the "dsa-password" or "ldap-dsa-password" in a DSA's knowledge file?

Document ID : KB000051364
Last Modified Date : 14/02/2018


In previous builds of the Directory, the two passwords "dsa-password" and "ldap-dsa-password" were stored in clear-text, but an enhancement in r12.0 SP3 means that these passwords can now be hashed. Read this knowledge document for the process involved.


The process of hashing the "dsa-password" and "ldap-dsa-password" values in a DSA's knowledge file involves two steps:

  1. Converting the plain text password to cipher text using the "dxpassword" CA Directory utility.
  2. Updating the DSA's knowledge file with the cipher text value.

Converting plain text using the "dxpassword" utility

Any DSA knowledge file created using the "DXnewdsa" command will have a dsa-password of "secret", e.g.:

            set dsa "democorp" =
            {
            prefix = <c AU><o democorp>
            dsa-name = <c AU><o democorp><cn "democorp">
            dsa-password = "secret"

            set dsa "router" =
            {
            prefix = <c AU>
            dsa-name = <c AU><cn "router">
            dsa-password = "secret"

To set the router's dsa-password to the hashed form of "secret", execute the dxpassword command, specifying the "CADIR" algorithm and the plain text value "secret" as parameters. The cipher text will be displayed on the screen, e.g.:

            >dxpassword -P CADIR secret
            {CADIR}2ix/cSku

If you want to encrypt the plain text value of "password", the command would be as follows:

            >dxpassword -P CADIR password
            {CADIR}2RqNRjmDUKw=

Updating the DSA's knowledge file with the cipher-text value

Once the cipher-text values have been generated, replace the plain text dsa-password value with the cipher-text value. Ensure that the cipher-text value is enclosed in double quotes (").

If you have implemented a highly available directory backbone, ensure that any "remote" knowledge files are also updated (where applicable). For example, updating the router and democorp DSA knowledge files with the two cipher-text values generated above would look like the following:

Router knowledge file

            set dsa "router" =
            {
                 prefix        = <c AU>
                 dsa-name      = <c AU><cn "router">
                 dsa-password  = "{CADIR}2ix/cSku"

Democorp knowledge file

            set dsa "democorp" =
            {
                 prefix        = <c AU><o Democorp>
                 dsa-name      = <c AU><o Democorp><cn "democorp">
                 dsa-password  = "{CADIR}2RqNRjmDUKw="

Remember to save the knowledge files after editing and ensure that the DSAs are stopped and started to refresh their runtime configuration.

Please Note: This same process can be performed to obfuscate the "ldap-dsa-password" when using DXlink to connect to third-party LDAP servers.
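
To confirm that no knowledge file was missed, the check below scans knowledge-file text for "dsa-password" and "ldap-dsa-password" values that are still in clear text, or hashed but not enclosed in double quotes. It is an added example, not part of the original article or of CA Directory's tooling. It assumes the file layout shown above, treats only the {CADIR} prefix as hashed, and assumes "#" starts a comment line; the sample file and the function name are constructed for illustration.

```python
import re

# Constructed sample in the layout shown in this article: one hashed value,
# one clear-text value, and one hash that is missing its double quotes.
SAMPLE = '''
set dsa "router" =
{
     prefix        = <c AU>
     dsa-name      = <c AU><cn "router">
     dsa-password  = "{CADIR}2ix/cSku"
};
set dsa "democorp" =
{
     prefix        = <c AU><o Democorp>
     dsa-name      = <c AU><o Democorp><cn "democorp">
     dsa-password  = "secret"
     ldap-dsa-password = {CADIR}2RqNRjmDUKw=
};
'''

DSA_RE = re.compile(r'^\s*set\s+dsa\s+"([^"]+)"')
PW_RE = re.compile(r'^\s*((?:ldap-)?dsa-password)\s*=\s*(.*?)\s*$')

def audit_knowledge(text):
    """Return (dsa, attribute, problem) for each password line needing attention."""
    findings, dsa = [], None
    for line in text.splitlines():
        if line.lstrip().startswith('#'):   # assumed comment syntax
            continue
        m = DSA_RE.match(line)
        if m:
            dsa = m.group(1)                # remember which DSA block we are in
            continue
        m = PW_RE.match(line)
        if not m:
            continue
        attr, value = m.groups()
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        inner = value[1:-1] if quoted else value
        if not inner.startswith('{CADIR}'):
            findings.append((dsa, attr, 'clear-text'))
        elif not quoted:
            findings.append((dsa, attr, 'hash not in double quotes'))
    return findings

if __name__ == '__main__':
    for dsa, attr, problem in audit_knowledge(SAMPLE):
        print(f'{dsa}: {attr}: {problem}')
```

Run it against every local and "remote" knowledge file by passing each file's contents to audit_knowledge(); an empty result means every password line found carries a quoted {CADIR} value.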