Use an encrypted passphrase file or a tools.properties file to make credentials available to the server and the command-line tools without storing them in the clear.
Keep the following in mind when encrypting these files:
- If the file is encrypted with a key obtained from the server's encryption settings database, the server and the command-line tools retrieve that key from the encryption settings database themselves, so the clear-text contents of the file are available without any interaction. However, if the cipher stream provider that protects the encryption settings database itself requires interaction (for example, the wait-for-passphrase cipher stream provider), then command-line tools might still need to prompt in order to unlock the encryption settings database.
- If the file is encrypted with a passphrase that the user specifies rather than a key obtained from the encryption settings database, the user is prompted interactively for that passphrase whenever a tool reads the file. Note: Do not use this option for keystore and truststore PIN files that the server must read, because the server has no way to supply a user-specified passphrase when it opens those stores.
You can encrypt these files with the encrypt-file tool and use the encrypted files in the following ways:
- Certificate keystore and truststore PIN files: When you set up an instance with encryption and either SSL or StartTLS enabled, the installer automatically encrypts the PIN files for the config/keystore, config/truststore, and config/ads-truststore certificate databases.
- Command-line arguments: Specify passphrase files with command-line arguments. Most LDAP tools offer the --bindPasswordFile, --keystorePasswordFile, and --truststorePasswordFile arguments.
- The config/tools.properties file: Use the config/tools.properties file to supply a default set of arguments for most command-line tools. Alternatively, use the --propertiesFilePath argument to point a tool at a different properties file.
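The procedure above, carried end to end for a bind password, as an added example that is not part of the original page or of the product's own scripts. It writes the clear-text password to a file only the service account can read, encrypts it so that tools decrypt it without prompting, removes the clear-text copy, and then points tools.properties at the encrypted file. SERVER_ROOT, the file names, the BIND_PASSWORD environment variable, and the exact tools.properties layout (property names matching the tools' long argument names, with a tool-name prefix for tool-specific overrides) are assumptions; the encrypt-file --input-file and --output-file arguments are taken from the tool's own documentation and should be checked against your version. The real encrypt-file and ldapsearch invocations only run when an instance is present, so the helper functions can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the Ping documentation. Marked items are assumptions.
set -eu

SERVER_ROOT="${SERVER_ROOT:-/opt/ping/PingDirectory}"   # hypothetical install path

# Write a secret to a file readable only by the current account.
# umask is lowered first so the file is never created world-readable.
write_secret_file() {
    secret="$1"; dest="$2"
    (umask 077 && printf '%s' "$secret" > "$dest")
    chmod 600 "$dest"
}

# Encrypt with the key from the encryption settings database (no passphrase
# option given, so no prompt at run time), then remove the clear-text copy.
# Assumes encrypt-file accepts --input-file / --output-file.
encrypt_secret_file() {
    plain="$1"; enc="$2"
    "$SERVER_ROOT/bin/encrypt-file" --input-file "$plain" --output-file "$enc"
    chmod 600 "$enc"
    rm -f "$plain"
}

# Write a tools.properties that makes every tool use the encrypted password
# file by default. Assumed format: global properties use the tools' long
# argument names; "toolname.property" applies to one tool only.
write_tools_properties() {
    dest="$1"; pwfile="$2"
    (
        umask 077
        cat > "$dest" <<EOF
# Global defaults for all command-line tools
hostname=localhost
port=636
useSSL=true
bindDN=cn=Directory Manager
bindPasswordFile=$pwfile
# Applies to ldapsearch only (assumed tool-specific syntax)
ldapsearch.baseDN=dc=example,dc=com
EOF
    )
}

# Return 0 if the file has mode 600 (no group or other bits), 1 otherwise.
# Works with GNU stat (Linux) and BSD stat (macOS).
file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Only run the real procedure when an instance is installed.
if [ -x "$SERVER_ROOT/bin/encrypt-file" ]; then
    plain="$SERVER_ROOT/config/bind-password.txt"
    enc="$SERVER_ROOT/config/bind-password.enc"
    props="$SERVER_ROOT/config/tools.properties"

    write_secret_file "${BIND_PASSWORD:?set BIND_PASSWORD first}" "$plain"
    encrypt_secret_file "$plain" "$enc"
    file_is_private "$enc"
    write_tools_properties "$props" "$enc"

    # Tools now take their defaults from the properties file and decrypt the
    # password file with the encryption settings database key, no prompt.
    "$SERVER_ROOT/bin/ldapsearch" --propertiesFilePath "$props" '(objectClass=*)'
fi
```

If the encryption settings database is protected by a cipher stream provider that itself requires interaction, the ldapsearch call at the end can still prompt once to unlock that database; if you instead encrypt the file with encrypt-file's user-specified passphrase option, every tool run prompts, and the same file must not be used for the server's keystore or truststore PIN.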