Use an encrypted passphrase or a tools.properties file to enable the server and command-line tools to use credentials available but not store them in the clear.
Encrypt these files with the following considerations:
- If the file is encrypted with a key obtained from the server’s encryption settings database, the server and associated command-line tools retrieve the appropriate key from the encryption settings database, so the clear-text contents of the file are accessed without any interaction. However, if the cipher stream provider configured to protect the contents of the encryption settings database requires interaction, such as the wait for passphrase cipher stream provider, then command-line tools might require interaction to unlock the encryption settings database.
- If the file is encrypted with a passphrase that the user specifies rather than one
obtained from the encryption settings database, the user is interactively prompted for
that passphrase when running the tool. Note:
Do not use this option for key store and trust store PIN files that need to be accessed by the server.
You can encrypt these files using the
encrypt-file tool and the following
- Certificate keystore and truststore PIN files
- When setting up an instance with encryption and either SSL or StartTLS enabled, the installer automatically encrypts the PIN files for the config/keystore, config/truststore, and config/ads-truststore certificate databases.
- Command-line arguments
- Specify passphrase files using command-line arguments. Most LDAP tools offer
- The config/tools.properties file
- Use the config/tools.properties file to obtain a default set of
arguments for most command-line tools. Alternately, you can use the
--propertiesFilePathargument to specify an alternate properties file.
Encrypt a file with the server’s preferred encryption settings definition.
$ bin/encrypt-file --input-file password.txt \ --output-file password.txt.encrypted
To use a key from an encryption settings definition that isn't the default and specify
the ID of the desired encryption settings definition, use the
You can obtain the
--encryption-settings-idwith encryption-settings list.
$ bin/encrypt-file --input-file password.txt \ --output-file password.txt.encrypted \ --encryption-settings-id 4B6899D6716FC3AFFD71F7B447EB135063A0E724
To encrypt the file with a passphrase rather than a key from an encryption settings
definition, choose one of the following options:
- Use the
--prompt-for-passphraseargument to interactively prompt for the passphrase.
- Use the
--passphrase-fileargument to specify the path to a file containing the clear-text passphrase.
$ bin/encrypt-file --input-file password.txt \ --output-file password.txt.encrypted \ --prompt-for-passphrase
- Use the