r12.0 SP3: How do I obfuscate (hash) the "dsa-password" or "ldap-dsa-password" in a DSA's knowledge file?


Article ID: 51364


Products

DIRECTORY SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

In previous builds of CA Directory, the two passwords "dsa-password" and "ldap-dsa-password" were stored in the DSA's knowledge file in clear text. From r12.0 SP3 these values can instead be stored in obfuscated ("hashed") form. Note that the stored value must remain recoverable by the DSA, which has to present the clear-text password when it binds (for example to a third-party LDAP server over DXlink), so this is obfuscation rather than a one-way hash: it prevents casual disclosure of the password when a knowledge file is viewed or copied, but the knowledge files still need restrictive file permissions. Read this knowledge document for the process involved.

Solution:

The process of obfuscating the "dsa-password" and "ldap-dsa-password" values in a DSA's knowledge file involves two steps:

  1. Converting the plain text password to cipher text using the "dxpassword" CA Directory utility.
  2. Updating the DSA's knowledge file with the cipher text value.

Converting plain text using the "dxpassword" utility

Any DSA knowledge file created using the "DXnewdsa" command will have a dsa-password of "secret", e.g.:

            set dsa "democorp" =
            {
                prefix       = <c AU><o democorp>
                dsa-name     = <c AU><o democorp><cn "democorp">
                dsa-password = "secret"

            set dsa "router" =
            {
                prefix       = <c AU>
                dsa-name     = <c AU><cn "router">
                dsa-password = "secret"

To obfuscate the router's dsa-password value of "secret", execute the dxpassword command, specifying the "CADIR" algorithm and the plain text value "secret" as parameters. The cipher text is displayed on the screen, e.g.:

            >dxpassword -P CADIR secret
            {CADIR}2ix/cSku

If you want to convert the plain text value of "password", the command would be as follows:

            >dxpassword -P CADIR password
            {CADIR}2RqNRjmDUKw=

Updating the DSA's knowledge file with the cipher-text value

Once the cipher-text values have been generated, replace the plain text dsa-password value with the cipher-text value, including the "{CADIR}" prefix. Ensure that the cipher-text value is enclosed in double quotes (").

If you have implemented a highly available directory backbone, also ensure that any "remote" knowledge files (the copies of a DSA's knowledge held by the other DSAs in the backbone) are updated where applicable, so that every DSA carries the same value. For example, updating the router and democorp DSA knowledge files with the two cipher-text values generated above would look like the following:

Router knowledge file

            set dsa "router" =
            {
                prefix       = <c AU>
                dsa-name     = <c AU><cn "router">
                dsa-password = "{CADIR}2ix/cSku"

Democorp knowledge file

            set dsa "democorp" =
            {
                prefix       = <c AU><o Democorp>
                dsa-name     = <c AU><o Democorp><cn "democorp">
                dsa-password = "{CADIR}2RqNRjmDUKw="

Remember to save the knowledge files after editing, and stop and start the DSAs so that they re-read their runtime configuration.

Please Note: This same process can be used to obfuscate the "ldap-dsa-password" in the knowledge file of a DSA that uses DXlink to connect to a third-party LDAP server.
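The two-step procedure above, scripted end to end, as an added example that is not part of this knowledge document or of the CA Directory product. It assumes the knowledge-file layout shown in the article (set dsa "<name>" = { ... }; blocks, here in a constructed file named router.dxc), that dxpassword prints the {CADIR} cipher text on standard output as shown, and that the DSA is restarted separately by the operator. The same functions handle "ldap-dsa-password" by passing that key name instead of "dsa-password"; the kf_count_cleartext check is the audit a practitioner would run over every knowledge directory in a backbone to find values still stored in clear text, and kf_set_password refuses to write anything that lacks the {CADIR} prefix:

```shell
#!/bin/sh
# Added example, not from the CA knowledge document: obfuscate (ldap-)dsa-password
# values in a DSA knowledge file and audit for any that are still in clear text.
# Assumed: blocks look like  set dsa "<name>" = { ... };  and dxpassword prints
# the {CADIR} cipher text on stdout, as the article shows.

# Rewrite the <key> line inside the set dsa "<dsa>" block of <file> with <cipher>,
# always wrapped in double quotes. Refuses a value without the {CADIR} prefix so
# a plain-text value cannot be written back by mistake.
kf_set_password() {
    file=$1; dsa=$2; key=$3; cipher=$4
    case $cipher in
        "{CADIR}"*) ;;
        *) echo "kf_set_password: '$cipher' is not {CADIR} cipher text" >&2; return 2 ;;
    esac
    tmp="$file.tmp.$$"
    awk -v dsa="$dsa" -v key="$key" -v cipher="$cipher" '
        $0 ~ ("^[ \t]*set[ \t]+dsa[ \t]+\"" dsa "\"") { inblock = 1 }
        inblock && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            match($0, /^[ \t]*/)                   # keep the original indentation
            print substr($0, 1, RLENGTH) key " = \"" cipher "\""
            replaced++
            next
        }
        inblock && /^[ \t]*};/ { inblock = 0 }     # end of this DSA block
        { print }
        END { exit (replaced == 1 ? 0 : 1) }       # exactly one line must change
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Print the current value of <key> in the set dsa "<dsa>" block, quotes stripped.
kf_get_password() {
    awk -v dsa="$2" -v key="$3" '
        $0 ~ ("^[ \t]*set[ \t]+dsa[ \t]+\"" dsa "\"") { inblock = 1 }
        inblock && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val); print val; exit
        }
        inblock && /^[ \t]*};/ { inblock = 0 }
    ' "$1"
}

# Print how many dsa-password / ldap-dsa-password values in <file> lack the
# {CADIR} prefix, i.e. are still stored in clear text (run it over every backbone).
kf_count_cleartext() {
    awk '
        /^[ \t]*(ldap-)?dsa-password[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)          # drop "key ="
            gsub(/"/, "", val)                     # drop the surrounding quotes
            if (substr(val, 1, 7) != "{CADIR}") n++
        }
        END { print n + 0 }
    ' "$1"
}

# Whole procedure for one DSA: run dxpassword, then write the cipher text back.
# Needs the CA Directory tools on PATH. Note that the plain text passed on the
# command line ends up in shell history, exactly as with the article's commands.
kf_obfuscate() {
    cipher=$(dxpassword -P CADIR "$4" | sed -n 's|.*\({CADIR}[A-Za-z0-9+/=]*\).*|\1|p')
    [ -n "$cipher" ] || { echo "dxpassword produced no {CADIR} value" >&2; return 1; }
    kf_set_password "$1" "$2" "$3" "$cipher" || return 1
    echo "$1 updated; stop and start $2 so it re-reads its knowledge"
}

# Constructed sample: a router's knowledge holding its own entry plus a copy of
# democorp's, both still on the DXnewdsa default password (not a real file).
KF_DIR=$(mktemp -d)
KF="$KF_DIR/router.dxc"
cat > "$KF" <<'EOF'
set dsa "router" =
{
    prefix        = <c AU>
    dsa-name      = <c AU><cn "router">
    dsa-password  = "secret"
};
set dsa "democorp" =
{
    prefix        = <c AU><o Democorp>
    dsa-name      = <c AU><o Democorp><cn "democorp">
    dsa-password  = "secret"
};
EOF

BEFORE=$(kf_count_cleartext "$KF")          # 2: both entries are clear text
# The cipher text values are the two the article generated with dxpassword.
kf_set_password "$KF" router   dsa-password '{CADIR}2ix/cSku'
kf_set_password "$KF" democorp dsa-password '{CADIR}2RqNRjmDUKw='
AFTER=$(kf_count_cleartext "$KF")           # 0: nothing left in clear text
echo "clear-text values before: $BEFORE, after: $AFTER"
cat "$KF"
```

On a live system the call is kf_obfuscate <knowledge file> <dsa name> dsa-password <plain text> (or ldap-dsa-password for a DXlink DSA), repeated for every copy of that DSA's knowledge in the backbone, followed by a stop and start of the DSA. The awk edit is confined to the named set dsa block, so a file that carries several DSAs' knowledge, as the router's does here, only changes on the one line intended.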

Environment

Component: ETRDIR