Hide Passwords in Knowledge Files

The knowledge file for a DSA can contain the passwords for other DSAs and for LDAP servers, which allows the DSA to authenticate those other DSAs and LDAP servers. However, because the knowledge file is in plain text, this is a security risk.

The DXpassword tool can produce obfuscated passwords when you specify the encryption method CADIR. This helps shield passwords in configuration files from users who have access to the computer running the DSA. Because the DSA must still recover the clear-text password to authenticate, CADIR is obfuscation rather than a one-way hash, so keep the knowledge file's permissions restricted as well.

To hide passwords in knowledge files

  1. Identify the password of the remote DSA or LDAP server.
  2. Use the DXpassword tool to encrypt the password using the CADIR option:
    dxpassword -P CADIR password

     The output contains the obfuscated password, prefixed with {CADIR}.
  3. Copy the entire output into the knowledge file, replacing the clear-text password.
  4. Save the file, then stop and start the DSA.

Example: Hide an LDAP server's password

In this example, the password for the LDAP server is HelloThere. The DSA knowledge file currently contains the following line:

    ldap-dsa-password = "HelloThere"

  1. Use the DXpassword tool to encrypt the password using the CADIR option:
    dxpassword -P CADIR HelloThere

  2. Note the output from the DXpassword tool:
    {CADIR}4YuDX1xmndSL7A==

  3. Include the entire output in the knowledge file:
    ldap-dsa-password = "{CADIR}4YuDX1xmndSL7A=="

  4. Save the knowledge file, then stop and start the DSA.
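An audit helper for the procedure above, added here as an example and not part of CA Directory or the DXpassword tool: it scans a knowledge file for password assignments that still hold a clear-text value (no {CADIR} prefix) and splices in the output of `dxpassword -P CADIR` at a given line. The sample knowledge file is constructed; the assumptions are that comment lines start with `#` and that any key ending in `password` (the page shows only `ldap-dsa-password`) is a password setting.

```python
import re

# Matches assignments such as:  ldap-dsa-password = "HelloThere"
# Assumption: every key ending in "password" holds a credential.
_PASSWORD_LINE = re.compile(
    r'^\s*(?P<key>[\w-]*password)\s*=\s*"(?P<value>[^"]*)"', re.IGNORECASE
)
OBFUSCATED_PREFIX = "{CADIR}"  # prefix emitted by: dxpassword -P CADIR <password>

# Constructed sample, not a real deployment. The second entry already carries
# the obfuscated value shown in the page's example.
SAMPLE_KNOWLEDGE = """\
# constructed sample knowledge file
set dsa "ldap-backend" =
{
    ldap-dsa-password = "HelloThere"
};
set dsa "other-backend" =
{
    ldap-dsa-password = "{CADIR}4YuDX1xmndSL7A=="
};
"""


def find_cleartext_passwords(knowledge_text):
    """Return [(line_number, key)] for password values lacking the {CADIR} prefix."""
    findings = []
    for lineno, line in enumerate(knowledge_text.splitlines(), start=1):
        if line.strip().startswith("#"):  # assumption: '#' starts a comment
            continue
        m = _PASSWORD_LINE.match(line)
        if m and not m.group("value").startswith(OBFUSCATED_PREFIX):
            findings.append((lineno, m.group("key")))
    return findings


def replace_password_value(knowledge_text, line_number, obfuscated):
    """Replace the quoted value on one flagged line with the dxpassword output."""
    if not obfuscated.startswith(OBFUSCATED_PREFIX):
        raise ValueError("expected dxpassword -P CADIR output, got %r" % obfuscated)
    lines = knowledge_text.splitlines()
    line = lines[line_number - 1]
    m = _PASSWORD_LINE.match(line)
    if not m:
        raise ValueError("line %d is not a password assignment" % line_number)
    # Keep indentation, key and quotes; swap only the value between the quotes.
    lines[line_number - 1] = line[: m.start("value")] + obfuscated + line[m.end("value"):]
    return "\n".join(lines) + "\n"
```

Run `find_cleartext_passwords` over the file, obtain the obfuscated string for each flagged line from `dxpassword -P CADIR`, then apply `replace_password_value` and restart the DSA as the procedure requires.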