This topic describes passwords for key databases. A key
database is used to store public keys that are used for secure connections.
About this task
When you create a new key database, you specify a key
database password. This password protects the private key. The private
key is the only key that can sign documents or decrypt messages that
are encrypted with the public key. Changing the key database password
frequently is a good practice.
Use the following guidelines
when specifying the password:
- The password must come from the U.S. English character set.
- The password must contain at least six characters and contain
at least two nonconsecutive numbers. Make sure that the password does
not consist of publicly obtainable information about you, such as
the initials and birth date for you, your spouse, or children.
- Stash the password.
Procedure
- Change the password for a key database using the gskcmd
command-line interface. Enter the following command as one line:
<ihsinst>/bin/gskcmd -keydb -changepw -db <filename>.kdb -pw <password> -new_pw <new_password> -expire <days> -stash
where:
- -db <filename> is the name of the database.
- -changepw changes the password.
- -keydb specifies the command is for the key
database.
- -new_pw <new_password> is the new key
database password. This password must be different from the old password
and cannot be a NULL string.
- -pw <password> is the password to access
the key database.
- -expire <days> is the number of days
before the password expires. This parameter is only valid for CMS key
databases.
- -stash stashes the password for the key database.
This parameter is only valid for CMS key databases. Stashing the password
is required for IBM® HTTP Server.
- Change the password using the GSKCapiCmd tool. GSKCapiCmd
is a tool that manages keys, certificates, and certificate requests
within a CMS key database. The tool has all of the functionality that
the existing GSKit Java command-line tool has, except that
GSKCapiCmd supports only CMS and PKCS11 key databases. If you plan to manage
key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage
all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
<ihsinst>/bin/gskcapicmd -keydb -changepw -db <name> [-crypto <module name> -tokenlabel <token label>] [-pw <passwd>] -new_pw <new passwd> [-expire <days>] [-stash] [-fips] [-strong]
Results
The key database now accepts the new password.
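The password guidelines and the gskcmd command above, combined into a pre-check wrapper. This is an added example, not IBM code; the function names, the IHSINST variable, and the readings of "U.S. English character set" (printable ASCII) and "two nonconsecutive numbers" (two digits with at least one non-digit between them) are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): pre-check a new key database password against
# the guidelines on this page before calling gskcmd.

# check_kdb_password OLD NEW
# Returns 0 if NEW passes; otherwise prints the reason to stderr and returns 1.
# The body runs in a subshell so LC_ALL=C stays local; "exit" leaves only it.
check_kdb_password() (
    LC_ALL=C
    old=$1
    new=$2
    [ -n "$new" ] || { echo "new password must not be empty" >&2; exit 1; }
    [ "$new" != "$old" ] || { echo "new password must differ from the old one" >&2; exit 1; }
    # Assumption: "U.S. English character set" means printable ASCII (space to ~).
    case $new in
        *[!\ -~]*) echo "password contains non-ASCII or control characters" >&2; exit 1 ;;
    esac
    [ "${#new}" -ge 6 ] || { echo "password needs at least six characters" >&2; exit 1; }
    # Assumption: "two nonconsecutive numbers" means two digits with at least
    # one non-digit character between them.
    case $new in
        *[0-9]*[!0-9]*[0-9]*) ;;
        *) echo "password needs two digits separated by a non-digit" >&2; exit 1 ;;
    esac
)

# change_kdb_password DB OLD NEW DAYS
# Runs the gskcmd command from this page only if the new password passes.
# IHSINST is a hypothetical variable standing in for <ihsinst>.
change_kdb_password() {
    check_kdb_password "$2" "$3" || return 1
    "${IHSINST:?set IHSINST to the IBM HTTP Server install root}/bin/gskcmd" \
        -keydb -changepw -db "$1" -pw "$2" -new_pw "$3" -expire "$4" -stash
}
```

Values given to -pw and -new_pw are command-line arguments, so they are visible in the process list while gskcmd runs and can end up in shell history.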