This topic describes passwords for key databases. A key database
is used to store public keys that are used for secure connections.
About this task
When you create a new key database, you specify a key database
password. This password protects the private key. The private key is the only
key that can sign documents or decrypt messages that are encrypted with the
public key. Changing the key database password frequently is a good practice.
Use the following guidelines when specifying the password:
- The password must come from the U.S. English character set.
- The password must contain at least six characters and contain at least
two nonconsecutive numbers. Make sure that the password does not consist of
publicly obtainable information about you, such as the initials and birth
date for you, your spouse, or children.
- Stash the password.
Procedure
- Change the password for a key database using the gsk7cmd command-line
interface. Enter the following command as one line:
<ihsinst>/bin/gsk7cmd -keydb -changepw -db <filename>.kdb -pw <password> -new_pw <new_password> -expire <days> -stash
where:
- -db <filename> is the name of the database.
- -changepw changes the password.
- -keydb specifies that the command is for the key database.
- -new_pw <new_password> is the new key database password.
This password must be different than the old password and cannot be a NULL
string.
- -pw <password> is the password to access the key database.
- -expire <days> is the number of days before the password expires.
This parameter is only valid for CMS key databases.
- -stash stashes the password for the key database. This parameter
is only valid for CMS key databases. Stashing the password is required for IBM® HTTP
Server.
- Change the password using the GSKCapiCmd tool. GSKCapiCmd
is a tool that manages keys, certificates, and certificate requests within
a CMS key database. The tool has all of the functionality of the existing
GSKit Java™ command-line tool, except that GSKCapiCmd supports only CMS and
PKCS11 key databases. If you plan to manage key databases other than CMS or
PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all
aspects of a CMS key database. GSKCapiCmd does not require Java to be
installed on the system.
<ihsinst>/bin/gsk7capicmd -keydb -changepw -db <name> [-crypto <module name> -tokenlabel <token label>] [-pw <passwd>] -new_pw <new passwd> [-expire <days>] [-stash] [-fips] [-strong]
Results
The key database now accepts the new password.
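The following shell functions are an added example, not part of the original IBM documentation. They check a new password against the guidelines above before running the gsk7cmd command from the procedure. The function names, the IHSINST variable, and the reading of "U.S. English character set" as printable ASCII and "two nonconsecutive numbers" as two digits separated by a non-digit are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): check a new key database password against
# this page's guidelines before passing it to gsk7cmd.
# Assumptions: "U.S. English character set" = printable ASCII; "two
# nonconsecutive numbers" = two digits with a non-digit between them.

# check_keydb_password OLD NEW
# Returns 0 if NEW is acceptable, else prints the reason to stderr, returns 1.
# The body is a subshell so the locale change stays local to the check.
check_keydb_password() (
    old=$1 new=$2
    export LC_ALL=C    # byte-wise matching for the range tests below

    [ -n "$new" ] || { echo "new password is a NULL string" >&2; return 1; }
    [ "$new" != "$old" ] || { echo "new password equals old" >&2; return 1; }

    # Anything left after deleting printable ASCII is outside the allowed set.
    extra=$(printf '%s' "$new" | tr -d ' -~' | wc -c)
    [ "$((extra))" -eq 0 ] || { echo "non-ASCII or control byte" >&2; return 1; }

    [ "${#new}" -ge 6 ] || { echo "fewer than six characters" >&2; return 1; }

    case $new in
        *[0-9]*[!0-9]*[0-9]*) ;;
        *) echo "needs two nonconsecutive digits" >&2; return 1 ;;
    esac
)

# change_keydb_password KDB OLD NEW DAYS
# Runs the command from this page only when NEW passes the check.
# IHSINST is an assumed variable holding the <ihsinst> install root.
change_keydb_password() {
    check_keydb_password "$2" "$3" || return 1
    "$IHSINST/bin/gsk7cmd" -keydb -changepw -db "$1" -pw "$2" \
        -new_pw "$3" -expire "$4" -stash
}
```

Values passed with -pw and -new_pw are visible in the process list and shell history on most systems, so run the change from a restricted administrative session.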