This section describes the program (pr0pass) used to encrypt passwords for parameters in the configuration files.
If the administrator has set up file permissions as described in Securing the Products, only the owner, members of the group that includes the owner, and the root user can view (read) the configuration files, and only the owner or the root user can update (write) the configuration files.
The user account used to start pr0svce must have read access to the pstserv.cfg file, while the Command Line Utility (pr0cmnd) must have read access to the pstlocal.cfg file. (For details about the configuration files, refer to Pstserv Configuration File and Pstlocal Configuration File for the Command Line Utility.)
Parameters in both configuration files may include system user IDs (filelogon, webserver, server, and tivoliavail) and DBMS logons (pstdir and dbalias), each with a password. To keep these passwords out of the configuration files, you can store them in an encrypted password file that is separate from the configuration files. The pr0pass program maintains that password file, encrypting the passwords for parameters in the configuration files.
By default, the password file is installed as /etc/pstpass under the PSTHOME directory. You can override the location and name of the file by providing the full path and file name in the PSTPASS environment variable. (Refer to RTSETENV Shell Script for a description of the PSTPASS environment variable.) Users who start pr0svce or execute pr0cmnd or pr0coms must have permission to read the password file, and users who run pr0pass must be able to write to the password file.
To use encrypted passwords:
This section describes the commands you can use with a password file.
The following command line actions are available to help you edit an encrypted password file.
If the type is pstdir, the default "%" matches any Optim Directory. If the type is dbalias, specify the name in the form pstdir:dbalias; the default "%" matches any Optim Directory or DB Alias, as in %:%, pstdir:%, or %:dbalias.
This section includes examples of using the Add command.
The following examples demonstrate using the Add command for the pr0pass program and indicating encrypted passwords in the configuration file.
This section describes how to protect the password file.
By default, only the owner and the root user have write access to the password file and can use the commands pr0pass -a or pr0pass -d to update it.
To allow other members of the group to update the password file, use the chmod command to change the permissions on the password file. For example, the following command adds group write permission to the pstpass file.
chmod g+w <installdir>/etc/pstpass
This allows members of the group to maintain passwords for their own accounts. However, once group members other than the owner have write permission, anyone in the group can delete a password or the password file itself, at the risk of disabling the product or requiring reentry of all affected passwords.
This section describes how to protect the configuration files.
It is recommended that you allow only the owner or the root user to update the configuration files. If group members are allowed to update the password file, maintaining the configuration files does not require knowledge of the actual passwords, because the character "?" can be specified in place of a password.
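The following shell script is an added example, not part of the product documentation or of pr0pass itself. It shows how an administrator could audit the permission scheme described above: the password file (either the PSTPASS override or the default PSTHOME/etc/pstpass) and the configuration files must not be accessible to "other" users, and the configuration files should not be group-writable. The locations of pstserv.cfg and pstlocal.cfg under PSTHOME/etc, the use of a temporary directory as a stand-in for PSTHOME, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not product code): audit file permissions for the Optim
# password file and configuration files. Paths under PSTHOME/etc are assumed.

# password_file_path PSTHOME: honour the PSTPASS override, else the default.
password_file_path() {
    if [ -n "$PSTPASS" ]; then
        printf '%s\n' "$PSTPASS"
    else
        printf '%s\n' "$1/etc/pstpass"
    fi
}

# file_mode FILE: symbolic mode string such as "-rw-r-----" (portable via ls).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_no_other_access FILE: fail if "other" holds any permission bit.
check_no_other_access() {
    mode=$(file_mode "$1")
    case "$(printf '%s' "$mode" | cut -c8-10)" in
        ---) return 0 ;;
        *)   echo "WARN: $1 is accessible to other users ($mode)" >&2; return 1 ;;
    esac
}

# check_group_not_writable FILE: fail if the group can write. Recommended for
# the configuration files, which only the owner or root should update.
check_group_not_writable() {
    mode=$(file_mode "$1")
    case "$(printf '%s' "$mode" | cut -c6)" in
        w) echo "WARN: $1 is group-writable ($mode)" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# audit_optim_files PSTHOME: run all checks; returns 0 only if every check passes.
audit_optim_files() {
    home=$1
    rc=0
    pass=$(password_file_path "$home")
    for f in "$pass" "$home/etc/pstserv.cfg" "$home/etc/pstlocal.cfg"; do
        check_no_other_access "$f" || rc=1
    done
    for f in "$home/etc/pstserv.cfg" "$home/etc/pstlocal.cfg"; do
        check_group_not_writable "$f" || rc=1
    done
    return $rc
}

# make_demo_tree: constructed sandbox standing in for PSTHOME so the script
# runs stand-alone. Modes follow the page: group may maintain the password
# file (660); configuration files readable by the group but not writable (640).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    : > "$d/etc/pstpass";     chmod 660 "$d/etc/pstpass"
    : > "$d/etc/pstserv.cfg"; chmod 640 "$d/etc/pstserv.cfg"
    : > "$d/etc/pstlocal.cfg"; chmod 640 "$d/etc/pstlocal.cfg"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed tree.
demo=$(make_demo_tree)
if audit_optim_files "$demo"; then
    echo "permissions match the recommended scheme"
fi
rm -rf "$demo"
```

Run it once after the chmod g+w step and again whenever the group membership changes; a non-zero exit together with the WARN lines on stderr identifies which file drifted from the recommended scheme.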