Forgot SSL Database password in Sun Web server 6.1?

One common question is what to do when you have forgotten the SSL security database password in Sun Web Server 6.1SPx (or your predecessor did not tell you before he/she left the company, etc.). This is the password you are asked for every time you start up an SSL-enabled web server instance in 6.1SPx,

e.g.

apple:/export/home/iws6.1sp9> https-apple.asia.sun.com/start
Sun ONE Web Server 6.1SP9 B01/11/2008 14:24
Please enter password for "internal" token:   <-- this is the security database password

Sorry, there is not much you can do in this case. You will need to re-initialize the security database with a new password; see

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127 (6.1)

Then you will need to request a new SSL certificate from the CA and so on; see

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004981

A couple of options to prevent this situation in the future:

1. Use a password.conf file; see "Using password.conf" at

http://docs.sun.com/source/817-1831-10/agcert.html#wp1004127

Then you can see your own password, as a line such as "internal:your_password", in the password.conf file in the config subdirectory of the server instance.

2. Use Web Server 7.0, which does not ask for this internal token password when you request the SSL cert (generate a CSR) or in the later steps (e.g. installing the SSL cert, starting up the SSL server).

(Important: Jyri has helped to point out in the comments to this posting that

"option #2 is only so because WS 7.0 allows you to have an empty password for the cert database if that's what you want. It's not that it can somehow bypass the password if one is set. If you do set the password on WS 7.0 (which may or may not be important to do, depending on the deployment scenario) and later forget it, you'll still have to start all over again with new keys & certificates.")

e.g. No password asked when I requested the SSL cert.

[Image: 7.0 photo]

After I installed the SSL cert.,

no password asked when I start up the SSL web server instance,

apple:/export/home/iws7.0u3> https-apple.asia.sun.com/bin/startserv
Sun Java System Web Server 7.0U3 B06/16/2008 12:00
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://apple.asia.sun.com:7032 ready to accept requests
info: CORE3274: successful server startup

So, this is another good reason to upgrade to Web Server 7.0.
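For option 1 above, password.conf keeps the token password in cleartext, so the file is worth checking whenever the instance is audited. The following is an added example, not part of the original post or of the product: the function name, the messages and the owner-only permission rule are assumptions; only the "internal:your_password" line format comes from the text above.

```shell
#!/bin/sh
# Added example: audit a Web Server 6.1 password.conf file.
# Assumed policy: the file must exist, be readable by its owner only,
# and carry a non-empty "internal:" entry. The password is never printed.

check_password_conf() {
    conf=$1
    rc=0

    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf (the server will prompt for the token password)"
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: $conf is accessible to group/other ($perms); use chmod 600"
        rc=1
    fi

    # One token:password pair per line; the software token is "internal".
    if ! grep -q '^internal:' "$conf"; then
        echo "NOTOKEN: $conf has no internal: entry"
        rc=1
    elif grep -q '^internal:[[:space:]]*$' "$conf"; then
        echo "EMPTY: the internal: entry in $conf has no password"
        rc=1
    fi

    return $rc
}

# Usage: sh check_password_conf.sh <server-instance>/config/password.conf
if [ $# -gt 0 ]; then
    check_password_conf "$1"
fi
```

A return code of 0 means the file passed all checks, 1 means a permission or content finding, and 2 means the file is missing.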







Comments:

You should mention that option #2 is only so because WS 7.0 allows you to have an empty password for the cert database if that's what you want. It's not that it can somehow bypass the password if one is set. If you do set the password on WS 7.0 (which may or may not be important to do, depending on the deployment scenario) and later forget it, you'll still have to start all over again with new keys & certificates.

Posted by Jyri on July 08, 2008 at 04:31 AM HKT #

Yes, thanks for the comments from Jyri. I added it into my blog above, so readers can be aware of this.

Posted by Walter on July 08, 2008 at 06:20 AM HKT #
