Encrypted Password Database Help Page
Encrypted Password Database Command Line Tool
The encrypted password database command line tool is used to check database stats, add authorized used in batch mode, and for retrieving encrypted information. The command line tool can be to automate the distribution of usernames and passwords to scripts and embedded applications. Scripts and embedded applications that are currently accessing passwords in plain text files can use the encrypted password database command line tool to get password from and encrypted database file. This eliminates storing authentication information in text files or scripts and gives you a centrally managed password database making application password changes much easier to manage.To run the encrypted password database command line tool from the default installation location:
> ${HOME}/.encrypted_password_database/bin/epdb_auth_tool --helpThis will display the following help menu:
DB authentication methods: --key=aes_key (Use a key file for symmetric file decryption) --password (Use a password for symmetric file decryption) --rsa-key (Use a private RSA key file for decryption) --rsa-key-passphrase (Passphrase for private RSA key) --rsa-key-username=name (Username that owns the private RSA key, defaults to current user) --smartcard (Use a smart card for decryption) --smartcard-pin=pin (Supply smart card PIN on the command line for scripting, use with caution) --smartcard-username=name (Username assigned to the smart card cert, defaults to current user) Smart card settings: --smartcard-cert-id=01 (Set the ID number for the smartcard cert) --smartcard-engine=/usr/lib64/engines-1.1/pkcs11.so (Set the smartcard engine path) --smartcard-provider=/usr/lib64/opensc-pkcs11.so (Set the smartcard provider) DB add user functions: --add-rsa-key (Add access to database for another users public RSA key) --add-smartcard-cert (Add access to database for another users smart card) --add-username (Username being added for public RSA key file or exported smart card cert file) DB no-auth stat functions: --db-stats (Display database stats and exit) --list-users (List the users with RSA key of Smart Card cert access and exit) DB authenticated functions: --db-config (Display database config and exit) --db-list (List database stdout, defaults to tab delimited output) --db-find-key=name (Search the database for a key name and list output to stdout) --db-find-all-key=name (Search for all matching key names and list output to stdout) --delimiter="," (Set the list delimiter to comma or other value) --filter-char (Set a character to filter from list output) --replace-char (Set a character to replace in list output) --replace-char-with (Set the replacement character to replace in list output)
BASH Script Example for Password Automation
For this example we will assume the system administrator used the Encrypted Password Database GUI to create a database named admin_passowrds and has added the Title, Username, and Password for the application account used in this example. The location of the encrypted database file for this example is on a NFS mounted home directory that all the application servers have access to and are mounted to the NFS home directory. For example:/home/admins/.encrypted_password_database/docs
Where /home/admins is our NFS mounted home directory on all the application servers. And the database file is:
/home/admins/.encrypted_password_database/docs/admin_passwords.ehd
All system admins are in the designated system admin group and the system admin group has read/write permissions to the encrypted database files.
From the Encrypted Password Database GUI or EPDB command line tool each system administrator will access the database using their smart card or RSA key. If a master password or master symmetric encryption key was used to create the database the password or key method can be used for access.
On the application server as root a system administrator will need to create application keys used to give the application access to the admin_passwords database. In this example we will be setting up application keys that allow admin scripts to get an application password needed for authentication. On the server run the following commands to generate the RSA keys:
> sudo -i # mkdir -pv /etc/pki/epdb/private /etc/pki/epdb/pub # chmod 700 /etc/pki/epdb/private # openssl genrsa -out /etc/pki/epdb/private/idm_private_key.pem 2048 # chmod 400 /etc/pki/epdb/private/idm_private_key.pem # openssl rsa -in /etc/pki/epdb/private/idm_private_key.pem -outform PEM -pubout -out /etc/pki/epdb/pub/idm_public_key.pemAfter creating the RSA keys on the application server copy the public key to shared admins home directory:
> mkdir -pv /home/admins/.encrypted_password_database/keys > cp /etc/pki/epdb/pub/idm_public_key.pem /home/admins/.encrypted_password_database/.Using the Encrypted Password Database GUI or EPDB command line tool the system administrator will need to open the admin_password database and add the public application key as an authorized user. For this example let’s assume a master password was used to create the admin_passwords database. Using the EPDB command line tool the system administrator that has the master password can add the application key using the following command:
> EPDB_AUTH_TOOL=/home/admins/.encrypted_password_database/bin/epdb_auth_tool > PASSWORD_DATABASE=/home/admins/.encrypted_password_database/docs/admin_passwords.ehd > ${EPDB_AUTH_TOOL} --password --add-rsa-key=/home/admins/.encrypted_password_database/idm_public_key.pem --add-username=idm_admin ${PASSWORD_DATABASE}After adding the application key the scripts on the application server can be modified to get the application password from the encrypted database file. On the application server use the following BASH script example to get a password needed for authentication:
> sudo -i # cd /root/idm_admin_scripts # vi get_users.shNOTE: In the above example we are assuming a get_user.sh script is an existing script requiring authentication to perform a task. In the script add:
export EPDB_AUTH_TOOL=/home/admins/.encrypted_password_database/bin/epdb_auth_tool export PASSWORD_DATABASE=/home/admins/.encrypted_password_database/docs/admin_passwords.ehd idm_pw=$(${EPDB_AUTH_TOOL} --rsa-key=/etc/pki/epdb/private/idm_private_key.pem --rsa-key-username=idm_admin --db-find-key="IDM Admin" ${PASSWORD_DATABASE} | awk -F'\t' '{ print $3 }') # use the password and clear the variable echo "${idm_pw}" | kinit admin idm_pw="000000000000000000000000000000" ...In the above example a private RSA key in a secure location is used to access the encrypted database and search for the title "IDM Admin" where the password is in the third column. The BASH script gets the password, authenticates, and clears the variable used to store the password after all authentication routines have been completed.
Return to Help Pages Contents