close

Filter

loading table of contents...

Operations Basics / Version 2010

Table Of Contents

4.8.3 Passwords

Change all standard passwords of built-in users immediately after installation. Use good passwords.

When providing a password to command line tools in automated procedures, prefer the environment variable REPOSITORY_PASSWORD to the -p command line argument. If possible, retrieve the password immediately before calling the command line tool from a secure password vault. Make sure that the environment variable does not remain set for too long.

The users' passwords are stored by the Content Servers as salted hashes. The hash algorithm can be configured using the server property cap.server.login.passwordHashAlgorithm, which should be set to bcrypt:N where N is the load factory of the bcrypt password hashing algorithm. Higher values of N slow down the hashing performance and improve security. Set N to at least 10 and choose higher values if the CPU performance allows it.

The passwords can be encrypted additionally by using the tool cm encryptpasswords as described in Section 3.13.2.7, “Encryptpasswords in Content Server Manual.

Some passwords stored in configuration files can be encrypted using the tool encryptpasswordproperty as described in Section 3.13.1, “Information” in Content Server Manual. This applies to:

  • database passwords used by Content Server, Workflow Server and Studio Server

  • passwords for connecting to Content Server and Workflow Server,

  • passphrases for the CORBA-over-SSL keystore.

Passwords for connecting to an LDAP server, to a MongoDB or to a Solr cannot be protected in the same manner.

Search Results

Table Of Contents