Operations Basics / Version 2404
Table Of ContentsChange all standard passwords of built-in users immediately after installation. Use good passwords.
When providing a password to command line tools in automated procedures,
prefer the environment variable REPOSITORY_PASSWORD
to the
-p
command line argument.
If possible, retrieve the password immediately before calling the command line
tool from a secure password vault. Make sure that the environment variable
does not remain set for too long.
The users' passwords are stored by the Content Servers as salted hashes.
The hash algorithm can be configured using the server property
cap.server.login.passwordHashAlgorithm
, which should be set to
bcrypt:N
where N is the load factory of the bcrypt password hashing algorithm.
Higher values of N slow down the hashing performance and improve security.
Set N to at least 10 and choose higher values if the CPU performance allows it.
The passwords can be encrypted additionally by using the tool
cm encryptpasswords
as described in
Section 3.13.2.7, “Encryptpasswords” in Content Server Manual.
Some passwords stored in configuration files can be encrypted
using the tool encryptpasswordproperty
as described in
Section 3.13.1, “Information” in Content Server Manual.
This applies to:
database passwords used by Content Server, Workflow Server and Studio Server
passwords for connecting to Content Server and Workflow Server,
passphrases for the CORBA-over-SSL keystore.
Passwords for connecting to an LDAP server, to a MongoDB or to a Solr cannot be protected in the same manner.