Advanced Configuration to Manage Master Password
The configPassman.cnf file contains additional configuration settings for password encryption. The file consists of a number of properties, some of which are commented out in the default configuration.
Note:
The configPassman.cnf file has a companion file, passman.cnf. If you make changes to the configPassman.cnf file, API Gateway automatically updates passman.cnf to reflect these changes when you initialize API Gateway. Never update passman.cnf directly.
As shipped, the configPassman.cnf file specifies that passwords are stored in the config/txnPassStore.dat file and encrypted using Password-Based Encryption (PBE). In addition, it specifies that the master password is stored in the config/empw.dat file. Properties that can be used to specify other settings are commented out.
If you want to change these optional settings, you must edit the configPassman.cnf file. The file must always specify the following:
* Encryption method for passwords.
* Location of the file that contains the passwords.
* Method API Gateway uses to obtain the master password.
The following sections describe the configPassman.cnf file in detail and how to change password and master password settings.
Working with Password Settings
This section describes how to use the configPassman.cnf file to change settings for passwords.
Controlling Name and Location of Password File
The default file name and location for the password file is in the server instance’s home directory under config/txnPassStore.dat. To change it, locate and modify the following property:
outbound.password.field.fileName=config/txnPassStore.dat
This property must always be present and uncommented. If you want to change the file name or location, change the right-hand side only. You can specify an absolute or relative path. In the path name, use the forward slash (/) only; the backward slash (\) is not supported.
Controlling Encryption of Outbound Password File
The default encryption method for the password file is Password-Based Encryption (PBE). To change it, locate the following properties and uncomment a different method. One and only one of these properties must always be uncommented.
| Property | Description | Security |
| --- | --- | --- |
| default.encryptor=EntrustPbePlus | This denotes PBE encryption. | Most secure |
| #default.encryptor=Base64 | This denotes Base64 encoding. | Not secure |
| #default.encryptor=None | This denotes Clear text. | Not secure |
Working with Master Password Settings
By default, the master password is stored in the file config/empw.dat under the server instance’s home directory, but if you prefer, you can configure API Gateway to prompt for the master password at server initialization. The following sections describe how to tell API Gateway which method to use.
Storing the Master Password in a File
To store the master password in a file, use the following properties:
| Property | Description |
| --- | --- |
| master.password.storeInFile=true | This controls whether API Gateway stores the master password in a file (true) or prompts for it at server initialization (false). If this value is set to true, make sure the master.password.field.attemptsLimit properties are commented out. |
| master.password.field.fileName=config/empw.dat | This indicates the location of the master password store. Use the forward slash (/) only; the backward slash (\) is not supported. |
| master.password.field.repeatLimit=3 | This indicates the number of password changes required before you can reuse a password. |
Prompting for the Master Password at Server Initialization
To prompt for the master password at server initialization, use the following properties. Use these properties only if you want API Gateway to prompt for the password at server initialization (that is, you specify false for master.password.storeInFile). If you do not want API Gateway to prompt for the password at server initialization, make sure these two properties are commented out.
| Property | Description |
| --- | --- |
| #master.password.field.useGUI=true | Specify true to prompt for the password in a pop-up window. If you select this method, you can start the server from the Windows start menu. This is the default if master.password.storeInFile is set to false. |
| #master.password.field.attemptsLimit=3 | This indicates the number of unsuccessful login attempts permitted before API Gateway rejects the request. |
You cannot configure API Gateway to prompt for the master password at server initialization if:
* API Gateway runs as a Windows service.
* API Gateway runs as a background application on UNIX.