Keystore File Password Security

The keystore password is sensitive information, and keeping it secure is critical to the security of your realm server. You can supply a keystore password in any of four ways, which vary in the level of protection they provide for the password.

Password Scope

The keystore password encrypts the key files. For maximum security, use a different password for each primary, satellite, and backup realm server, so that disclosure of one server's password does not expose the key files of the others.

Password Argument

When you supply a keystore password as a realm server command line argument, that argument is visible to casual observers. For example, command line arguments appear in the output of the UNIX ps command (and in /proc/<pid>/cmdline on Linux), which any local user can read, and a command typed at an interactive shell is also recorded in that shell's history file.

You can supply the password in any of the following four forms. Each form results in a different level of security for the password, along with associated precautions you must take. Choose exactly one form.

stdin

This form can provide maximum security: after the realm server has read the password from stdin, it is no longer visible to anyone.

You can pipe the password to the realm server executable through stdin. For example, in UNIX environments, you could use this command line:

echo my_password | tibrealmserver ... --secure stdin

Note that a literal password typed at an interactive prompt in this way is still recorded in the shell's history file. You could instead use an encrypted password management application to supply the password to stdin. In this scenario, the password is not visible during any task step.

file:file_path

This form can provide excellent security: only the file path is visible to observers.

You must create a text file that contains only the password itself, store that file on the file system of the realm server's host computer, and ensure the security of that file (for example, make it readable only by the user account that runs the realm server).

env:environment_var

This form can provide excellent security: only the variable name is visible in the command line.

You must set an environment variable in the shell where you run the realm server. The value of that variable is the password string. You must ensure that only authorized personnel have access to that shell, because the environment of a running process can be read by the same user account and by root.

pass:password

Warning: With this form the password remains in the process command line, which is visible to casual observers. Do not use this form except during development and early testing phases.

Each of these forms is also available if you supply the argument in a configuration file property. If the configuration file is secure, then even the pass:password form is equivalent to the file:file_path form, because the configuration file itself becomes the protected file that holds the password.
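The following script is an added example and is not part of the TIBCO FTL documentation or the realm server's own code. A stand-in shell process plays the role of tibrealmserver so that the script runs anywhere; the --secure flag and the pass:, file:, env: and stdin forms are copied from the syntax above only to mimic the server's command line, and the password and file names are constructed. It shows two checks a practitioner wants before choosing a form: creating the file for file:file_path with owner-only permissions and verifying that, and observing which forms leave the password in the process list as ps shows it to every local user.

```shell
#!/bin/sh
# Added example (not TIBCO code). A stand-in shell process mimics
# "tibrealmserver ARGS..." so that the checks run on any UNIX host.

# Succeed only if FILE exists and has mode rw------- (no group/other access).
password_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Write PASSWORD as the sole content of FILE, created with mode 0600.
make_password_file() {
    file=$1; password=$2
    old_umask=$(umask)
    umask 077                     # files created from here on are rw-------
    rm -f "$file"                 # never append to or reuse an existing file
    printf '%s\n' "$password" > "$file"
    chmod 600 "$file"             # belt and braces
    umask "$old_umask"
    password_file_is_private "$file"
}

# Read the password back the way a consumer of file:file_path would:
# first line only, trailing newline stripped, backslashes left untouched.
read_password_file() {
    IFS= read -r line < "$1" && printf '%s' "$line"
}

# Launch the stand-in "tibrealmserver" with ARGS and print its command line
# as any local user would see it. The stand-in is a shell whose only job is
# to report its own argument vector ($$ is its pid); stdin and environment
# are inherited, so a piped or exported password reaches it just as it would
# reach the real server, without the stand-in ever printing it.
visible_command_line() {
    sh -c 'if [ -r "/proc/$$/cmdline" ]; then tr "\000" " " < "/proc/$$/cmdline"; else ps -o args= -p "$$"; fi' \
        tibrealmserver "$@"
}

# Print "exposed" if SECRET appears in the command line that ARGS produce,
# "hidden" otherwise.
password_visibility() {
    secret=$1; shift
    if visible_command_line "$@" | grep -qF -- "$secret"; then
        echo exposed
    else
        echo hidden
    fi
}

# Demonstration with a constructed password and a throwaway directory.
pw='k3ystore-example-pw'
dir=$(mktemp -d)
make_password_file "$dir/keystore.pw" "$pw"
printf 'pass:  %s\n' "$(password_visibility "$pw" --secure "pass:$pw")"
printf 'file:  %s\n' "$(password_visibility "$pw" --secure "file:$dir/keystore.pw")"
# env: hides the value from ps, but /proc/<pid>/environ is still readable by
# the same user and by root, which is why the shell itself must be protected.
export KEYSTORE_PASSWORD="$pw"
printf 'env:   %s\n' "$(password_visibility "$pw" --secure env:KEYSTORE_PASSWORD)"
unset KEYSTORE_PASSWORD
printf 'stdin: %s\n' "$(printf '%s\n' "$pw" | password_visibility "$pw" --secure stdin)"
rm -rf "$dir"
```

Only the pass: form reports "exposed"; the other three keep the password out of the argument vector, which is exactly the difference the table above describes. The stdin probe still puts the literal password on the script's own command line only inside printf, a shell builtin, so nothing new is forked with it; an interactive shell would nevertheless write that line to its history, which is the remaining reason to prefer a password manager as the stdin source.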