Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Recover your Domino SSL Keystore password

Thomas Hampel
27 February 2013

In a situation where you need to verify the contents of a Domino SSL key ring file (*.kyr), it is very useful to know the password to that key ring.
Unfortunately that is not always the case, e.g. when inheriting a server for which no documentation exists, or simply when you have forgotten the password.

In order to recover the password in clear text, just enable the debug parameter SSL_TRACE_KEYFILEREAD=1 in the Notes.ini.
To avoid any impact on production, you might want to do this in an isolated environment such as a freshly installed Domino server or a test server you already have.

So this is what you have to do:
  1. Install a new isolated Domino server (or use a test server of your choice)
  2. Copy the *.kyr + *.sth file from the production server to the new server
  3. Configure the HTTP task to make use of this key ring file, by updating the server document/internet ports, or by updating the internet site / security configuration.
  4. Enable the Notes.ini parameter by typing this command at the server's console
    set config SSL_TRACE_KEYFILEREAD=1
  5. Restart the HTTP task
    tell http restart
  6. Watch the console to obtain the password in plain text:

ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for trusted roots
ReadKeyfile> Found trusted roots
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for cert chain
ReadKeyfile> Got cert chain
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for private key
ReadKeyfile> Decoding keys
ReadKeyfile> Keys decoded
ReadKeyfile> Exit status = 0
HTTP Server: Using Internet Site Configuration View

Now you can use the Domino Server Certificate Authority application to take a closer look into the *.kyr file.
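Because the trace writes the key ring password to the console log in clear text, the parameter should be switched off again and the log cleaned up once you have what you need. The following script is an added example (not part of the original post) that checks a notes.ini fragment for a still-enabled SSL_TRACE_KEYFILEREAD, locates "ReadKeyfile> Password is" lines in a console log excerpt, and produces a redacted copy; the notes.ini and console.log contents below are constructed samples.

```python
import re

# Constructed notes.ini fragment: the debug parameter was left enabled.
SAMPLE_NOTES_INI = """ServerTasks=Update,Replica,Router,AMgr,Adminp,HTTP
SSL_TRACE_KEYFILEREAD=1
KeyFilename=server.id
"""

# Constructed console.log excerpt in the ReadKeyfile> format shown above.
SAMPLE_CONSOLE_LOG = """ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Exit status = 0
HTTP Server: Using Internet Site Configuration View
"""

# Matches the parameter name and captures its value (notes.ini keys are case-insensitive).
TRACE_RE = re.compile(r"^[ \t]*SSL_TRACE_KEYFILEREAD[ \t]*=[ \t]*(\S+)",
                      re.IGNORECASE | re.MULTILINE)
# Matches the trace line that carries the password; group 1 is the prefix, group 2 the secret.
LEAK_RE = re.compile(r"^(.*ReadKeyfile>[ \t]*Password is[ \t]+)(\S+)[ \t]*$", re.MULTILINE)


def trace_enabled(notes_ini: str) -> bool:
    """True if SSL_TRACE_KEYFILEREAD is present with any value other than 0."""
    m = TRACE_RE.search(notes_ini)
    return bool(m) and m.group(1) != "0"


def find_password_leaks(console_log: str) -> list:
    """Return 1-based line numbers of console lines that print the key ring password."""
    return [n for n, line in enumerate(console_log.splitlines(), 1)
            if LEAK_RE.match(line)]


def redact_leaks(console_log: str) -> str:
    """Return a copy of the log with the password replaced, suitable for keeping or sharing."""
    return LEAK_RE.sub(lambda m: m.group(1) + "<REDACTED>", console_log)


if __name__ == "__main__":
    print("trace still enabled:", trace_enabled(SAMPLE_NOTES_INI))
    print("leaking lines:", find_password_leaks(SAMPLE_CONSOLE_LOG))
    print(redact_leaks(SAMPLE_CONSOLE_LOG))
```

The trace output also shows that the password is recovered from the stash file (*.sth), so anyone who can read that file alongside the key ring can repeat this procedure; file permissions on *.sth deserve the same care as on the *.kyr itself.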
Tagged with: Domino Security