Key file and stash file renewal information
Servers have associated key files and stash files. The following table describes the server key and stash files, including how they are created and refreshed.
| Server | Key and stash files | How created | How automatically updated | How manually updated |
|---|---|---|---|---|
| SVA runtime package | pd.kdb and pd.sth (does not contain a client-side certificate) | runtime configuration | pdadmin¹ utility | bassslcfg utility with -chgpwd |
| Policy server | ivmgrd.kdb and ivmgrd.sth | server configuration | pdmgrd¹ ² | mgrsslcfg with -chgpwd³ and -chgcert³ |
| Proxy server | pdmgrproxyd.kdb and pdmgrproxyd.sth | server configuration | pdmgrproxyd¹ | svrsslcfg with -chgpwd⁹ and -chgcert⁵ |
| Authorization server | [instance-]ivacld.kdb and [instance-]ivacld.sth. Each authorization server on a computer generates its own set of .kdb and .sth files. | server configuration | pdacld¹ | svrsslcfg with -chgpwd⁴ and -chgcert⁵ |
| Resource manager | Key and stash file names are resource manager-dependent; the file name is configurable.⁶ | svrsslcfg with -config | Run an instance of the resource manager¹ | svrsslcfg utility with -chgpwd⁷ and -chgcert⁸ |
Notes
1. We can turn off automatic certificate and password refresh by setting the ssl-auto-refresh stanza entry to no in the [ssl] stanza in the respective configuration file.
2. Because the policy server also acts as the certificate authority (CA) for the secure domain, it must be recycled after a refresh. It continues to operate normally until it is recycled, but it cannot issue or renew certificates for other servers until it is recycled. The policy server log file contains a message that states when to restart the server.
3. Before running, stop the policy server.
4. Before running, stop the authorization server.
5. Before running, the policy server must be running. Stop the authorization server.
6. Java™ resource managers have an equivalent to key files, known as Java keystores, where the application personal certificate and the PDCA certificate are stored. Java resource managers do not have a stash file equivalent. The names of keystores are created by running the Java SvrSslCfg class with the -action config option.
7. Before running, the resource manager must be stopped.
8. Before running, the policy server must be running, and the resource manager must be stopped.
9. Before running, the proxy server must be stopped.
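Added example, not part of this documentation or the product: a Python check that reads a server's [ssl] stanza, reports whether the server relies on manual renewal (ssl-auto-refresh set to no, as note 1 describes) and flags a stash file that is readable beyond its owner, since the stash file holds the key database password. The ssl-keyfile and ssl-keyfile-stash entry names, the sample paths and the permission rule are assumptions made for this example.

```python
import configparser
import os
import stat

# Constructed sample [ssl] stanza. The ssl-keyfile and ssl-keyfile-stash
# entry names and the paths are assumptions for this example.
SAMPLE_CONFIG = """\
[ssl]
ssl-auto-refresh = no
ssl-keyfile = /var/PolicyDirector/keytab/pdmgrproxyd.kdb
ssl-keyfile-stash = /var/PolicyDirector/keytab/pdmgrproxyd.sth
"""


def parse_ssl_stanza(text):
    """Return the entries of the [ssl] stanza as a dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["ssl"]) if cp.has_section("ssl") else {}


def auto_refresh_enabled(ssl):
    """Automatic refresh is off only when ssl-auto-refresh is set to no."""
    return ssl.get("ssl-auto-refresh", "yes").strip().lower() != "no"


def stash_mode_issues(mode):
    """Flag a stash file that group or others can read or write.

    The stash file holds the .kdb password, so any access beyond the
    owner exposes every certificate and private key in that key file.
    """
    issues = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append("stash readable by group/other")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("stash writable by group/other")
    return issues


def renewal_report(config_text, stat_fn=os.stat):
    """Summarise how a server's key and stash files are kept current.

    stat_fn is injectable so the report can be built without real files.
    """
    ssl = parse_ssl_stanza(config_text)
    report = {"auto_refresh": auto_refresh_enabled(ssl),
              "keyfile": ssl.get("ssl-keyfile"),
              "stash": ssl.get("ssl-keyfile-stash"), "issues": []}
    if not report["auto_refresh"]:
        report["issues"].append("manual renewal required (-chgpwd/-chgcert)")
    if report["stash"]:
        try:
            mode = stat.S_IMODE(stat_fn(report["stash"]).st_mode)
            report["issues"] += stash_mode_issues(mode)
        except FileNotFoundError:
            report["issues"].append("stash file missing: " + report["stash"])
    return report
```

Run it against each server's configuration file to list which servers must be renewed by hand before their certificates expire.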
Parent topic: Certificate and password management