If your service keys are encrypted with the master key, the master key’s password must be entered into Adaptive Server, either automatically or manually, depending on how you specify the master key.
If you do not use automatic master key access, you typically enter the master key’s password with set encryption passwd. However, if a service key is required to decrypt the private key password for network listeners during startup, you can supply the master key at the command line, or through a command line prompt.
Use the dataserver . . . -- master_key_password parameter to prompt for a master key password during Adaptive Server startup. The user issuing the --master_key_passwd parameter must know the master key password for the master database and have physical access to the console and keyboard to enter the password.
If you do not include a password, -- master_key_password prompts for password at the command line. For example:
dataserver --master_key_passwd -dd_master -eerrorlog
master_key_passwd:_
The password characters do not appear, and the password is not validated until later in the Adaptive Server start-up sequence.
If you include the password with the --master_key_passwd parameter:
dataserver --master_key_passwd=mysecret -dd_master -eerrorlog
The password, mysecret
,
is blanked out in memory after it is read and used. However, the
clear password is visible until the memory is blanked out.
If you enter the incorrect password, attempts to use service keys fail, and Adaptive Server services that require the service keys remain unavailable. After the server has started, an authorized user can connect and set the master key password in the master database with:
use master go set encryption passwd password for key master go
If you have configured only SSL listeners and you enter the wrong password, Adaptive Server shuts down because it cannot start any listeners.
Sybase recommends that you do not use passwords at the command line because the passwords are visible:
In memory that can be seen with the UNIX ps command,
In memory, on an unattended terminal screen, or on disk in command history buffers and files
On the screen
Sybase encourages customer sites to prompt for passwords to avoid these vulnerabilities when using attended startup.