15.2 Securing User Credentials

You can take precautions to ensure that authentication credentials (usernames and passwords) are securely stored and retrieved when using the migration tool.

15.2.1 How User Credentials Are Stored During a Migration

By default, neither the migration GUI utilities (File System Migration Utility) nor the command line tools (mls, migfiles, etc.) store the usernames and passwords entered by the user running the migration.

Migration GUI Utilities

The migration GUI utilities do not use OES Credential Store (OCS), nor do they store user credentials in any file format. Rather, the utilities accept the user credentials entered for the source server and target server and, after validating them (via secure or non-secure LDAP authentication), the utilities store this information in a proprietary cache. These credentials are used by the applications to execute various migration-related operations. For example:

  • To retrieve NetWare source volumes, the File System Migration Utility issues an nwmap command.

  • To carry out migrations, the GUI utilities execute the required migration commands (mls, migfiles, maprights, maptrustees, etc.).

The migration utility cache is flushed when the applications are closed.

In a saved migration project, only the IP addresses of the source and target servers, the volume names, and any other migration options are stored in the .xml configuration file. Credentials are not saved with the project: when you open and rerun a saved project, you are prompted to reenter them.

15.2.2 How Credentials Are Passed from the Migration GUI Utilities to the Migration Commands

The GUI utilities execute migration commands within their own process context and, whenever credentials are required or prompted for, pass them through their process APIs, which can be hidden from the user. The GUI applications neither set the credentials in environment variables nor use the OES Credential Store (OCS), even though the migration commands provide the option.

To pass credentials to the migration commands, the GUI utilities open a terminal connected to the standard input and feed in the password to the command line prompt.
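The following added example (not code from the migration tools) shows the same pattern on Linux: a parent answers a child's password prompt over a pseudo-terminal, then checks that the secret is absent from the child's environment, its argument list (an extra check beyond what the text states), and the terminal transcript. The child is a constructed stand-in, not a real migration command, and the password is a sample value.

```python
import hashlib, os, pty, select, sys

# Constructed stand-in for a migration command (not a real OES tool): it prompts
# on its controlling terminal, reads a password without echo, and prints a digest.
CHILD = ("import getpass, hashlib; p = getpass.getpass('Password: '); "
         "print('sha256=' + hashlib.sha256(p.encode()).hexdigest())")

def _read_until(fd, marker, timeout=10.0):
    """Collect pty output until marker appears (or until EOF if marker is None)."""
    buf = b""
    while marker is None or marker not in buf:
        ready, _, _ = select.select([fd], [], [], timeout)
        if not ready:
            raise TimeoutError("child produced no output")
        try:
            chunk = os.read(fd, 1024)
        except OSError:            # Linux reports EIO once the child closes the pty
            break
        if not chunk:
            break
        buf += chunk
    return buf

def _proc_bytes(pid, name):
    """Return /proc/<pid>/<name>, or b'' where procfs is unavailable."""
    try:
        with open(f"/proc/{pid}/{name}", "rb") as f:
            return f.read()
    except OSError:
        return b""

def feed_password(password):
    """Run the child on a pty, answer its prompt, report where the secret was visible."""
    secret = password.encode()
    pid, fd = pty.fork()                          # child gets the pty as its terminal
    if pid == 0:
        os.execv(sys.executable, [sys.executable, "-c", CHILD])
    transcript = _read_until(fd, b"Password: ")   # getpass disables echo before prompting
    exposure = {"argv": secret in _proc_bytes(pid, "cmdline"),
                "environ": secret in _proc_bytes(pid, "environ")}
    os.write(fd, secret + b"\n")                  # typed into the prompt, as a user would
    transcript += _read_until(fd, None)
    os.close(fd)
    os.waitpid(pid, 0)
    exposure["echoed"] = secret in transcript
    digest_ok = hashlib.sha256(secret).hexdigest().encode() in transcript
    return digest_ok, exposure

if __name__ == "__main__":
    print(feed_password("constructed-Secret-123"))
```

Waiting for the prompt before writing matters: the child turns echo off and flushes pending terminal input just before it prompts, so a password written earlier would be discarded or echoed back.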

15.2.3 Managing Credential Storage with migcred

As mentioned previously, administrators can choose to store user credentials in OCS so that they are not prompted for usernames and passwords every time they perform a migration task.

You can use the migcred command to control and manage what is stored in OCS. This command provides options to store and view information for a particular identity. With the necessary user credentials stored in OCS, usernames and passwords can be retrieved as needed by other migration commands.