Chapter 8 Managing system users and groups
Nortel Secure Network Access Switch 4050 User Guide
7 Apply the changes.

>> User cert_admin# apply
Changes applied successfully.

8 Let the Certificate Administrator user define an export passphrase.

>> User cert_admin# ../caphrase
Enter new passphrase:
Re-enter to confirm:
Passphrase changed.

This step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. If the admin user is removed from the certadmin group (as in Step 9), a Certificate Administrator export passphrase (caphrase) must be defined.

As long as the admin user is a member of the certadmin group (the default configuration), the admin user is prompted for an export passphrase each time a configuration backup that contains private keys is sent to a TFTP/FTP/SCP/SFTP server (command: /cfg/ptcfg). When the admin user is not a member of the certadmin group, the export passphrase defined by the Certificate Administrator is used instead to encrypt private keys in the configuration backup. The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user, without prompting. When the configuration backup is restored, the Certificate Administrator must enter the correct export passphrase.

The export passphrase defined by the Certificate Administrator remains the same until changed by using the /cfg/sys/user/caphrase command. For users who are not members of the certadmin group, the caphrase command in the User menu is hidden. Only users who are members of the certadmin group should know the export passphrase. The export passphrase can contain spaces and is case sensitive.

Note: If the export passphrase defined by the Certificate Administrator is lost, configuration backups made by the admin user while he or she was not a member of the certadmin group cannot be restored.