Skip to content


The passwords and passphrases (such as LDAP server passwords) used by the Management and Security Server are stored in an encrypted keychain. The keychain file is located in MSSData/keychain.bcfks.

At server startup, the keychain file is unlocked for use by the Management and Security Server.

If you wish to change the default keychain settings, be sure to read the CAUTIONS before you proceed.

  • Check Use a keychain password file to allow unattended server startup

    Checked by default, this setting enables unattended startup of the Management and Security Server. The keychain password is written to the keychain password file, MSSData/keychain.pwd.

    On subsequent server startup or restart, the keychain password is read from the keychain password file, and the keychain is unlocked without needing additional action by the administrator.


    The system administrator MUST restrict the file system permissions for the keychain.bcfks and keychain.pwd files to only Read/Write access by root and the process that runs the Management and Security Server. All other access to these files must be denied.


    When this option is not checked, the keychain must be manually unlocked. The system administrator must run the Keychain Utility application, available from the Start menu, and enter the keychain password. (The Keychain Utility is installed with Management and Security Server.)

  • Keychain port for submitting the unlock password

    This setting defines the port number that the keychain service listens on. To change the default port (12797), enter a local port number from 1 to 65535. Or, enter 0 to allow a random port assignment.

    When the keychain must be manually unlocked, this port is accessed by the Keychain Utility.

  • To change the keychain password:

    1. Enter the Existing password for unlocking the keychain file. The default password is changeit.

    2. Enter and Confirm your new keychain password. The keychain password is case-sensitive.


When using Clustering, the keychain is replicated, but the keychain password is not replicated.

Each server in a cluster has its own password to encrypt/decrypt the keychain. Changing the keychain password on the MASTER server will not change the password on the other nodes in the cluster. As a result, the system administrator will need to keep track of each server’s password.

If the administrator chooses to run in attended mode, where the Keychain Utility is used to specify the keychain password for the server during startup, the administrator will need to enter the unique password for each server on the cluster.