The onkstash Utility

Use the onkstash utility to create a password stash file for an existing PKCS#12 keystore.

A password stash file allows database clients or the database server itself access to their respective keystore without the inconvenience for the user to supply the password every time.

The onkstash utility accepts the file name of a PKCS#12 keystore (ending with extension ".p12") and the password for this keystore. It writes the password in an encrypted format to the password stash file. The name of this stash file is same as the keystore filename, but with the extension ".stl".

If the password for a keystore gets changed, the new password must be stashed again using the onkstash utility. If a password stash file exist with the old keystore password, then it is overwritten with the new password in an encrypted format.


onkstash <keystore file> <password>

where <keystore file> is the name of the PKCS#12 keystore file, and <password> is the current password for the keystore.


The onkstash utility determines the file name for the password stash file from the name of the keystore file. It checks if the given password is correct and then writes it in an encrypted format to the stash file.

If the password stash file gets created by onkstash, the file access permissions are set to 600. If the password stash file already exists, the permissions are not changed. It is recommended to check the permissions for the keystore file as well as for the password stash file, and correct them if deemed necessary.

In addition to stashing the keystore password, the onkstash utility can also provide the version of the encryption library used. Run the command "onkstash -version" to determine, whether GSKit or OpenSSL is used as encryption library and the version of that library.

Copyright© 2020 HCL Technologies Limited