A customer contacted IBM® Lotus® to report a potential security issue with the usage of Certificate Authority (CA) process commands on the Lotus Domino® server console.
The use of uppercase characters with either the CA "activate" or "unlock" commands on the server console could result in the password being displayed in clear text.
To use the Domino server-based CA process, you must issue several commands at the server console. Both the "activate" command (tell ca activate <certifier number> <password>) and the "unlock" command (tell ca unlock <idfile> <password>) require a password.
Prior to Domino version 6.5.4, the password could be written in clear text to the console.log text file and shown in the Admin panel, depending on the operating system. For more details, refer to Technote # 1167487 "Security Issue with CA Process in Domino 6.x Console on Solaris".
In Domino 6.5.4 or later, it has been found that if any character in the words "ca", "activate", or "unlock" is typed in uppercase, the password is reflected in clear text in the console.log file and the Admin panel.
This issue was reported to Quality Engineering as SPR# KHON738QB6, and has been fixed in Lotus Domino releases 7.0.3 and 8.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino.
In prior releases, enter CA "activate" or "unlock" commands on the console using all lowercase.
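To find console.log entries where a CA password may already have been recorded, and to apply the lowercase workaround to a command before it is sent, the following added example (not IBM code) scans log lines for the two commands in any letter case. The log line layout and sample values are constructed, and the script assumes the echoed command sits on one line; it does not know how a masked password is rendered, so flagged lines still need review.

```python
import re

# The two CA console commands from the technote, matched in any letter case:
#   tell ca activate <certifier number> <password>
#   tell ca unlock <idfile> <password>
CA_CMD = re.compile(
    r"(?P<words>\btell\s+ca\s+(?:activate|unlock))\s+(?P<target>\S+)\s+(?P<secret>\S+)",
    re.IGNORECASE,
)

def scan_console_log(lines):
    """Return one finding per line that carries a CA command plus a password argument.

    The password is never copied into the result; each finding gives the line
    number, a redacted copy of the line, and whether the command words contained
    uppercase (the trigger described for Domino 6.5.4 and later).
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = CA_CMD.search(line)
        if m is None:
            continue
        words = m.group("words")
        findings.append({
            "line": lineno,
            "uppercase_in_command": words != words.lower(),
            "redacted": line[:m.start("secret")] + "<redacted>",
        })
    return findings

def lowercase_ca_command(command):
    """Lowercase only the command words; the id file name and password keep their case."""
    m = CA_CMD.search(command)
    if m is None:
        return command
    return command[:m.start("words")] + words_lower(m) + command[m.end("words"):]

def words_lower(match):
    return match.group("words").lower()

# Constructed sample lines; the timestamp and prompt layout are assumptions.
SAMPLE_LOG = [
    "[01/02/2007 10:00:01] > tell ca activate 1 CONSTRUCTED-pw-0",
    "[01/02/2007 10:05:12] > Tell CA Activate 1 CONSTRUCTED-pw-1",
    "[01/02/2007 10:06:40] > tell ca UNLOCK certs/sales.id CONSTRUCTED-pw-2",
    "[01/02/2007 10:07:00] > tell ca status",
]

if __name__ == "__main__":
    for finding in scan_console_log(SAMPLE_LOG):
        print(finding)
```

A finding with `uppercase_in_command` set to False matters on releases before 6.5.4, where the technote says the password could be logged regardless of case.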