Nav
You are viewing an older version of this section. Click here to navigate to the latest version.

Encrypting the MMC LDAP Password

Enterprise Edition

By default, the Management Console, when configured to use LDAP for user authentication, stores unencrypted LDAP credentials in plain text configuration files. To avoid this security risk, you can configure the Management Console to store encrypted LDAP passwords, and to decrypt them using the Jasypt encryption library.

Implementing this configuration entails the following tasks:

You encrypt the password using Jasypt, and provide the encrypted value and other parameters to the Management Console. On user authentication, the Management Console will use Jasypt to decrypt the user password.

If you wish to encrypt user passwords, but do not use LDAP for user authentication, see Encrypting MMC User Passwords.
The configuration described in this page stores decryption parameters in Management Console configuration files. An attacker with access to these files could decrypt the user password using these parameters. To avoid this security risk, you can integrate Jasypt with Spring 3.0 and store decryption parameters as environment variables. For details, see integrating Jasypt with Spring 3.0.

Downloading And Installing the Encryption Library

Jasypt is an easy-to-use Java library that provides basic encryption capabilities. It is free software, licensed under the Apache Software License.

To install Jasypt in the Management Console, complete the following steps:

  1. Download the latest version (currently 1.9.0) from Jasypt’s download page. Jasypt downloads as a .zip file called jasypt-1.9.0-dist.zip.

  2. Unzip the file jasypt-1.9.0-dist.zip, which expands to the directory jasypt-1.9.0.

  3. Copy the files  jasypt-1.9.0.jar and jasypt-spring3-1.9.0.jar to the directory <MMC installation path>/WEB-INF/lib. You will find these files in the jasypt-1.9.0/lib directory.

Encrypting the Password

To encrypt a password, run the script encrypt.sh (or encrypt.bat if on a Windows system). You can find the script in the bin subdirectory of the jasypt-1.9.0 directory.


         
      
1
<path to file>/encrypt.sh input="valueToEncrypt" password=MYPASS algorithm=PBEWithMD5AndDES
Script parameter Description

input

The value to encrypt. This is the actual LDAP password you wish to encrypt.

password

The string used for encrypting input. This is not the LDAP password, but the phrase used to encrypt the password. The password itself is provided in the input parameter.

algorithm

The algorithm to use for encryption.

The script shows the encrypted password on standard output, as shown in the example below.


         
      
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
pedro@xubuntu: /home/pedro/jasypt-1.9.0/bin/encrypt.sh input="valueToEncrypt" password=MYPASS algorithm=PBEWithMD5AndDES
 
----ENVIRONMENT-----------------
 
Runtime: Sun Microsystems Inc. OpenJDK 64-Bit Server VM 20.0-b12
 
----ARGUMENTS-------------------
 
algorithm: PBEWithMD5AndDES
input: valueToEncrypt
password: MYPASS
 
----OUTPUT----------------------
 
NdPn1skzduJFjGaIOY53pMALTgped0zX
 
pedro@xubuntu:bin$

Note that if on a Unix or Unix-based system, you need to set execute permissions for encrypt.sh to be able to run it.

How to apply execute permissions on Unix systems

To set execute permissions for the encrypt.sh script, run the following command:


              
           
1
chmod a+x <path to file>encrypt.sh

For example:


              
           
1
chmod a+x /home/mary/jasypt-1.9.0/bin/encrypt.sh

This command adds execute permission for all users (file owner, file owner’s group, and other users).

Copy the encrypted output and store it in a convenient location, such as a text file of your choosing. You will need to copy this value to the mmc-ldap.properties file, as detailed in the File mmc-ldap.properties section.

For more information about encrypt.sh, including other usage samples, see Jasypt’s CLI Tools page.

Configuring the Management Console

File applicationContext.ldap.xml

Locate the file <MMC Home>/WEB-INF/classes/META-INF/applicationContext.ldap.xml, then add to it the bean listed below. Note that this bean must be the first bean in the file.


          
       
1
2
3
4
5
6
7
8
9
<bean id="propertyConfigurer" class="org.jasypt.spring3.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg ref="configurationEncryptor" />
    <property name="locations">
      <list>
          <value>/WEB-INF/classes/mmc-ldap.properties</value>
      </list>
   </property> 
   <property name="ignoreUnresolvablePlaceholders" value="true"/>
</bean>

File ldap.xml

Locate the file <MMC Home>/WEB-INF/classes/META-INF/ldap.xml, then add to it the beans listed below. Note that the value for property password must be the same you gave to the encrypt.sh script as the password parameter. In the example provided in the Encrypting the Password section, the value is MYPASS.


          
       
1
2
3
4
5
6
7
<bean id="encryptorConfig" class="org.jasypt.encryption.pbe.config.SimplePBEConfig">
    <property name="algorithm" value="PBEWithMD5AndDES" />
    <property name="password" value="MYPASS" />
 </bean>
  <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config" ref="encryptorConfig" />
</bean>

File mmc-ldap.properties

Locate the file <MMC Home>/apps/mmc/webapps/mmc/WEB-INF/classes/mmc-ldap.properties. Edit this file to include the output of the encrypt.sh script as the value of the password parameter, as shown below.


          
       
1
password=ENC(NdPn1skzduJFjGaIOY53pMALTgped0zX)

Note that the encrypted value is surrounded by ENC(). This indicates that the value is encrypted, and must be processed by the Jasypt library while Spring constructs the bean.

The mmc-ldap.properties file will be similar to the code shown below.


          
       
1
2
3
4
5
6
7
8
9
10
11
providerURL=ldaps://192.168.1.14:636/
userDn=cn=sb,ou=people,dc=example,dc=com
password=ENC(NdPn1skzduJFjGaIOY53pMALTgped0zX)
usernameAttribute=cn
userSearchBaseContext=ou=people,dc=example,dc=com
userSearchFilterExpression=(cn={0})
userSearchBase=ou=people,dc=example,dc=com
userSearchAttributeKey=objectclass 
userSearchAttributeValue=person
roleDn=ou=groups,dc=example,dc=com
groupSearchFilter=(uniqueMember={0})

After completing the preceding steps, restart the Management Console for the changes to take effect.

To avoid storing the passphrase on the Management Console configuration files, you can integrate Jasypt with Spring 3.0 and store decryption parameters as environment variables. For details, see integrating Jasypt with Spring 3.0.

For details on configuring the Management Console to use LDAP for user authentication, see Setting Up and Managing Users via LDAP.

If you wish to encrypt user passwords, but do not use LDAP for user authentication, see Encrypting MMC User Passwords.