Nav
You are viewing an older version of this section. Click here to navigate to the latest version.

Encrypting the MMC Tracking Database Password

Enterprise Edition

The Management Console can store Business Events information in a local or remote database. By default, the credentials of this database are stored unencrypted in local configuration files. To avoid storing these credentials in plain text, you can encrypt them using the Jasypt encryption library.

Implementing this configuration entails the following tasks:

You encrypt the password using Jasypt, and provide the encrypted value and other parameters to the Management Console. On user authentication, the Management Console will use Jasypt to decrypt the user password.

The configuration described in this page stores decryption parameters in Management Console configuration files. An attacker with access to these files could decrypt the user password using these parameters. To avoid this security risk, you can integrate Jasypt with Spring 3.0 and store decryption parameters as environment variables. For details, see integrating Jasypt with Spring 3.0.

Downloading And Installing the Encryption Library

Jasypt is an easy-to-use Java library that provides basic encryption capabilities. It is free software, licensed under the Apache Software License.

To install Jasypt in the Management Console, complete the following steps:

  1. Download the latest version (currently 1.9.0) from Jasypt’s download page. Jasypt downloads as a .zip file called jasypt-1.9.0-dist.zip.

  2. Unzip the file jasypt-1.9.0-dist.zip, which expands to the directory jasypt-1.9.0.

  3. Copy the files  jasypt-1.9.0.jar and jasypt-spring3-1.9.0.jar to the directory <MMC installation path>/WEB-INF/lib. You will find these files in the jasypt-1.9.0/lib directory.

Encrypting the Password

To encrypt a password, run the script encrypt.sh (or encrypt.bat if on a Windows system). You can find the script in the bin subdirectory of the jasypt-1.9.0 directory.


         
      
1
<path to file>/encrypt.sh input="valueToEncrypt" password=MYPASS algorithm=PBEWithMD5AndDES
Script parameter Description

input

The value to encrypt. This is the actual password you wish to encrypt.

password

The string used for encrypting input. This is not the password, but the phrase used to encrypt the password. The password itself is provided in the input parameter.

algorithm

The algorithm to use for encryption.

The script shows the encrypted password on standard output, as shown in the example below.


         
      
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
pedro@xubuntu: /home/pedro/jasypt-1.9.0/bin/encrypt.sh input="valueToEncrypt" password=MYPASS algorithm=PBEWithMD5AndDES
 
----ENVIRONMENT-----------------
 
Runtime: Sun Microsystems Inc. OpenJDK 64-Bit Server VM 20.0-b12
 
----ARGUMENTS-------------------
 
algorithm: PBEWithMD5AndDES
input: valueToEncrypt
password: MYPASS
 
----OUTPUT----------------------
 
NdPn1skzduJFjGaIOY53pMALTgped0zX
 
pedro@xubuntu:bin$

Note that if on a Unix or Unix-based system, you need to set execute permissions for encrypt.sh to be able to run it.

How to apply execute permissions on Unix systems

To set execute permissions for the encrypt.sh script, run the following command:

For example:

This command adds execute permission for all users (file owner, file owner’s group, and other users).

Copy the encrypted output and store it in a convenient location, such as a text file of your choosing. You will need to copy this value to the tracker.properties file, as detailed in the File tracking.properties section.

For more information about encrypt.sh, including other usage samples, see Jasypt’s CLI Tools page.

Configuring the Management Console

File tracking.properties

Create a file called tracking.properties, and place it in <MMC Home>/WEB-INF/classes/META-INF. Add to it the line shown below, replacing <encoded_value> for the encrypted value displayed by the encrypt.sh script.


          
       
1
tracking.password=ENC(<encoded_value>)

Using the value obtained the example Encrypting the Password, the tracking.properties would look like the following line.


          
       
1
tracking.password=ENC(NdPn1skzduJFjGaIOY53pMALTgped0zX)

File applicationContext.tracking.xml

Locate the file <MMC Home>/WEB-INF/classes/META-INF/applicationContext-tracking.xml, then complete the following steps:

  1. In the file, locate the bean called dataSource, then modified password value as shown below.

    
                 
              
    1
    
    <property name="password" value="${tracking.password}" />

    The value of {$tracking.password} will be read from the tracking.properties files.

  2. Add the beans listed below to the file contents.


          
       
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<bean id="propertyConfigurer" class="org.jasypt.spring3.properties.EncryptablePropertyPlaceholderConfigurer">
        <constructor-arg ref="configurationEncryptor" />
        <property name="locations">
          <list>
              <value>classpath:META-INF/tracker.properties</value>
          </list>
       </property> 
       <property name="ignoreUnresolvablePlaceholders" value="true"/>
    </bean>
 
     <bean id="encryptorConfig" class="org.jasypt.encryption.pbe.config.SimplePBEConfig">
         <property name="algorithm" value="PBEWithMD5AndDES" />
         <property name="password" value="MYPASS" />
     </bean>
 
      <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
        <property name="config" ref="encryptorConfig" />
     </bean>

After completing the preceding steps, restart the Management Console for the changes to take effect.

To avoid storing the passphrase on the Management Console configuration files, you can integrate Jasypt with Spring 3.0 and store decryption parameters as environment variables. For details, see integrating Jasypt with Spring 3.0.

For details on configuring the Management Console to use LDAP for user authentication, see Setting Up and Managing Users via LDAP.

If you wish to encrypt user passwords, but do not use LDAP for user authentication, see Encrypting MMC User Passwords.