Encrypting MMC User Passwords
The Management Console stores user names and passwords in plain text, in the persistent information database in the
mmc-data directory. To avoid storing user names and passwords in plain text, you can encrypt user names and passwords.
The instructions on this page detail how to run a provided Groovy script to encrypt existing user passwords, and update the database accordingly.
|This method does not apply to LDAP authentication, but only to the default authentication configuration for the Management Console. If you wish to encrypt user passwords in an LDAP authentication configuration, see Encrypting the MMC LDAP Password.|
This section details how to configure the Management Console to encrypt existing user passwords in its persistent database.
|Before modifying the configuration files listed below, ensure that the Management Console is not running.|
Locate the file
<MMC Home>/WEB-INF/classes/META-INF/applicationContext-spring-security.xml. In this file, find the bean
passwordEncoder, and edit it as shown below.
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
|The above example uses the SHA password encoder; you may use another encoding if desired. Spring includes several options, such as the Md5PasswordEncoder.|
Locate the file
<MMC Home>/WEB-INF/classes/META-INF/applicationContext-core.xml. In this file, find the bean
userManager, and edit it as shown below.
<bean id="userManager" class="com.mule.support.EncryptedUserManagerImpl" init-method="initialize">
    <property name="sessionFactory" ref="sessionFactory" />
    <property name="passwordEncoder" ref="passwordEncoder" />
    <property name="salt" value="" />
</bean>
After modifying the configuration files, complete the following steps:
Download and unpack the MMC password encryption tools. When you unpack it, the file expands to a directory with two files,
Copy the file
Copy the script
autorun.groovy.script to the directory you are running the Management Console from. For example, if using Tomcat, copy the script to
Start the Management Console.
| Starting the Management Console will run, then automatically remove,
The Groovy script migrates all plain-text user passwords to their encrypted values, and updates the database with these values.
To ensure the update completed successfully, search the logs for the following entry:
>>>>>>>>>>> Passwords updated successfully
The Groovy script should have been automatically removed after you started the Management Console. If the script has not been removed, remove it manually.
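The checks described above, scripted as an added example (not part of the original page or of the MMC tooling). The function name is hypothetical, and the MMC home, log file and run directory are passed as arguments because their locations depend on the installation.

```shell
#!/bin/sh
# Added example: post-migration checks for the MMC password encryption steps.
# All locations are supplied by the caller; none are assumed here.

MARKER='>>>>>>>>>>> Passwords updated successfully'
SCRIPT_NAME='autorun.groovy.script'

# verify_mmc_migration MMC_HOME LOG_FILE RUN_DIR   (hypothetical helper)
# Returns 0 if every check passes, otherwise a bitmask:
#   1 = userManager bean does not use EncryptedUserManagerImpl
#   2 = success entry missing from the log
#   4 = migration script still present in the run directory
verify_mmc_migration() {
    mmc_home=$1; log_file=$2; run_dir=$3
    core_xml="$mmc_home/WEB-INF/classes/META-INF/applicationContext-core.xml"
    rc=0

    # The userManager bean must point at the encrypting implementation.
    # -F matches the class name literally (dots are not wildcards).
    if ! grep -qF 'class="com.mule.support.EncryptedUserManagerImpl"' "$core_xml" 2>/dev/null; then
        echo "FAIL: userManager is not EncryptedUserManagerImpl in $core_xml" >&2
        rc=$((rc | 1))
    fi

    # The Groovy script logs this entry once the passwords are migrated.
    if ! grep -qF -- "$MARKER" "$log_file" 2>/dev/null; then
        echo "FAIL: success entry not found in $log_file" >&2
        rc=$((rc | 2))
    fi

    # The script should remove itself on startup; a leftover copy
    # has to be removed manually.
    if [ -e "$run_dir/$SCRIPT_NAME" ]; then
        echo "FAIL: $run_dir/$SCRIPT_NAME still exists; remove it manually" >&2
        rc=$((rc | 4))
    fi

    [ "$rc" -eq 0 ] && echo "OK: migration checks passed"
    return "$rc"
}
```

Call it as `verify_mmc_migration <MMC Home> <log file> <run directory>` after starting the Management Console; a non-zero return value identifies which checks failed.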