Encrypting MMC User Passwords

Enterprise Edition

The Management Console stores user names and passwords in plain text, in the persistent information database in the mmc-data directory. To avoid storing user names and passwords in plain text, you can encrypt user names and passwords.

The instructions on this page detail how to run a provided Groovy script to encrypt existing user passwords, and update the database accordingly.

This method does not apply to LDAP authentication, but only to the default authentication configuration for the Management Console. If you wish to encrypt user passwords in an LDAP authentication configuration, see Encrypting the MMC LDAP Password.

Configuring the Management Console

This section details how to configure the Management Console to encrypt existing user passwords in its persistent database.

Before modifying the configuration files listed below, ensure that the Management Console is not running.

File applicationContext-spring-security.xml

Locate the file <MMC Home>/WEB-INF/classes/META-INF/applicationContext-spring-security.xml. In this file, find the bean passwordEncoder, and edit it as shown below.

<bean id="passwordEncoder" class=""/>
The above example uses the SHA password encoder; you may use another encoding if desired. Spring includes several options, such as the Md5PasswordEncoder.

File applicationContext-core.xml

Locate the file <MMC Home>/WEB-INF/classes/META-INF/applicationContext-core.xml. In this file, find the bean userManager, and edit is as shown below.

<bean id="userManager" class="" init-method="initialize">
    <property name="sessionFactory" ref="sessionFactory" />
    <property name="passwordEncoder" ref="passwordEncoder" />
    <property name="salt" value="" />

After modifying the configuration files, complete the following steps:

  1. Download and unpack the file When you unpack it, the file expands to a directory with two files, mmc-encrypter-1.0.jar and autorun.groovy.script.

  2. Copy the file mmc-encrypter-1.0.jar to <MMC_HOME>/WEB-INF/lib.

  3. Copy the script autorun.groovy.script to the directory you are running the Management Console from. For example, if using Tomcat, copy the script to <Tomcat home>/bin.

  4. Start the Management Console.

Starting the Management Console will run, then automatically remove, autorun.groovy.script.

The Groovy script migrates all plain-text user passwords to their encrypted values, and updates the database with these values.

To ensure the update completed successfully, search the logs for the following entry:

>>>>>>>>>>> Passwords updated successfully

The Groovy script should have been automatically removed after you started the Management Console. If the script has not been removed, remove it manually.