Encrypting passwords in property files on server

By default, all usernames and passwords in properties files are stored in clear text. This is normally OK since the VisionProject servers are located between one or several firewalls or in a DMZ in your network, and only a few people have access

 

However, it is also good practice to encrypt passwords in files so they are not stored in clear text.

 

To do this, follow the instructions below. All passwords are then encrypted with a PGP key, and you need to specify a run-time password at each server startup.

1. Prepare public and private keys

1.1) Create a PGP certificate, i.e. a public and private key pair.

 

We recommend that you use http://www.gpg4win.org. It is a good tool that is easy to use.

 

Detailed step-by-step instructions for creating an encryption key are available at the link below:

http://www.gpg4win.org/doc/en/gpg4win-compendium_12.html

 

Follow the instructions in 7.0 and 7.1

 

You will need to use a secret password that you store somewhere safe. It is also recommended that you back up your certificate somewhere safe.

 

1.2) Export the public key

 

Export the public key from your certificate. 

 

  • In the GPG4Win Kleopatra software, select your certificate in the "My certificates" table
  • Click File -> Export certificates
  • Save it to disk as a *.asc file

 

1.4) Export the private key from your certificate and store it in a file.

 

 

Export the private key from your certificate.

 

  • In the GPG4Win Kleopatra software, select your certificate in the "My certificates" table
  • Click File -> Export secret keys
  • Remember to select the "ASCII armor" checkbox
  • Save it to disk as a *.asc file

 

2. Configure VisionFlow

2.1) Make backups of the files below:

 


 

TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/jobs_installed.xml
TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/spar.properties
TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/visionplatform_mail.properties
TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/visionproject.properties
TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/visionproject_database.properties

 

This is useful the first time: if something goes wrong, you can easily restore the files. Once the system has started, you can remove the backup. Note that the backup copies still contain the passwords in clear text.

 

2.2) Open visionproject.properties, change the encryption properties

 

These are found at the end of the properties file, in the section shown below:


###############################################
######## Encrypt passwords settings ###########
###############################################
# Set true if all passwords in .property and .xml files should be encrypted.
encryptPasswords=true
# Note: never change the setting below manually! Otherwise decryption can stop working and the system will not start
passwordsEncrypted=true
# Path to the public key file
encPublicKeyPath=c:\\dev\\A987AC7B5A40A0C423B59005DC079CBC76EC2A69.asc
# Path to the private key file
encPrivateKeyPath=c:\\dev\\privkey.asc
# Password for the private key
# Note: if encryption is enabled, this property must be filled every time on server restart, because it's cleaned on started
encPrivateKeyPassword=

 

encryptPasswords = should be set to true

 

passwordsEncrypted = this property should never be changed manually, unless you want to re-encrypt your passwords again from scratch. 

 

encPublicKeyPath = this is the full path to the public key file exported in step 1.2 above, for example c:\\myfolder\\A987AC7B5A40A0C423B59005DC079CBC76EC2A69.asc on a Windows server. The OS user that Tomcat runs under must have permission to read this file.

 

encPrivateKeyPath = this is the full path to the private key file exported in step 1.4 above. The OS user that Tomcat runs under must have permission to read this file.

 

encPrivateKeyPassword = the password that was chosen in step 1. Please note that you need to type this in every time you start or restart the server. It is cleared after restart.

 

 

2.3) Start Tomcat as usual.

 

The first time the system starts, it will automatically find all passwords in the configuration files and encrypt them.

 

The system will then start in encrypted mode: all encrypted passwords are decrypted at run time, on demand.

 

If anything goes wrong and the system will not start, restore the backed-up files and start step 2 again. If it still does not work, contact support@visionflow.com and send the log file crypt.log.
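
A consistency check for the settings from step 2.2, as an added example (not VisionFlow code or tooling). It catches swapped or unreadable key files and a private-key password left on disk while the server is running. The function names, the simplified properties parser and the sample paths are assumptions made for the illustration.

```python
ARMOR = {"encPublicKeyPath": "-----BEGIN PGP PUBLIC KEY BLOCK-----",
         "encPrivateKeyPath": "-----BEGIN PGP PRIVATE KEY BLOCK-----"}

def parse_properties(text):
    """Minimal key=value parser for .properties text (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # A backslash is written as "\\" in .properties files
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def read_text(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()

def audit(props_text, read_file=read_text, server_running=True):
    """Return a list of findings; an empty list means the settings look consistent."""
    p, findings = parse_properties(props_text), []
    if p.get("encryptPasswords", "").lower() != "true":
        findings.append("encryptPasswords is not true")
    for prop, header in ARMOR.items():
        path = p.get(prop, "")
        try:
            first = read_file(path).lstrip().splitlines()[0]
        except (OSError, KeyError, IndexError):
            findings.append(f"{prop}: cannot read {path!r}")
            continue
        if first != header:  # wrong key type, or not exported with ASCII armor
            findings.append(f"{prop}: {path!r} does not start with {header}")
    # The page states the password is cleared from the file at startup
    if server_running and p.get("encPrivateKeyPassword"):
        findings.append("encPrivateKeyPassword is still stored on disk")
    return findings

# Constructed sample: key paths swapped, password left in the file
SAMPLE_PROPS = r"""
encryptPasswords=true
encPublicKeyPath=c:\\keys\\priv.asc
encPrivateKeyPath=c:\\keys\\pub.asc
encPrivateKeyPassword=example-only
"""
SAMPLE_FILES = {r"c:\keys\pub.asc": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...",
                r"c:\keys\priv.asc": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n..."}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPS, SAMPLE_FILES.__getitem__):
        print("FINDING:", finding)
```

Against a real installation, call audit() with the contents of visionproject.properties and the default read_file; pass server_running=False when checking the file just before a start, when the password is expected to be filled in.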

