cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Visit the PTCooler (the community lounge) to get to know your fellow community members and check out some of Dale's Friday Humor posts! X

I need to encrypt the passwords stored in the properties files.

minerae
1-Visitor

I need to encrypt the passwords stored in the properties files.

I can not have clear text passwords in any property file(i.e., wt.properties and db.properties). Are there any suggestion on a method or scheme to encrypt/decrypt these passwords. I'm assuming that these passwords get cached during startup so once the server starts the password in the property file can be encrypted until you need to start the server again.
3 REPLIES 3
avillanueva
22-Sapphire II
(To:minerae)

Its been a bit but I used this in one application where I had a password
written to a property file.



String password = props.getString("ftppassword");

try {

PropModifier modifier = new
PropModifier(PropModifier.DESEDE_ENCRYPTION_SCHEME,key);

password=modifier.decrypt(password);

}

catch (PropModException e)

{

logger.debug("Error decrypting password");

}



This is the source for the PropModifyer

wneuman
1-Visitor
(To:minerae)

Andrew -



I'm not sure I would advise any solution where you leave the files
encrypted and temporariliy decrypt when services need to start or
restart. Part of the reason I say this is that it could get complicated
based on the fact that if, e.g., a method server dies the server manager
will automatically start a new one. Thus you may not know exactly when
the file needs to be decrypted.



There are numerous other secure deployments in existence that have been
able to pass security audits despite the cleartext passwords. I believe
the typical solution is to make sure that you lock down the UNIX or NT
permissions on these files appropriately. Some also use drive
encryption technology like windows bitlocker to ensure that when the
property files are at rest, they are encrypted. Perhaps some other
admins with similar security requirements will respond with additional
approaches that they use. You might also consider a tech support call
to see if there are any other documented or recommended practices in
this area.



In Windchill 10, we have plans to encrypt passwords in property files,
minimizing the need for special handling.





Best Regards,

Bill Neuman

Director, Windchill Infrastructure and Integrations


hi,

somehow the server needs to get to some passwords.
if you encrypt but the MS can decrypt then a user can do the same
(knowing the algorithms ...)

so if you have untrusted/unauthorized users on your server you have
already lost!

wt.properties MUST NOT have any passwords in it - parts of windchill
rely on anonymous access to the file via http request.
db.properties however lives in a directory not accessible from apache,
so you only need to protect it from unauthorized access (any user who
can fiddle with it could also render your windchill installation useless
otherwise)
plus running ethereal would see the passwords at some time unless you
use encrypted connections etc. etc.

cheers, martin

Andrew Miner wrote:
> I can not have clear text passwords in any property file(i.e.,
> wt.properties and db.properties). Are there any suggestion on a method
> or scheme to encrypt/decrypt these passwords. I'm assuming that these
> passwords get cached during startup so once the server starts the
> password in the property file can be encrypted until you need to start
> the server again.
>
Announcements


Top Tags