I need to encrypt the passwords stored in the prop...

minerae · ‎Sep 02, 2009

I can not have clear text passwords in any property file(i.e., wt.properties and db.properties). Are there any suggestion on a method or scheme to encrypt/decrypt these passwords. I'm assuming that these passwords get cached during startup so once the server starts the password in the property file can be encrypted until you need to start the server again.

avillanueva · ‎Sep 02, 2009

Its been a bit but I used this in one application where I had a password
written to a property file.

String password = props.getString("ftppassword");

try {

PropModifier modifier = new
PropModifier(PropModifier.DESEDE_ENCRYPTION_SCHEME,key);

password=modifier.decrypt(password);

}

catch (PropModException e)

{

logger.debug("Error decrypting password");

}

This is the source for the PropModifyer

wneuman · ‎Sep 02, 2009

Andrew -

I'm not sure I would advise any solution where you leave the files
encrypted and temporariliy decrypt when services need to start or
restart. Part of the reason I say this is that it could get complicated
based on the fact that if, e.g., a method server dies the server manager
will automatically start a new one. Thus you may not know exactly when
the file needs to be decrypted.

There are numerous other secure deployments in existence that have been
able to pass security audits despite the cleartext passwords. I believe
the typical solution is to make sure that you lock down the UNIX or NT
permissions on these files appropriately. Some also use drive
encryption technology like windows bitlocker to ensure that when the
property files are at rest, they are encrypted. Perhaps some other
admins with similar security requirements will respond with additional
approaches that they use. You might also consider a tech support call
to see if there are any other documented or recommended practices in
this area.

In Windchill 10, we have plans to encrypt passwords in property files,
minimizing the need for special handling.

Best Regards,

Bill Neuman

Director, Windchill Infrastructure and Integrations

mkraegeloh · ‎Sep 02, 2009

hi,

somehow the server needs to get to some passwords.
if you encrypt but the MS can decrypt then a user can do the same
(knowing the algorithms ...)

so if you have untrusted/unauthorized users on your server you have
already lost!

wt.properties MUST NOT have any passwords in it - parts of windchill
rely on anonymous access to the file via http request.
db.properties however lives in a directory not accessible from apache,
so you only need to protect it from unauthorized access (any user who
can fiddle with it could also render your windchill installation useless
otherwise)
plus running ethereal would see the passwords at some time unless you
use encrypted connections etc. etc.

cheers, martin

Andrew Miner wrote:
> I can not have clear text passwords in any property file(i.e.,
> wt.properties and db.properties). Are there any suggestion on a method
> or scheme to encrypt/decrypt these passwords. I'm assuming that these
> passwords get cached during startup so once the server starts the
> password in the property file can be encrypted until you need to start
> the server again.
>

I need to encrypt the passwords stored in the properties files.

I need to encrypt the passwords stored in the properties files.