Help with Exporting Encrypted Password BaseType to Another Server

Question

Hi all,I’m working on a project where I have a DataShape that includes a field with the base type PASSWORD.In my implementation, I use the following logic to hash and encrypt the password: Add User Service (loginPassword basetype is PASSWORD in datashape) result = Things[userDataTable].CreateValues();

result.AddRow({
	loginName: loginName.toUpperCase(),
	firstName: firstName,
	lastName: lastName,
	language: language,
	emailAddress: emailAddress.toLowerCase(),
	hashedLoginName: me.SHA256({
		toHash: loginName.toUpperCase()
	}),
	groups: groups,
	loginPassword: Resources["EncryptionServices"].EncryptPropertyValue({
		data: me.SHA256({
			toHash: loginPassword
		})
	})
});
//me.UserDataBase
Things[userDataTable].AddDataTableEntry({	values: result });   User Login Service const serviceName = "userLogin";
const LOG_PREFIX = me.name + " :: " + serviceName + " :: ";

const userDataTable = "Project_" + Location + "_Users.DT";
logger.info(LOG_PREFIX + "Start Service");

let returnToken = {};
let hashedLoginName = me.SHA256({ toHash: loginName.toUpperCase() });

let hashedLoginPassword = true ? loginPassword : me.SHA256({ toHash: loginPassword });
returnToken.result = false;

let dateNow = Date.now();
let loginTokenExpireDate = dateNow +(me.tokenExpireTime*1000);
let hashedToken = me.SHA256({ toHash: dateNow + loginName.toUpperCase() });

try{
 let EntryExists = Things[userDataTable].GetDataTableEntryByKey({ key: hashedLoginName });
 
 logger.info("tip"+ EntryExists.rows[0]);

if(EntryExists && EntryExists.rows[0].hashedLoginName == hashedLoginName && EntryExists.rows[0].loginPassword == hashedLoginPassword){ //EntryExists.rows[0].loginPassword

returnToken.loginToken = hashedToken;
 returnToken.result = true;
 returnToken.loginTokenExpireDate = loginTokenExpireDate;
 returnToken.groups = EntryExists[0].groups.ToJSON().rows;
 returnToken.firstName = EntryExists[0].firstName;
 returnToken.lastName = EntryExists[0].lastName;
 returnToken.permission = EntryExists[0].permission;
 EntryExists[0].loginToken = hashedToken;
 EntryExists[0].loginTokenExpireDate = loginTokenExpireDate;
 Things[userDataTable].UpdateDataTableEntry({ values: EntryExists });
 
 }
 
}catch(e){}

//result = "this Token : '" + hashedToken + "' is created at this time: " + new Date(dateNow) + " and will expires at " + new Date(expireDateToken);
result = returnToken;

logger.info(LOG_PREFIX + "End Service");  SHA 256The following SHA-256 algorithm has been implemented in the Experience app.https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest   UserLogout const serviceName = "userLogout";
const LOG_PREFIX = me.name + " :: " + serviceName + " :: ";

const userDataTable = "Project_" + Location + "_Users.DT";
logger.info(LOG_PREFIX + "Start Service");

if(EntryExists && EntryExists.rows[0].loginToken == loginToken && new Date(Date.now()) < EntryExists.loginTokenExpireDate){

EntryExists.loginTokenExpireDate = '';
EntryExists.loginToken = '';
//me.UserDataBase
Things[userDataTable].UpdateDataTableEntry({
values: EntryExists /* INFOTABLE */
});

returnToken.result = true;
returnToken.loginTokenExpireDate = "Token got deleted!";
}

}catch(e){}
result = returnToken;

logger.info(LOG_PREFIX + "End Service");  ❗ ProblemNow, I’m trying to migrate this data to another ThingWorx server, using an import/export mechanism (e.g., DataTable export).However, on the new server, the encrypted password doesn’t seem to work or decrypt properly. Even when I change the base type to STRING instead of PASSWORD, it still doesn't work.I suspect the issue might be:Something related to how encrypted properties (especially PASSWORD fields) are tied to a specific platform instance or keystore?Or maybe EncryptPropertyValue() doesn’t produce a transferable string between servers?🧩 What I’ve TriedChanging the base type from PASSWORD to STRING before exporting.Referenced this doc for password handling (but it’s still unclear what is transferable and what’s not): 👉 https://support.ptc.com/help/thingworx/platform/r9.6/en/index.html#page/ThingWorx/Help/Composer/Security/password_basetype.html#wwID0EYCK1💡 My QuestionsIs it possible to export a PASSWORD-typed value from one server to another in a usable form?What is the best way to securely transfer hashed or encrypted credentials between servers without breaking the structure?Any insights or official guidance would be much appreciated 🙏Thanks in advance!

Rocko · Accepted Answer

As you assume, this is tied to the keystore. This is why there is a "universal export" option. But it's documented it is not working on data, only on entities.

https://support.ptc.com/help/thingworx/platform/r9.6/en/index.html#page/ThingWorx/Help/Getting_Started/ImportingandExportinginThingWorx/ImportingandExportingDataEntitiesandExtensions.html

This is also the reason why you have to call EncryptPropertyValue manually, because it's not a simple thing property but a row in a data table.

I would suggest encrypting with a specific key that you use on both platforms. There is a EncryptWithCustomKey service for that. But I haven't verified if that works.

❗ Problem

🧩 What I’ve Tried

💡 My Questions

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded