To avoid showing sensitive data such as passwords or PINs as plain readable text, such values in PRIME configuration files can be scrambled.

Scrambling is obfuscation rather than real encryption. The values are encrypted with AES-256, but the key is stored in a Java class inside PRIME, because true encryption would require someone to type a passphrase on every system startup. Anyone who can read that class can recover the key and unscramble the values, so scrambling protects the files against casual reading, not against someone with read access to the PRIME installation.

Scrambling can be used in, for example, database.properties, system.properties and engineSignEncryptConfig.xml.


Prerequisites

The following prerequisites apply:

  • All properties files must use UTF-8 character encoding.
  • Properties files are also used as constructor arguments in some classes, mostly PKI connectors. Those files cannot currently be scrambled.
  • Do not use the .encrypted syntax in properties files that are not passed to the ScramblingPropertyConfigurers: nothing scrambles them, and setting the values fails, because .encrypted is then interpreted as part of the key name.
  • Properties files inside .jar files are not scrambled, and using the .encrypted syntax in them leads to errors, because Spring will try to set a property named encrypted. Values that are already scrambled (encrypted:...) can, however, be placed in a properties file inside a .jar.
  • Trying to scramble a property whose value spans several lines results in an error.

Step-by-step instruction

Add encryption to a parameter in a file
To scramble sensitive information in a .properties file or in engineSignEncryptConfig.xml:
  1. Open the file for editing.
  2. Append .encrypted to the name of any sensitive key in the file, for example password or pin. When the system starts, the values are encrypted with the key stored in PRIME and the file is rewritten with the scrambled values, the key name without the .encrypted suffix and the value prefixed with encrypted:. See the examples below.

    1. Example with database.properties:

      Example: encrypt keys in database.properties
      # A placeholder:
      maxActive=200
      # A property override:
      dataSource.jdbcUrl=jdbc:h2:mem:prime;DB_CLOSE_DELAY=-1;LOCK_TIMEOUT=60000
      dataSource.user.encrypted=sa
      dataSource.password.encrypted=s3cr3t!

      Example result:

      Example result: scrambled keys in database.properties
      # A placeholder:
      maxActive=200
      # A property override:
      dataSource.jdbcUrl=jdbc:h2:mem:prime;DB_CLOSE_DELAY=-1;LOCK_TIMEOUT=60000
      dataSource.user=encrypted:3I5rVis6scgAzEGg0MtqLw==
      dataSource.password=encrypted:K41LmsAmxiIMcTq3k8sAS8l=
    2. Example with engineSignEncryptConfig.xml:

      Example: encrypt keys in engineSignEncryptConfig.xml
       </key>
           <key name="encCert">
               <type name="pkcs12" locationValue="classpath:hybridEncKeypair2.p12" pin.encrypted="1234567"/>
       </key>

      Example result:

      Example result: scrambled keys in engineSignEncryptConfig.xml
       </key>
           <key name="encCert">
               <type name="pkcs12" locationValue="classpath:hybridEncKeypair2.p12" pin="encrypted:JMyVZtk9WIWQQEfpC4CEVg=="/>
       </key>

Only properties files outside of a .jar file are rewritten in place.
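The following Go program is an added example and not PRIME's own code. It illustrates the rewrite described in the step above and the prerequisite caveats: a properties file with .encrypted keys is rewritten to encrypted: values, loading the rewritten file transparently recovers the plaintext, and the embedded key alone is enough to do so, which is the sense in which the page calls this obfuscation. Assumptions: the key value, the names Seal, Open, ScrambleProperties, LoadProperties and SampleProperties, the AES-GCM mode and the base64 layout are this example's choices; the page only states AES-256 with a key stored in a Java class, and the sample properties text is constructed here in the shape of the page's database.properties example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// hardcodedKey stands in for the AES-256 key PRIME keeps in a Java class (assumption:
// the real key is not on the page). Anyone who can read that class can copy the key
// and call Open below, which is why the page calls the result obfuscation.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

// Markers on the key before scrambling and on the value after scrambling.
const keySuffix, valuePrefix = ".encrypted", "encrypted:"

var aead = func() cipher.AEAD { // AES-256-GCM under the embedded key (mode is an assumption)
	block, _ := aes.NewCipher(hardcodedKey) // 32-byte constant key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}()

// Seal encrypts one value and returns "encrypted:<base64(nonce||ciphertext||tag)>".
// Assumption: the page only says AES-256; GCM with a random nonce is this example's choice.
func Seal(plain string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plain), nil) // output starts with the nonce
	return valuePrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal; it needs nothing but the embedded key.
func Open(scrambled string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(scrambled, valuePrefix))
	n := aead.NonceSize()
	if !strings.HasPrefix(scrambled, valuePrefix) || err != nil || len(raw) < n {
		return "", fmt.Errorf("not a well-formed %q value", valuePrefix)
	}
	plain, err := aead.Open(nil, raw[:n], raw[n:], nil)
	return string(plain), err
}

// ScrambleProperties rewrites .properties text the way the page describes for files
// handled by the scrambling configurers: "key.encrypted=value" becomes "key=encrypted:...".
// A value continued on the next line (trailing backslash) is rejected, matching the
// page's multi-line caveat. Simplification: only the "=" separator is handled.
func ScrambleProperties(text string) (string, error) {
	var out []string
	for _, line := range strings.Split(strings.TrimSuffix(text, "\n"), "\n") {
		key, value, found := strings.Cut(line, "=")
		key = strings.TrimSpace(key)
		if !found || strings.HasPrefix(key, "#") || !strings.HasSuffix(key, keySuffix) {
			out = append(out, line) // comments, blanks and ordinary keys pass through
			continue
		}
		if strings.HasSuffix(value, `\`) {
			return "", fmt.Errorf("%s: value spans several lines and cannot be scrambled", key)
		}
		sealed, err := Seal(strings.TrimLeft(value, " \t"))
		if err != nil {
			return "", err
		}
		out = append(out, strings.TrimSuffix(key, keySuffix)+"="+sealed)
	}
	return strings.Join(out, "\n") + "\n", nil
}

// LoadProperties is the consuming side: parse the file and transparently unscramble every
// value carrying the encrypted: prefix. A ".encrypted" key that was never rewritten (file in
// a .jar, or not passed to the configurers) stays a property literally named "...encrypted".
func LoadProperties(text string) (map[string]string, error) {
	props := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		key, value, found := strings.Cut(line, "=")
		key, value = strings.TrimSpace(key), strings.TrimLeft(value, " \t")
		if !found || strings.HasPrefix(key, "#") {
			continue
		}
		if strings.HasPrefix(value, valuePrefix) {
			plain, err := Open(value)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", key, err)
			}
			value = plain
		}
		props[key] = value
	}
	return props, nil
}

// SampleProperties is a constructed database.properties fragment in the page's shape.
const SampleProperties = `# A placeholder:
maxActive=200
# A property override:
dataSource.jdbcUrl=jdbc:h2:mem:prime;DB_CLOSE_DELAY=-1;LOCK_TIMEOUT=60000
dataSource.user.encrypted=sa
dataSource.password.encrypted=s3cr3t!
`
```

Run ScrambleProperties on SampleProperties and then LoadProperties on the result: the two sensitive keys come back as dataSource.user and dataSource.password with their plaintext values, while maxActive and the JDBC URL are untouched. Loading the unscrambled sample instead yields a property literally named dataSource.password.encrypted and no dataSource.password, which is the failure the prerequisites describe for files that never pass through the configurers; a value ending in a backslash is refused, as the page says multi-line values must be.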
