To avoid showing for example passwords or PINs as plain readable text, such sensitive data in Identity Manager configuration files can be scrambled.
Scrambling means that the data is merely obfuscated, since true encryption would require someone typing a password on every system startup. The data is encrypted with AES-256, with a key stored in a java class.
Scrambling can be used for example in database.properties, system.properties and engineSignEncryptConfig.xml.
Prerequisites
The following prerequisites apply:
- All properties files must use UTF-8 character encoding
- Attention must be paid, as we also use properties files as constructor arguments in some classes, mostly PKI connectors. Until now, these may not be scrambled.
- Be careful not to use the
.encrypted
syntax in properties files that are not passed to the ScramblingPropertyConfigurers
, as these will not be scrambled and the setting of the values will fail, since .encrypted
will be interpreted as a part of the key. - Properties files inside
.jar
files will not be scrambled and using the .encrypted
syntax will lead to errors, since spring will try to set a property named encrypted
. You can however set already encrypted properties inside a .jar
file. - Trying to scramble a property that spans over several lines will result in an error.
Step-by-step instruction
Add encryption to parameter in file
To scramble sensitive information in a
.properties file or in
engineSignEncryptConfig.xml:
- Open the file for editing.
Append .encrypted
to any sensitive keys in the file, for example password
or pin
. When the system starts, the values will be encrypted with a key stored in Identity Manager. See the examples below.
Examples
Example: Encrypt database username and password
Example: Encrypt the database username and password in database.properties:
# A placeholder:
maxActive=200
# A property override:
dataSource.jdbcUrl=jdbc:h2:mem:prime;DB_CLOSE_DELAY=-1;LOCK_TIMEOUT=60000
dataSource.user.encrypted=sa
dataSource.password.encrypted=s3cr3t!
Example result:
# A placeholder:
maxActive=200
# A property override:
dataSource.jdbcUrl=jdbc:h2:mem:prime;DB_CLOSE_DELAY=-1;LOCK_TIMEOUT=60000
dataSource.user=encrypted:3I5rVis6scgAzEGg0MtqLw==
dataSource.password=encrypted:K41LmsAmxiIMcTq3k8sAS8l=
Example: Encrypt certificate PIN
Example: Encrypt the certificate PIN in engineSignEncryptConfig.xml:
</key>
<key name="encCert">
<type name="pkcs12" locationValue="classpath:hybridEncKeypair2.p12" pin.encrypted="1234567"/>
</key>
Example result:
</key>
<key name="encCert">
<type name="pkcs12" locationValue="classpath:hybridEncKeypair2.p12" pin=encrypted:JMyVZtk9WIWQQEfpC4CEVg== />
</key>
Example: Encrypt truststore password
Example: If you use the truststore in system.properties, encrypt the truststore password:
# CERTIFICATE VALIDATION:
# -----------------------
# Path to the truststore to use for certificate path validation
jksKeyStoreProvider.keyStorePath=file:apache-tomcat-8.5.24/conf/prime.truststore
# The password for the truststore
jksKeyStoreProvider.keyStorePassword.encrypted=prime
Example result:
# CERTIFICATE VALIDATION:
# -----------------------
# Path to the truststore to use for certificate path validation
jksKeyStoreProvider.keyStorePath=file:apache-tomcat-8.5.24/conf/prime.truststore
# The password for the truststore
jksKeyStoreProvider.keyStorePassword=encrypted:CYyVZis7WITDOIfpC1CNDx==