
...

  1. Config files should be able to be emailed around without having to cleanse them first.
  2. Config files (and WAR files) should not contain passwords, so that they can be stored in version control etc.
  3. Only people who have permissions on the production box need to know the password, not the developers who send them the WAR to deploy.
  4. If someone finds a config file, they cannot see the password, and there is no documented way to decrypt it.



Set up externalized encrypted passwords (post 2.4.0 API patch #76)

  1. In morphString.properties, set the encrypt.key entry to a random alphanumeric string, to the pathname of a file containing that alphanumeric string, or to a scriptlet (put the scriptlet in encrypt.key.elConfig instead).
  2. In subject.properties and grouper.hibernate.properties, encrypt the passwords with:

    Windows (from the Grouper API directory):

    C:\mchyzer\isc\dev\grouper-qs-1.2.0\grouper>java -cp conf;build;lib/* edu.internet2.middleware.morphString.Encrypt
    Enter the location of morphString.properties: conf/morphString.properties
    Type the string to encrypt (note: pasting might echo it back):
    The encrypted string is: ede9aa3fe38e68d811107f886a941cc6

    Unix (from the Grouper API directory):

    /opt/grouper-qs-1.2.0/grouper>java -cp conf:build:lib/* edu.internet2.middleware.morphString.Encrypt
    Enter the location of morphString.properties: conf/morphString.properties
    Type the string to encrypt (note: pasting might echo it back):
    The encrypted string is: ede9aa3fe38e68d811107f886a941cc6



  3. Put the encrypted string in a file, and put that file's path where the password used to be in sources.xml or grouper.hibernate.properties (the absolute file path must contain a slash):

    Windows:

    hibernate.connection.password = c:/pass/myGrouper/mySource.pass

    Unix:

    hibernate.connection.password = /opt/pass/myGrouper/mySource.pass

    Note: an absolute path is required. The configuration uses the "/" directory delimiter to distinguish an external file reference from a literal password string.


Set up externalized encrypted passwords (pre 2.4.0 API patch #76)

  1. In morphString.properties, set the encrypt.key entry to a random alphanumeric string, or to the pathname of a file containing that alphanumeric string.
  2. In sources.xml and grouper.hibernate.properties, encrypt the passwords with:

    Windows (from the Grouper API directory):

    C:\mchyzer\isc\dev\grouper-qs-1.2.0\grouper>java -jar lib\morphString.jar
    Enter the location of morphString.properties: conf/morphString.properties
    Type the string to encrypt (note: pasting might echo it back):
    The encrypted string is: ede9aa3fe38e68d811107f886a941cc6

    Unix (from the Grouper API directory):

    /opt/grouper-qs-1.2.0/grouper>java -jar lib/morphString.jar
    Enter the location of morphString.properties: conf/morphString.properties
    Type the string to encrypt (note: pasting might echo it back):
    The encrypted string is: ede9aa3fe38e68d811107f886a941cc6



  3. Put the encrypted string in a file, and put that file's path where the password used to be in sources.xml or grouper.hibernate.properties (the absolute file path must contain a slash):

    Windows:

    hibernate.connection.password = c:/pass/myGrouper/mySource.pass

    Unix:

    hibernate.connection.password = /opt/pass/myGrouper/mySource.pass

    Note: an absolute path is required. The configuration uses the "/" directory delimiter to distinguish an external file reference from a literal password string.
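As an added example (not Grouper's own code), the following Python models the file-reference rule that both procedures above rely on: a configured value containing "/" is read as the absolute path of a file holding the encrypted string, and anything else is used as the literal. It assumes a Unix host and adds two checks a deployer would want when storing the file from step 3: the path must be absolute, and the password file must not be readable by group or others.

```python
import os
import stat


def is_external_file_reference(value: str) -> bool:
    """The page's rule: a value containing the "/" delimiter is a file
    reference; anything else is the literal (encrypted) password string."""
    return "/" in value


def write_password_file(path: str, encrypted: str) -> None:
    """Step 3 of the procedure: store the Encrypt tool's output in a file
    that only the owner can read (constructed helper, not part of Grouper)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(encrypted + "\n")
    os.chmod(path, 0o600)  # the umask may have widened the mode at creation


def resolve_password_value(value: str) -> str:
    """Return the encrypted password for a hibernate.connection.password (or
    sources.xml) value, reading it from the external file when the value is a
    file reference. Enforces the absolute-path requirement stated on the page
    and refuses files that group or others can read."""
    value = value.strip()
    if not is_external_file_reference(value):
        return value  # literal value, already run through Encrypt
    if not os.path.isabs(value):
        raise ValueError(f"password file must be an absolute path: {value!r}")
    mode = os.stat(value).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{value} is readable by group/others; use mode 0600")
    with open(value, "r", encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mySource.pass")
        # constructed sample: the encrypted string shown on this page
        write_password_file(path, "ede9aa3fe38e68d811107f886a941cc6")
        print(resolve_password_value(path))
        print(resolve_password_value("ede9aa3fe38e68d811107f886a941cc6"))
```

The encrypted strings the tool prints are hexadecimal, which is why a literal value never collides with the "/" file-reference rule.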


...