How to Encrypt Passwords in Ephesoft files

Brief Description:

This tutorial covers the steps for encrypting the plain-text passwords stored in the Ephesoft configuration files, so that they are no longer readable by anyone who can open those files.


Note:

  1. The plain-text passwords in the Ephesoft configuration files have to be replaced manually with the encrypted values generated by the Password Encryption Utility.
  2. Passwords can be encrypted in the server.xml file (database passwords and the LDAP / AD connection password), the dcma-ftp properties file, the user-connectivity file, the etl properties file under dcma-reporting, and the applicationContext-security.xml file (if using SAML SSO).
  3. Usernames can also be encrypted in the same way.
  4. The encryption mechanism is similar for almost all versions; this tutorial focuses on Ephesoft versions above 4060, for both Windows and Linux environments.


Components

Security, Encryption & Decryption


Steps to Encrypt the passwords:

  1. Run Encryptor.sh / Encryptor.bat (Ephesoft\Application\native\encryption). It asks for a plain-text password and returns the encrypted text. Make a note of every encrypted password in a text file so that you can paste it over the matching plain-text value in the configuration files.
  2. The files in which the plain-text passwords need to be replaced are server.xml, user-connectivity (dcma-user-connectivity), etl-properties (dcma-reporting) and ftp.properties (dcma-ftp).
  3. Open the dcma-encryption.properties file (Ephesoft\Application\WEB-INF\classes\META-INF\dcma-encryption) and set both password.use_encryption and password.encrypt to true.
  4. If using LDAP / AD password encryption in server.xml:
    a. Comment out <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    b. In the realm settings, change the Realm className from org.apache.catalina.realm.JNDIRealm to <Realm className="com.ephesoft.realm.EphesoftRealm"/>
    c. Use the generated encrypted password for the connectionPassword property when you configure AD in the server.xml file.
  5. If using database password encryption in server.xml:
     a. Change the factory attribute of the Resource tag to "com.zaxxer.hikari.encryption.EncryptedHikariJNDIFactory" and put the generated encrypted password in the dataSource.password attribute.
    Note: To ensure a successful DB connection, all Oracle DB passwords in server.xml have to be enclosed in quotes (e.g. dataSource.password="&quot;Passw0rd&quot;"). When using the Encryptor, provide only the password itself, without the double quotes (e.g. Passw0rd).
  6. Along with these changes, make sure to change the password property in dcma-ftp: by default it is set to * (asterisk), which may cause an error. If you are not using FTP, any encrypted password can be used here.
  7. Make a final username and password change in the etl-variables.properties file (Ephesoft\Application\WEB-INF\classes\META-INF\dcma-reporting). Note that here both ephesoft.loginusername and ephesoft.loginpassword must be encrypted.
  8. Once all of these plain-text passwords have been replaced, restart the service.


Steps to enable LDAP/AD password Encryption

There are two files in which changes need to be made for the password encryption:

  • server.xml and
  • dcma-encryption.properties

The files are present at the following locations:

  • Ephesoft\JavaAppServer\conf\server.xml
  • Ephesoft\Application\WEB-INF\classes\META-INF\dcma-user-connectivity\user-connectivity.properties


To enable password encryption for LDAP and AD, the following changes are needed.

  1. Change the className attribute of the <Realm … > tag in server.xml.
    By default the className attribute in server.xml has the following value:
    <Realm className="org.apache.catalina.realm.JNDIRealm"/>
    Change the value to the following:
    <Realm className="com.ephesoft.realm.EphesoftRealm"/>
  2. Use an encrypted password for the connectionPassword attribute of the <Realm … > tag in server.xml:
    <Realm className="com.ephesoft.realm.EphesoftRealm" connectionPassword="mzoanUU1UD0rc1PvexuAKw=="/>
  3. Turn on the password.use_encryption property in dcma-encryption.properties, available at:
    Ephesoft\Application\WEB-INF\classes\META-INF\dcma-encryption\dcma-encryption.properties
    password.use_encryption=true
  4. Use an encrypted password for the user.connectivity_password property in user-connectivity.properties (under dcma-user-connectivity):
    user.connectivity_password="mzoanUU1UD0rc1PvexuAKw=="
  5. Comment out the following line in server.xml by putting <!-- before it and --> after it: <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>. Be careful not to comment out the </Realm> on the next line, as that closes a previous realm, not this one.
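The two step lists above describe the same end state. The following script is an added example (not part of Ephesoft or of the original tutorial) that audits constructed copies of server.xml, dcma-encryption.properties and the dcma-ftp properties against those steps, flagging flags left at false, an active UserDatabaseRealm, a missing EphesoftRealm or EncryptedHikariJNDIFactory, and password values that do not look like Encryptor output. The sample file contents, the ftp.password key name and the Base64-block heuristic are assumptions; the heuristic checks format only, not the strength of the value.

```python
import base64
import re

# Constructed sample fragments (not real Ephesoft files), modelled on the tutorial's steps.
SERVER_XML = """<Server>
  <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> -->
  <Realm className="com.ephesoft.realm.EphesoftRealm" connectionPassword="mzoanUU1UD0rc1PvexuAKw=="/>
  <Resource name="jdbc/ephesoft" factory="com.zaxxer.hikari.encryption.EncryptedHikariJNDIFactory"
            dataSource.password="&quot;mzoanUU1UD0rc1PvexuAKw==&quot;"/>
</Server>"""
ENCRYPTION_PROPS = "password.use_encryption=true\npassword.encrypt=false\n"  # one flag forgotten
FTP_PROPS = "ftp.password=*\n"  # the default '*' the tutorial warns about (key name assumed)

def looks_encrypted(value: str) -> bool:
    """Heuristic: Encryptor output is Base64 decoding to whole 8-byte DES blocks; 'Passw0rd' is not."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) >= 8 and len(raw) % 8 == 0

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' comments, surrounding quotes stripped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().strip('"')
    return props

def audit(server_xml: str, enc_props: str, ftp_props: str) -> list:
    """Return a list of findings; an empty list means every check from the tutorial passed."""
    findings = []
    for key in ("password.use_encryption", "password.encrypt"):
        if parse_properties(enc_props).get(key, "").lower() != "true":
            findings.append(f"dcma-encryption.properties: {key} must be true")
    live_xml = re.sub(r"<!--.*?-->", "", server_xml, flags=re.S)  # ignore commented-out tags
    if "UserDatabaseRealm" in live_xml:
        findings.append("server.xml: UserDatabaseRealm is still active; comment it out")
    for marker in ("com.ephesoft.realm.EphesoftRealm", "EncryptedHikariJNDIFactory"):
        if marker not in live_xml:
            findings.append(f"server.xml: expected {marker} but it is not configured")
    for attr in ("connectionPassword", "dataSource.password"):
        for m in re.finditer(re.escape(attr) + r'\s*=\s*"([^"]*)"', live_xml):
            if not looks_encrypted(m.group(1).replace("&quot;", "")):  # Oracle wraps the value in &quot;
                findings.append(f"server.xml: {attr} does not look like Encryptor output")
    for key, value in parse_properties(ftp_props).items():
        if key.lower().endswith("password") and not looks_encrypted(value):
            findings.append(f"dcma-ftp: {key}={value!r} is not an encrypted value")
    return findings
```

Run `audit(SERVER_XML, ENCRYPTION_PROPS, FTP_PROPS)` against the constructed input and it reports the forgotten password.encrypt flag and the default FTP asterisk; pointing it at the real files is a matter of reading them with `open()`.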

Password Encryption:

To encrypt the passwords, use Encryptor.bat, available at the following location:

  • {Ephesoft-Installation-Directory}\Application\native\encryption\Encryptor.bat

On running the above .bat file, it asks for the password string that needs to be encrypted.

[Screenshot: Password_Enc_1.PNG]

Enter the password string here; on pressing "Enter" the encrypted password is returned.

[Screenshot: Password_Enc_2.PNG]

NOTE: The encryption algorithm and cipher strength used by Encryptor.bat from Ephesoft is PBEWithMD5AndDES (56 bits).