Getting exception after encrypting password of conf/axis2/axis2.xml - wso2-api-manager

Getting an exception after encrypting the password in conf/axis2/axis2.xml; I have used ciphertool.sh to encrypt the password.
I was able to encrypt the other files of the /repository/conf dir.
Has anyone faced the same issue?
Thank you.

We have seen problems encrypting axis2.xml. But after using the aliases and XPaths below we were able to encrypt passwords for axis2.xml:
Axis2.Https.Listener.TrustStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportReceiver[@name='https']/parameter[@name='truststore']/TrustStore/Password,false
Axis2.Https.Listener.KeyStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportReceiver[@name='https']/parameter[@name='keystore']/KeyStore/Password,false
Axis2.Https.Listener.KeyStore.KeyPassword=repository/conf/axis2/axis2.xml//axisconfig/transportReceiver[@name='https']/parameter[@name='keystore']/KeyStore/KeyPassword,false
Axis2.Https.Sender.TrustStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportSender[@name='https']/parameter[@name='truststore']/TrustStore/Password,false
Axis2.Https.Sender.KeyStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportSender[@name='https']/parameter[@name='keystore']/KeyStore/Password,false
Axis2.Https.Sender.KeyStore.KeyPassword=repository/conf/axis2/axis2.xml//axisconfig/transportSender[@name='https']/parameter[@name='keystore']/KeyStore/KeyPassword,false
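A quick way to check entries like these before running the tool, as an added example that is not part of the original answer or WSO2's code: it splits each `alias=file//xpath,flag` line and counts how many elements the XPath selects. The XML fragment is constructed for the illustration, the function names are hypothetical, and the trailing flag is passed through without being interpreted.

```python
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the https listener in axis2.xml (not a real config).
SAMPLE_AXIS2 = """<axisconfig>
  <transportReceiver name="https">
    <parameter name="keystore">
      <KeyStore><Password>pw1</Password><KeyPassword>pw2</KeyPassword></KeyStore>
    </parameter>
    <parameter name="truststore">
      <TrustStore><Password>pw3</Password></TrustStore>
    </parameter>
  </transportReceiver>
</axisconfig>"""

# Two entries in the answer's format; XPath attribute tests are written [@name='...'].
PREFIX = "repository/conf/axis2/axis2.xml//axisconfig/"
ENTRIES = [
    "Axis2.Https.Listener.KeyStore.Password=" + PREFIX
    + "transportReceiver[@name='https']/parameter[@name='keystore']/KeyStore/Password,false",
    "Axis2.Https.Sender.KeyStore.Password=" + PREFIX
    + "transportSender[@name='https']/parameter[@name='keystore']/KeyStore/Password,false",
]

def parse_entry(line):
    """Split 'alias=file//xpath,flag'; the trailing flag is returned uninterpreted."""
    alias, _, rest = line.strip().partition("=")
    target, _, flag = rest.rpartition(",")
    path, _, xpath = target.partition("//")
    return alias, path, "/" + xpath, flag

def count_matches(xml_text, xpath):
    """Count the elements an absolute XPath selects; 0 means it points at nothing."""
    root = ET.fromstring(xml_text)
    first, _, rest = xpath.strip("/").partition("/")
    if first != root.tag:
        return 0
    return len(root.findall("./" + rest)) if rest else 1

def check(entries, xml_text):
    """Map each alias to the number of elements its XPath selects in xml_text."""
    result = {}
    for line in entries:
        alias, _path, xpath, _flag = parse_entry(line)
        result[alias] = count_matches(xml_text, xpath)
    return result

if __name__ == "__main__":
    for alias, n in check(ENTRIES, SAMPLE_AXIS2).items():
        print(f"{alias}: {n} match(es)")
```

The sender entry reports 0 here because the constructed fragment has no `transportSender` element; an alias with no match points at a password the file does not contain.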

Related

Encrypting the Web Console password in ActiveMQ

I have to get rid of the clear text password in ActiveMQ server in the jetty-realm.properties file as part of the security requirements of our project.
I followed the procedure for encrypting passwords found here: https://activemq.apache.org/encrypted-passwords.html.
In jetty-realm.properties I replaced the plain password with ${activemq.password}.
But I could not log in to the web console (http://localhost:8161/admin).
Are there additional config parameters I need to change? Any help would be greatly appreciated.
To encrypt the password we can use the Jetty utility. This can be downloaded from http://download.eclipse.org/jetty/.
Use:
java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password admin admin
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk
Add in bus\conf\jetty.xml\jetty-realm.properties
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin
A very important note: the sequence of data specified by you should be as follows:
org.eclipse.jetty.util.security.Password [username] password
Also note that in some shells (like default on Ubuntu 20.04) the dollar sign inside the password will effectively truncate your password to the part preceding the dollar sign.
(I meant to put a comment to the answer by @dorin.canepa, but clicked on a wrong button and now it's an answer, oh well)

Sitecore extranet create user

I'm trying to create an extranet user within Sitecore but I'm having issues. I'm using the command Membership.CreateUser(username, password, email)
Nothing seems to happen though. No user is created in the extranet aspnetdb. No exceptions are thrown.
I also tried putting the domain as part of the user name: domain\username...and I get the error "You must specify a non-autogenerated machine key to store passwords in encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key.". My passwordFormat is Encrypted.
Any ideas what I'm doing wrong?
Thanks in advance.
Did you try what the error message suggested? I would try setting your own Machine Key. More about that here. As always, do this in a test/dev environment.
You can use below code -
uname = string.Format(@"{0}{1}", domain, userName);
Membership.CreateUser(uname, password, email);

SFTP doesn't work with encoded password

We use SFTP in our project to transfer files over an SSH connection. This is done through Java code. Assuming that characters like ?, ! etc. need to be given as encoded values in the sftp command, we encoded the password in the code and generated the command. But SFTP isn't working with these encoded passwords now; it accepts the password directly. What could be the issue? Please help.
Example username: xyz password: abc!
We use URLEncoder to encode the username and password.
String username= URLEncoder.encode(username, "UTF-8");
String password = URLEncoder.encode(password, "UTF-8");
After encoding, our code would generate the SFTP command as: sftp://xyz:abc%21@10.9.10.9/home/documents/xyz.txt
But this isn't working; authentication fails with a wrong password, whereas if we manually give the command sftp://xyz:abc!@10.9.10.9/home/documents/xyz.txt it works.
Please let us know if we are going wrong.
Thanks in advance.
That's not actually an issue. SFTP is a subsystem of SSH, and SSH creates a secure channel upon client connection (similarly to what SSL does but at layer 7): once the secure and encrypted connection is established, your username and password will be sent to the SSH server inside such connection, therefore there is no need to encode them nor to encrypt them.
The SSH server expects to receive your username/password as they are, not pre-processed nor encoded. And you can do that safely with SFTP for the reason explained here above. So no reason to be worried.
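How the two forms of the password in the question relate, as an added example that is not part of the original posts: `abc%21` is the percent-encoded spelling of `abc!` inside a URL, and it has to be decoded once before it is used for SSH authentication. Python's `urllib.parse` stands in for the Java code here, and the function names are hypothetical.

```python
from urllib.parse import quote, quote_plus, unquote, urlsplit

def build_sftp_url(user, password, host, path):
    """Percent-encode the userinfo so reserved characters survive inside the URL."""
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"sftp://{userinfo}@{host}{quote(path)}"

def raw_userinfo(url):
    """Userinfo exactly as written in the URL (still percent-encoded)."""
    parts = urlsplit(url)
    return parts.username, parts.password

def credentials_for_ssh(url):
    """Decode the userinfo once; this is the form the SSH server compares."""
    user, password = raw_userinfo(url)
    return unquote(user or ""), unquote(password or "")

def form_encode_roundtrip(password):
    """Form encoding (what java.net.URLEncoder produces) turns ' ' into '+',
    which URI percent-decoding does not turn back into a space."""
    return unquote(quote_plus(password))

if __name__ == "__main__":
    url = build_sftp_url("xyz", "abc!", "10.9.10.9", "/home/documents/xyz.txt")
    print(url)                        # URL form of the credentials
    print(raw_userinfo(url))          # what fails if sent to the server unchanged
    print(credentials_for_ssh(url))   # what the server actually expects
```

If the client library takes the username and password as separate arguments rather than parsing a URL, they are passed as-is with no encoding step at all.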

What sort of encryption is this?

I'm working on a login system for a website that currently uses Apache's prompt box for login, and stores usernames/passwords in a file on the server (as opposed to a table in the database). I'm running into a problem here because the passwords are encrypted in a way I've never seen before. I was wondering if someone can recognize the encryption used here. Examples:
"budapest" translates to "$apr1$6awtpn87$1PzMKL1M4H6urlEil/z5m/" and "Mario" translates to "$apr1$zhadw0iq$r8plh8o.Jj.V34oJ1tjWV1"
All encrypted passwords have "$apr1" at the beginning, then 8 characters, then "$" and then 22 more characters. This gives 32 characters excluding the "$apr1" so I thought it might be some variation on md5 but I haven't worked with encryption much so I was hoping someone could give me a hand?
This is the content of the .htaccess file:
AuthType Basic
AuthName "Site name here"
AuthUserFile "path to password file here"
require valid-user
It's an APR1-MD5 Hash. The documentation can be found at:
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
If it stores the username/pass in a file, it's probably some form of Basic Authentication.
http://httpd.apache.org/docs/2.1/howto/auth.html
http://httpd.apache.org/docs/1.3/howto/htaccess.html
This is a password hash which is built the following way:
$algorithm$salt$hash
So this is the Apache-style apr1-md5 algorithm, then the 8-byte random salt and then the actual hash of your password - using the salt.
See http://httpd.apache.org/docs/2.1/misc/password_encryptions.html for more information on the supported password hash/encryption methods in HTTP Basic Auth using apache httpd.
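The `$apr1$salt$hash` layout described above, as an added example that is not part of the original answers: it parses an entry and recomputes an APR1-MD5 hash with the entry's own salt, which is how a stored entry is checked at login. The first hash quoted in the question is the only sample input, and the function names are hypothetical.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SAMPLE = "$apr1$6awtpn87$1PzMKL1M4H6urlEil/z5m/"  # first hash quoted in the question

def parse_apr1(entry):
    """Split '$apr1$salt$hash' into (scheme, salt, digest); reject any other shape."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[0] or parts[1] != "apr1":
        raise ValueError("not an $apr1$ entry")
    salt, digest = parts[2], parts[3]
    if not 1 <= len(salt) <= 8 or len(digest) != 22 or set(salt + digest) - set(ITOA64):
        raise ValueError("malformed salt or digest")
    return parts[1], salt, digest

def apr1(password, salt):
    """APR1-MD5: the md5crypt construction with the '$apr1$' magic string."""
    pw, s = password.encode(), salt.encode()
    md5 = lambda data: hashlib.md5(data).digest()
    alt = md5(pw + s + pw)
    ctx = pw + b"$apr1$" + s
    for n in range(len(pw), 0, -16):      # mix in len(pw) bytes of the alternate sum
        ctx += alt[:min(n, 16)]
    n = len(pw)
    while n:                              # one byte per bit of the password length
        ctx += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    final = md5(ctx)
    for i in range(1000):                 # fixed 1000 rounds of stretching
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        final = md5(block + (final if i & 1 else pw))
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(4):                # 24 bits -> 4 characters, low bits first
            out, v = out + ITOA64[v & 63], v >> 6
    out += ITOA64[final[11] & 63] + ITOA64[final[11] >> 6]
    return f"$apr1${salt}${out}"

def verify(password, entry):
    """Recompute with the entry's own salt and compare in constant time."""
    _, salt, _ = parse_apr1(entry)
    return hmac.compare_digest(apr1(password, salt), entry)
```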

How to change WebDAV password locally

I can't figure out how to change the webdav password. I've done some searching, found many resources of how to add a new user to webdav, but nothing about changing password. Anyone know?
Passwords are stored in webdav.htpasswd file.
If you open it, you will see an entry like this
wampp:XAMPP with WebDAV:bc7f2b670e7e965e307feb30492e642e
That's the entry for user wampp: in realm XAMPP with WebDAV: with password which is encrypted.
To change password, you should use htdigest.exe.
See the manual. It is used to create and update user authentication files. You should find it in the bin directory of the xampp installation.
To do that, run:
htdigest.exe "pathto/webdav.htpasswd" "XAMPP with WebDAV" yourusername
This will be returned:
Adding user yourusername in realm "XAMPP with WebDAV"
You will then be asked for the password for yourusername
New password: yourpassword
Re-type new password: yourpassword
Reference: http://www.apachefriends.org/f/viewtopic.php?f=16&t=38897
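What htdigest writes for each user, as an added example that is not part of the original answer: the third field is the hex MD5 of `user:realm:password`, so the realm is bound into the hash. The second sample line, the function names and the UTF-8 encoding of the password are assumptions made for the illustration.

```python
import hashlib
import re

# Constructed file content; the first line is the entry shown in the answer.
SAMPLE = (
    "wampp:XAMPP with WebDAV:bc7f2b670e7e965e307feb30492e642e\n"
    "alice:Other Realm:00000000000000000000000000000000\n"
)
ENTRY = re.compile(r"[^:]+:[^:]+:[0-9a-f]{32}")

def digest_line(user, realm, password):
    """Build one entry: user:realm:MD5(user:realm:password) as 32 hex digits."""
    if ":" in user or ":" in realm:
        raise ValueError("':' is the field separator and cannot appear in user or realm")
    # Assumption: the password is hashed as UTF-8 bytes.
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"

def set_password(file_text, user, realm, password):
    """Replace the entry for (user, realm), or append one; other lines are kept."""
    new_line, out, replaced = digest_line(user, realm, password), [], False
    for line in file_text.splitlines():
        if line.split(":", 2)[:2] == [user, realm]:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"

def malformed_entries(file_text):
    """Lines that are not user:realm:32-hex, for example a plaintext password."""
    return [l for l in file_text.splitlines() if l and not ENTRY.fullmatch(l)]
```

Because the realm is hashed together with the password, an entry created for one realm does not authenticate in another, and renaming the realm in the server configuration requires regenerating every entry.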
Replace the content of the file C:\Program Files\xampp\security\htpasswd.webdav with your username, a colon and the password. Note: Everyone who can see this file can see the password!
Assuming you're talking about doing a password change at the server from a client, I don't believe WebDAV supports such a transaction.
You'd use something like a shell logon or a Web-based admin page to do this.
This always struck me as odd for a lot of network services, for example FTP or email. It seems to be common though.
