How to set wlp.password.encryption.key value in Liberty Profile - encryption

We are trying to encrypt sensitive information stored in the server.xml of Liberty Profile. To do that we are using the securityUtility tool with the "aes" encoding type. I understand from the IBM infocenter that a custom key value can be set with the property wlp.password.encryption.key for the encryption. If this value is not set, the tool will use a default value.
We want to set up a custom value for the wlp.password.encryption.key property, so that it can be used during the encryption.
However, I could not find any details on how we can set this property. What is the syntax to be used?

Here is some information on how to use the encryption key - Liberty profile: The limits to protection through password encryption
The encryption key used for decrypting can be overridden from the default by setting the wlp.password.encryption.key property. This property should not be set in the server.xml file that stores the password, but in a separate configuration file that is included by the server.xml file. This separate configuration file should contain only a single property declaration, and should be stored outside the normal configuration directory for the server. This ensures that the file containing the key is not included when you are running the server dump or package command.
The encryption key property can also be specified as a bootstrap property.
How to define the property (in server.xml or in a separate file):
    <server>
      ...
      <variable name="wlp.password.encryption.key" value="yourKey" />
    </server>
How to include the separate file in server.xml:
    <server>
      ...
      <include location="${shared.config.dir}/key.xml" />
    </server>
bootstrap.properties is an optional file; it does not exist by default. You must create it in the same directory where server.xml is stored, by default usr/servers/server_name.
Define an entry in there like this:
    wlp.password.encryption.key = yourKey
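Added example (not part of the answer above, and not IBM's code): the Python script below audits a Liberty server layout against the quoted guidance. It parses server.xml, reports if wlp.password.encryption.key is declared inline, resolves each <include> location (expanding only the ${variables} you hand it), and checks that the included key file sits outside the server's configuration directory, declares exactly one variable, and is not readable by group or others. The directory layout, file contents and the ${shared.config.dir} mapping are constructed in a temporary directory purely for the demonstration.

```python
from __future__ import annotations
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

KEY_PROP = "wlp.password.encryption.key"


def declares_key_inline(server_xml: Path) -> bool:
    """True if server.xml itself carries the key variable (the guidance says it should not)."""
    root = ET.parse(server_xml).getroot()
    return any(v.get("name") == KEY_PROP for v in root.iter("variable"))


def resolve_includes(server_xml: Path, variables: dict[str, str]) -> list[Path]:
    """Return the locations of <include> elements with ${var} references expanded
    from the supplied mapping; anything not in the mapping is left as written."""
    root = ET.parse(server_xml).getroot()
    paths = []
    for inc in root.iter("include"):
        loc = inc.get("location", "")
        for name, value in variables.items():
            loc = loc.replace("${" + name + "}", value)
        paths.append(Path(loc))
    return paths


def audit_key_file(key_file: Path, server_dir: Path) -> list[str]:
    """Check one included file against the quoted guidance and return findings."""
    key_file = key_file.resolve()
    if not key_file.exists():
        return [f"{key_file}: include target does not exist"]
    findings = []
    if server_dir.resolve() in key_file.parents:
        findings.append(f"{key_file}: lives inside the server configuration directory, "
                        "so 'server dump' and 'server package' would capture it")
    children = list(ET.parse(key_file).getroot())
    if not (len(children) == 1 and children[0].tag == "variable"
            and children[0].get("name") == KEY_PROP):
        findings.append(f"{key_file}: should contain exactly one <variable name=\"{KEY_PROP}\"> element")
    mode = key_file.stat().st_mode & 0o777
    if mode & 0o077:
        findings.append(f"{key_file}: mode {oct(mode)} is readable by group or others")
    return findings


def audit_server(server_xml: Path, variables: dict[str, str]) -> list[str]:
    """Run every check over one server.xml and its includes."""
    findings = []
    if declares_key_inline(server_xml):
        findings.append(f"{server_xml}: {KEY_PROP} is declared directly in server.xml")
    for inc in resolve_includes(server_xml, variables):
        findings.extend(audit_key_file(inc, server_xml.parent))
    return findings


def build_demo(compliant: bool) -> tuple[Path, dict[str, str]]:
    """Construct a throw-away Liberty layout under a temp dir. compliant=True follows
    the guidance; compliant=False puts the key file (and an inline copy) in the server dir."""
    base = Path(tempfile.mkdtemp())
    server_dir = base / "usr" / "servers" / "defaultServer"
    shared_dir = base / "usr" / "shared" / "config"
    server_dir.mkdir(parents=True)
    shared_dir.mkdir(parents=True)
    key_dir = shared_dir if compliant else server_dir
    key_file = key_dir / "key.xml"
    key_file.write_text(f'<server>\n  <variable name="{KEY_PROP}" value="example-key-not-real" />\n</server>\n')
    key_file.chmod(0o600 if compliant else 0o644)
    inline = "" if compliant else f'  <variable name="{KEY_PROP}" value="example-key-not-real" />\n'
    (server_dir / "server.xml").write_text(
        "<server>\n"
        + inline
        + '  <include location="${shared.config.dir}/key.xml" />\n'
        + "</server>\n"
    )
    # The demo maps ${shared.config.dir} to wherever key.xml was written; a real run
    # would take the mapping from the server's environment instead.
    return server_dir / "server.xml", {"shared.config.dir": str(key_dir)}


if __name__ == "__main__":
    for compliant in (True, False):
        xml_path, variables = build_demo(compliant)
        print("compliant" if compliant else "non-compliant",
              audit_server(xml_path, variables) or "no findings")
```

Run it as a script to see the compliant layout produce no findings and the non-compliant one produce three; point audit_server at a real server.xml with the variable mapping your environment uses to audit an actual installation.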

Related

Wildfly: Encrypt password and username for database

I would like to hand over a web application to some people, but these people should not be allowed to have access to the database with some tools. Using the web application, and in the background the database, is OK.
Wildfly has a config with this code:
    <xa-datasource jndi-name="java:jboss/datasources/ExampleXADS" pool-name="ExampleXADS">
      <driver>h2</driver>
      <xa-datasource-property name="URL">jdbc:h2:mem:test</xa-datasource-property>
      <xa-pool>
        <min-pool-size>10</min-pool-size>
        <max-pool-size>20</max-pool-size>
        <prefill>true</prefill>
      </xa-pool>
      <security>
        <user-name>sa</user-name>
        <password>sa</password>
      </security>
    </xa-datasource>
As you can see, the username and password are also there. How is it possible to exclude / encrypt these, so that only the administrator knows the password for the database?
The same also for the whole application server - there are also users and passwords.
How can I do this?
EDIT:
The "customer" will get the whole application, inclusive of the webserver configuration (Wildfly and .war file).
It's only for saving the software key in the database.
The first time the "customer" starts the web application, he will be prompted to enter the licence key.
After entering the license key a web service will be called. The return code is "false" or "true" (is the key valid or is the key not valid).
My first idea was to store the flag in the database. But if a user has access to the database, he can manipulate this flag on his own.
Is there any other possibility to set a flag for "the software key is valid" instead of saving the flag in the database?
Any ideas?
You can use a security domain to get over this; there could be some specific changes for Wildfly, but for JBoss 7.1.1 here is what you need to do.
Find the location of jboss-logging-3.1.0.GA.jar in your JBoss/Wildfly server. In case of JBoss 7.1.1 it should be something like modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar
Find the location of picketbox-4.0.7.Final.jar
Check if the picketbox jar has org.picketbox.datasource.security.SecureIdentityLoginModule class.
Run the following command from the JBoss server root folder to encrypt your datasource connection password:
    java -cp modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar;modules\org\picketbox\main\picketbox-4.0.7.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Get the output text and in standalone.xml add the following security domain under elements:
    <security-domain name="encrypted-ds-WASM2" cache-type="default">
      <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username" value="WASM2"/>
          <module-option name="password" value="89471a19022f8af"/>
          <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
        </login-module>
      </authentication>
    </security-domain>
Use this security domain in the datasource element as follows:
    <datasource jta="false" jndi-name="java:jboss/jdbc/JNDIDS" pool-name="OFS1" enabled="true" use-ccm="false">
      <connection-url>jdbc:oracle:thin:@x.x.x.x:1521:xxxx</connection-url>
      <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      <driver>oracle</driver>
      <security>
        <security-domain>encrypted-ds-WASM2</security-domain>
      </security>
      <validation>
        <validate-on-match>false</validate-on-match>
        <background-validation>false</background-validation>
        <background-validation-millis>1</background-validation-millis>
      </validation>
      <statement>
        <prepared-statement-cache-size>0</prepared-statement-cache-size>
        <share-prepared-statements>false</share-prepared-statements>
      </statement>
    </datasource>
Reference Link: http://middlewaremagic.com/jboss/?p=1026
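Added example, not part of the answer above or of JBoss/WildFly: a small Python audit over a standalone.xml that reports, per datasource, whether the <security> block carries a literal <password> (as in the question) or references a security domain (as in the answer), and which login module that domain uses. It flags SecureIdentityLoginModule specifically because that module stores a value the server must be able to reverse, so anyone who can read the configuration can recover the password; this is the point the next answer makes, and the module should be treated as obfuscation rather than protection. The standalone.xml fragment is constructed for the demonstration from the two snippets in this thread; tags are matched by local name so the real namespaced subsystems (urn:jboss:domain:datasources, urn:jboss:domain:security) are handled too.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment mirroring the thread: one datasource with an
# inline password, one referencing the security domain from the answer.
SAMPLE_STANDALONE = """<server>
  <subsystem xmlns="urn:jboss:domain:datasources:1.0">
    <datasources>
      <xa-datasource jndi-name="java:jboss/datasources/ExampleXADS" pool-name="ExampleXADS">
        <security>
          <user-name>sa</user-name>
          <password>sa</password>
        </security>
      </xa-datasource>
      <datasource jndi-name="java:jboss/jdbc/JNDIDS" pool-name="OFS1">
        <security>
          <security-domain>encrypted-ds-WASM2</security-domain>
        </security>
      </datasource>
    </datasources>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
      <security-domain name="encrypted-ds-WASM2" cache-type="default">
        <authentication>
          <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="WASM2"/>
            <module-option name="password" value="0000000000000000"/>
          </login-module>
        </authentication>
      </security-domain>
    </security-domains>
  </subsystem>
</server>
"""


def local(tag: str) -> str:
    """Strip a namespace prefix such as {urn:jboss:domain:datasources:1.0} from a tag."""
    return tag.rsplit("}", 1)[-1]


def login_modules_by_domain(root: ET.Element) -> dict[str, list[str]]:
    """Map each defined security domain (the ones with a name attribute) to its login-module codes."""
    domains = {}
    for el in root.iter():
        if local(el.tag) == "security-domain" and el.get("name"):
            domains[el.get("name")] = [lm.get("code", "") for lm in el.iter() if local(lm.tag) == "login-module"]
    return domains


def audit_datasources(xml_text: str) -> list[dict]:
    """Return one report entry per datasource / xa-datasource with a list of findings."""
    root = ET.fromstring(xml_text)
    domains = login_modules_by_domain(root)
    report = []
    for ds in root.iter():
        if local(ds.tag) not in ("datasource", "xa-datasource"):
            continue
        entry = {"pool": ds.get("pool-name"), "jndi": ds.get("jndi-name"), "findings": []}
        sec = next((c for c in ds if local(c.tag) == "security"), None)
        if sec is None:
            entry["findings"].append("no <security> element")
        else:
            children = {local(c.tag): (c.text or "").strip() for c in sec}
            if "password" in children:
                entry["findings"].append("plaintext <password> in datasource definition")
            if "security-domain" in children:
                name = children["security-domain"]
                codes = domains.get(name)
                if codes is None:
                    entry["findings"].append(f"security-domain '{name}' is not defined")
                elif any(c.endswith("SecureIdentityLoginModule") for c in codes):
                    entry["findings"].append(
                        f"security-domain '{name}' uses SecureIdentityLoginModule: the stored value is "
                        "reversible by anyone who can read the configuration, so treat it as obfuscation")
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in audit_datasources(SAMPLE_STANDALONE):
        print(entry["pool"], entry["jndi"], entry["findings"] or "no findings")
```

The useful outcome of the audit is the inventory: every datasource that still embeds a password, and every domain whose protection is only reversible obfuscation, so you know which credentials a reader of standalone.xml effectively holds.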
It is not possible. If the web application has to be able to decrypt the password to use the database, anyone on the server can do the same.
If you want to restrict access, keep the server under your control and let them access it only through a web front end.
(And even if it was possible to usefully encrypt, if they have server access they can trivially copy the database files onto their workstations, or add new user accounts to the database server).

how to export auto generated machine key

I have been using OWIN OAuth bearer tokens for Web API authentication. I had only a single server, so I never needed to custom-generate a machine key. Right now, I need to move to a web farm behind a load balancer. I don't want my current users' bearer tokens to become invalid when I move to the farm. How do I export an auto-generated machine key, and import it to another server?
The configuration file deployed on each server must have the same machine key. Some reference here.
Basically you have to copy this section to the other servers' config file:
    <machineKey validationKey="A970D0E3C36AA17C43C5DB225C778B3392BAED4D7089C6AAF76E3D4243E64FD797BD17611868E85D2E4E1C8B6F1FB684B0C8DBA0C39E20284B7FCA73E0927B20" decryptionKey="88274072DD5AC1FB6CED8281B34CDC6E79DD7223243A527D46C09CF6CA58DB68" validation="SHA1" decryption="AES" />
It's always best to use a script to generate your own machine keys.
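Added example, not from the answer above and not Microsoft's script: a Python helper that generates a <machineKey> element with fresh CSPRNG values of the same sizes as the element shown (a 64-byte validationKey and a 32-byte decryptionKey for AES), renders it for pasting into every farm member's web.config, and sanity-checks a key before deployment (correct lengths, hex only, and no AutoGenerate modifier, which would give each server its own key and break tokens across the farm). The default validation algorithm HMACSHA256 is this example's choice, not the SHA1 from the snippet above; both are accepted values for the attribute.

```python
from __future__ import annotations
import re
import secrets
from xml.sax.saxutils import quoteattr

# Sizes matching the <machineKey> element quoted above:
# 64 bytes -> 128 hex chars for validationKey, 32 bytes -> 64 hex chars for decryptionKey (AES-256).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HEX_RE = re.compile(r"^[0-9A-F]+$")


def generate_machine_key(validation: str = "HMACSHA256", decryption: str = "AES") -> dict[str, str]:
    """Produce fresh random key material with the secrets module (a CSPRNG), uppercase hex as in web.config."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": validation,
        "decryption": decryption,
    }


def render_machine_key(mk: dict[str, str]) -> str:
    """Render the dict as the <machineKey .../> element to place in each server's web.config."""
    attrs = " ".join(f"{name}={quoteattr(value)}" for name, value in mk.items())
    return f"<machineKey {attrs} />"


def parse_machine_key(element: str) -> dict[str, str]:
    """Parse an existing <machineKey .../> element (e.g. copied from the first server) back into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', element))


def validate_machine_key(mk: dict[str, str]) -> list[str]:
    """Checks a deployment script should run before writing web.config; returns a list of problems."""
    problems = []
    for name, nbytes in (("validationKey", VALIDATION_KEY_BYTES), ("decryptionKey", DECRYPTION_KEY_BYTES)):
        value = mk.get(name, "")
        if "AutoGenerate" in value:
            problems.append(f"{name} uses AutoGenerate; farm members would not share the same key")
            continue
        if len(value) != nbytes * 2 or not HEX_RE.match(value):
            problems.append(f"{name} must be {nbytes * 2} uppercase hex characters")
    return problems


if __name__ == "__main__":
    key = generate_machine_key()
    assert validate_machine_key(key) == []
    print(render_machine_key(key))
```

Generate the element once, store it with the same care as any other credential, and deploy the identical element to every server; re-running the generator on each server would reproduce exactly the problem the question describes.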

<machinekey> in web.config and machine.config

If the machine.config file does not define any section, nor does any web.config file, does it default to the AutoGenerate option?
Thanks
Vikas
Yes, the AutoGenerate setting is the default setting for both decryptionKey and validationKey.
"AutoGenerate, IsolateApps" - Specifies that the key is automatically generated. This is the default value. The AutoGenerate modifier specifies that ASP.NET generates a random key and stores it in the Local Security Authority (LSA). The IsolateApps modifier specifies that ASP.NET generates a unique encrypted key for each application using the application ID of each application.
Source: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx

Encrypting custom configuration settings

I'm having some trouble encrypting a configuration section. We use a package from an external supplier and the web.config is structured in the following way:
web.config
    <appSettings file="customSettings.config">
      <add key="generic_setting" value="true"/>
      <add key="another_generic_setting" value="false"/>
    </appSettings>
customSettings.config
    <appSettings>
      <add key="company_db_username" value="sa"/>
      <add key="company_db_password" value="secret"/>
    </appSettings>
We use WiX to create an installation package (msi) so we can deploy this in our organization. One custom action we execute is the encryption of the appSettings section. In the situation depicted above, it unfortunately only encrypts the section in the web.config file and leaves customSettings.config untouched.
I did notice that the configSource attribute works a bit better with encryption than the file attribute, but it doesn't support merging elements from both files. Now I could programmatically merge the elements of the customSettings.config into web.config before I encrypt everything in the custom action, but I was wondering if there is a cleaner solution to this.
Based on your example, where the information you're encrypting is a DB username and password, one alternative is to use Windows Authentication to connect to your DB the first time. The initial user would have very restricted rights.
Use that connection to obtain the credentials / connection string for a higher-privilege account, which you have previously stored using item-level DB encryption (see OPEN SYMMETRIC KEY and ENCRYPTBYKEY).

Encrypted & unencrypted connection strings in web.config?

Is it possible to have both encrypted and unencrypted connection strings in the same web.config?
I don't believe that you can encrypt an individual connection string as part of the ConnectionStrings section. This is because ConfigurationElement objects (which ConnectionStringSetting derives from) have an ElementInformation property which does not have a Protect method. A ConfigurationSection has a SectionInformation property which does have a Protect method; ConnectionStringsSection inherits from ConfigurationSection.
So, with that said, you can encrypt a ConnectionStringsSection, but not a ConnectionStringSetting.
However, all is not lost. You do have the ability to create your own sections/elements to maintain your non-encrypted (or encrypted, depending on which way you want to go) connection strings. You just won't be able to access them using the WebConfigurationManager's ConnectionStrings property.