Encrypting LDAP and Database Passwords in MMC 3.4.2
Enterprise Edition
Example invocation of the encryption script with all three parameters:
./encrypt.sh input=mypassword password=mykey algorithm=PBEWithMD5AndDES
Version 3.4.2 of the Management Console allows you to encrypt, out of the box, the following passwords used by MMC:
Database for environment data
Database for tracking data (Business Events)
LDAP password for MMC access to LDAP server
Previous versions of MMC required you to download an external library in order to encrypt the passwords, and to alter MMC configuration files in order to modify Java beans. In MMC 3.4.2, all you need to do is encrypt the password by running the provided script, and include the encrypted result in the relevant configuration file.
This document assumes that you are familiar with the basic architecture of the Mule Management Console. It also assumes that you have installed MMC version 3.4.2. (Download it from the customer portal if you need to upgrade to this version.)
By default, MMC stores passwords in its configuration files in plain text, so an attacker with access to the filesystem where MMC resides could easily read them. Encrypting the passwords allows you to avoid this security risk.
MMC uses the Jasypt encryption library for password encryption. You encrypt your password by running a script included in the MMC installation, as explained below.
Encrypting the Password
To encrypt the password, run the appropriate script in your system’s terminal:
The script accepts several parameters, in the form <parameter>=<value>:
Script parameter | Description |
input | The value to encrypt. This is the actual LDAP or database password you wish to encrypt. |
password | The string used for encrypting. |
algorithm | (Optional.) The algorithm to use for encryption. |
MMC uses the -DMMC_ENCRYPTION_KEY=<your key> startup parameter to obtain the encryption key. For example, if running MMC on Tomcat, you can modify the
For more information on starting Mule with custom parameters, see Starting and Stopping Mule ESB.
Note that on a Unix or Unix-based system, you need to set execute permissions for encrypt.sh to be able to run it.
How to apply execute permissions on Unix systems
To set execute permissions for the
This will assign execute permissions for all users on the system. If you wish to assign permissions only for the owner of the file, use
Note about Tomcat installations on some systems
As a security measure, on some systems the Tomcat user is not allowed to run commands (the user’s login shell is set to
For more information on the
When you run the script, it will show the encrypted password on standard output, as shown in the example below.
./encrypt.sh input="mmc123" password=DEFAULTPASS
Runtime: Sun Microsystems Inc. OpenJDK 64-Bit Server VM 20.0-b12
input: mmc123
Copy the encrypted output (the last line displayed above) and store it in a convenient location, such as a text file of your choosing. You will need to copy this value to the appropriate configuration file, as explained in the next section.
For more information about encrypt.sh, including other usage examples, see Jasypt’s CLI Tools page.
Modifying the Configuration File
Determining Which File to Modify
MMC stores passwords in the files and directories listed below:
Databases for persistent and tracking data: the databases directory contains one configuration file per supported database engine (see note below). There are two types of configuration files:
Files for supported database engines to store MMC persistent data (created alerts, deployments, etc.). These files are named in the format mmc-<database engine name>.properties. For example, mmc-postgres.properties.
Files for supported database engines to store transaction data (Business Events). These files are named in the format tracking-persistence-<database engine name>.properties. For example, tracking-persistence-postgres.properties.
Complete listing of the databases directory:
By default, MMC stores persistent and transaction data on internal databases. However, you can store this data on external databases (see Persisting MMC Data On External Databases for details and supported database servers). If you are using MMC’s internal databases, in order to encrypt your password you will need to modify the following configuration files:
Modifying the File
For each file that you need to modify, open it and locate one of the following lines, according to the type of data whose password you wish to encrypt:
For the persistent data password:
For the transaction data password:
For the LDAP password:
Comment the line by adding a hash symbol (#) to the beginning of the line, for example:
# env.password=mmc123
Add a new line with the variable declaration (in this example, env.password for the password for environment data) and the encoded value of your password in the following format:
ENC("<your encoded password>")
For example:
Examples of File Selections
Encrypting the password for tracking data stored on MMC’s default tracking database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/tracking-persistence-h2.properties (parameter mmc.tracking.db.password).
Encrypting the password for persistent data stored on MMC’s default persistent data database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/mmc-derby.properties (parameter env.password).
Encrypting the password for persistent data stored on an external Oracle database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/mmc-oracle.properties (parameter env.password).
Encrypting the password for LDAP: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/mmc-ldap.properties (parameter password).
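The following Python helper is an added example, not part of MMC or of this page: it performs the substitution described above (commenting out the plaintext line and adding the ENC("...") line) and audits which of the files listed in this section still hold a plaintext password. The file names and parameter names are the ones given on this page; the sample file contents and the encrypted values are constructed placeholders.

```python
import re

# File -> password key, as listed on this page. Paths are relative to
# <MMC_HOME>/WEB-INF/classes/META-INF/.
FILE_KEYS = {
    "databases/mmc-derby.properties": "env.password",
    "databases/mmc-oracle.properties": "env.password",
    "databases/tracking-persistence-h2.properties": "mmc.tracking.db.password",
    "mmc-ldap.properties": "password",
}
ENC_RE = re.compile(r'^ENC\("([^"]+)"\)$')  # Jasypt's ENC("...") wrapper, non-empty

def is_encrypted(value):
    """True when the value is stored in MMC's ENC("...") form."""
    return ENC_RE.match(value.strip()) is not None

def active_value(text, key):
    """Value of the first uncommented `key=value` line, or None if there is none."""
    for line in text.splitlines():
        s = line.strip()
        if s and s[0] not in "#!" and s.split("=", 1)[0].strip() == key:
            return s.split("=", 1)[1].strip() if "=" in s else ""
    return None

def wrap_password(text, key, encrypted):
    """Comment out the active `key=...` line and add key=ENC("...") right after it."""
    out, done = [], False
    for line in text.splitlines():
        s = line.strip()
        if not done and s and s[0] not in "#!" and s.split("=", 1)[0].strip() == key:
            out.append("# " + s)                      # keep the old line, commented
            out.append(f'{key}=ENC("{encrypted}")')   # new line in the documented format
            done = True
        else:
            out.append(line)
    if not done:
        raise KeyError(f"no active '{key}' property to replace")
    return "\n".join(out) + "\n"

def audit(files):
    """Return {file: key} for every listed password that is still in plain text."""
    findings = {}
    for name, key in FILE_KEYS.items():
        value = active_value(files[name], key) if name in files else None
        if value is not None and not is_encrypted(value):
            findings[name] = key
    return findings

# Constructed sample file contents (not real MMC files; the ENC payload is a placeholder).
SAMPLE = {
    "databases/mmc-derby.properties": "# constructed sample\nenv.password=mmc123\n",
    "mmc-ldap.properties": 'password=ENC("PLACEHOLDER_ENCRYPTED_VALUE")\n',
}
```

Calling audit(SAMPLE) flags the derby file, and audit() on the output of wrap_password() reports nothing; the check only confirms the ENC("...") wrapper is in place, it cannot tell whether the key passed via MMC_ENCRYPTION_KEY is itself kept away from the same filesystem.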
See Also
Learn how to encrypt MMC User Passwords
Learn about persisting MMC Data On External Databases
Learn how to enable LDAP Authentication for MMC