./encrypt.sh input=mypassword password=mykey algorithm=PBEWithMD5AndDES
Encrypting LDAP and Database Passwords in MMC
Enterprise Edition
The Management Console allows you to encrypt, out of the box, the following passwords used by MMC:
-
Database for environment data
-
Database for tracking data (Business Events)
-
LDAP password for MMC access to LDAP server
Previous versions of MMC required you to download an external library in order to encrypt the passwords, and to alter MMC configuration files in order to modify Java beans. In MMC, all you need to do is encrypt the password by running the provided script, and include the encrypted result in the relevant configuration file.
Assumptions
This document assumes that you are familiar with the basic Architecture of the Mule Management Console. It also assumes that you have installed MMC version 3.5.0. (Download it from the customer portal if you need to upgrade to this version.)
Overview
MMC stores passwords in configuration files, in plain text by default. In this scenario, an attacker with access to the filesystem where MMC resides could easily read the stored passwords. Encrypting the passwords allows you to avoid this security risk.
MMC uses the Jasypt encryption library for password encryption. You encrypt your password by running a script included in the MMC installation, as explained below.
Encrypting the Password
To encrypt the password, run the appropriate script in your system’s terminal:
-
Unix:
<MMC_HOME>/encrypt/encrypt.sh
-
Windows:
<MMC_HOME>\encrypt\encrypt.bat
The script accepts several parameters, in the form <parameter>=<value>
.
Script parameter | Description |
---|---|
|
The value to encrypt. This is the actual LDAP or database password you wish to encrypt. |
|
The string used for encrypting |
|
(Optional.) The algorithm to use for encryption. |
Example
MMC uses -DMMC_ENCRYPTION_KEY=<your key> For example, if running MMC on Tomcat, you can modify the For more information on starting Mule with custom parameters, see Starting and Stopping Mule. |
Note that if on a Unix or Unix-based system, you need to set execute permissions for encrypt.sh
to be able to run it.
How to apply execute permissions on Unix systems To set execute permissions for the
chmod a+x <path to file>encrypt.sh This will assign execute permissions for all users on the system. If you wish to assign permissions only for the owner of the file, use Note about Tomcat installations on some systems As a security measure, on some systems the Tomcat user is not allowed to run commands (the user’s login shell is set to
For more information on the |
When you run the script, it will show the encrypted password on standard output, as shown in the example below.
./encrypt.sh input="mmc123" password=DEFAULTPASS
----ENVIRONMENT-----------------
Runtime: Sun Microsystems Inc. OpenJDK 64-Bit Server VM 20.0-b12
----ARGUMENTS-------------------
input: mmc123
password: DEFAULTPASS
----OUTPUT----------------------
kB0xirnPDlRXeCcHUjP7NQ==
Copy the encrypted output (the last line displayed above) and store it in a convenient location, such as a text file of your choosing. You will need to copy this value to the appropriate configuration file, as explained in the next section.
For more information about encrypt.sh
, including other usage examples, see Jasypt’s CLI Tools page.
Modifying the Configuration File
Determining Which File to Modify
MMC stores passwords in the files and directories listed below:
LDAP:
<MMC_HOME>/WEB-INF/classes/META-INF/mmc-ldap.properties
Databases for persistent and tracking data:
<MMC_HOME>/WEB-INF/classes/META-INF/databases
The databases
directory contains one configuration file per supported database engine (see note below). There are two types of configuration files:
-
Files for supported database engines to store MMC persistent data (created alerts, deployments, etc.) These files are named in the format
mmc-<database engine name>.properties
. For example,mmc-postgres.properties
. -
Files for supported database engines to store transaction data (Business Events). These files are named in the format
tracking-persistence-<database engine name>.properties
. For example,tracking-persistence-postgres.properties
.
Click to see a complete listing of the databases directory
mmc-db2.properties
mmc-derby.properties
mmc-mssql.properties
mmc-mysql.properties
mmc-oracle.properties
mmc-postgres.properties
tracking-persistence-db2.properties
tracking-persistence-h2.properties
tracking-persistence-mssql.properties
tracking-persistence-mysql.properties
tracking-persistence-oracle.properties
tracking-persistence-postgres.properties
By default, MMC stores persistent and transaction data on internal databases. However, you can store this data on external databases (see Persisting MMC Data On External Databases for details and supported database servers). If you are using MMC’s internal databases, in order to encrypt your password you will need to modify the following configuration files:
|
Modifying the File
For each file that you need to modify, open it and locate one of the following lines, according to the type of data whose password you wish to encrypt:
For the persistent data password:
env.password=mmc123
For the transaction data password:
mmc.tracking.db.password=mmc123
For the LDAP password:
password=mmc123
Comment the line by adding a hash symbol (#) to the beginning of the line, for example:
# env.password=mmc123
Add a new line with the variable declaration (in this example, env.password
for the password for environment data) and the encoded value of your password in the following format:
ENC("<your encoded password>")
For example:
env.password=ENC("kB0xirnPDlRXeCcHUjP7NQ==")
Examples of File Selections
Encrypting the password for tracking data stored on MMC’s default tracking database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/tracking-persistence-h2.properties
(parameter mmc.tracking.db.password
).
Encrypting the password for persistent data stored on MMC’s default persistent data database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/mmc-derby.properties
(parameter env.password
).
Encrypting the password for persistent data stored on an external Oracle database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/mmc-oracle.properties
(parameter env.password
).
Encrypting the password for LDAP: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/``mmc-ldap.properties `(parameter `password
).
See Also
-
Learn how to encrypt MMC User Passwords
-
Learn about persisting MMC Data On External Databases
-
Learn how to enable LDAP Authentication for MMC