This tutorial covers the steps for encrypting the plain text passwords in the Ephesoft configuration files to improve the security of the application.
- The plain text passwords in the Ephesoft configuration files have to be replaced manually with the encrypted password generated by the Password Encryption Utility.
- The passwords can be encrypted in the server.xml file (database passwords & LDAP / AD connection password), the dcma-ftp properties file, the user-connectivity file, the etl-properties file under dcma-reporting, as well as the applicationContext-security.xml file (if using SAML SSO).
- Usernames can also be encrypted in the same way.
- The encryption mechanism is similar across almost all versions; this tutorial largely focuses on Ephesoft versions above 4060 for both Windows & Linux environments.
Security, Encryption & Decryption
Steps to Encrypt the passwords:
- Run Encryptor.sh / Encryptor.bat (Ephesoft\Application\native\encryption); it will ask for the plain text password and convert it into encrypted text. Make a note of all the encrypted passwords in a text file, since they need to replace the plain text values in the configuration files.
- The files where the plain text password needs to be changed are server.xml, user-connectivity (dcma-user-connectivity), etl-properties (dcma-reporting) and ftp.properties (dcma-ftp).
- Open the dcma-encryption.properties file (Ephesoft\Application\WEB-INF\classes\META-INF\dcma-encryption) and set the values of password.use_encryption & password.encrypt to true.
- If using LDAP & AD password encryption in server.xml:
a. Comment out <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
b. In the realm settings, change the Realm className from org.apache.catalina.realm.JNDIRealm to com.ephesoft.realm.EphesoftRealm, i.e. <Realm className="com.ephesoft.realm.EphesoftRealm"/>
c. Use the encrypted password generated for the connectionPassword property when you configure AD in the server.xml file.
- If using database password encryption in server.xml:
a. Change the factory attribute of the Resource tag to "com.zaxxer.hikari.encryption.EncryptedHikariJNDIFactory" and provide the generated encrypted password in the dataSource.password attribute.
Note: To ensure a successful DB connection, all Oracle DB passwords in server.xml have to be enclosed in double quotes, so the quotes are part of the attribute value (e.g. dataSource.password="&quot;Passw0rd&quot;" in the XML). When using the Encryptor, make sure to provide only the password, without the double quotes (e.g. Passw0rd).
- Along with these changes, make sure to change the password property in dcma-ftp: by default it uses * (asterisk), which may cause an error. Even if you are not using FTP, any encrypted password can be used here.
- Make a final username and password change in the etl-variables.properties file (Ephesoft\Application\WEB-INF\classes\META-INF\dcma-reporting). Note that here it is important to encrypt both ephesoft.loginusername and ephesoft.loginpassword.
- Once all these plain text passwords have been replaced, you can go ahead and restart the service.
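As an added check after completing the steps above (example code written for this page, not an Ephesoft tool), the script below audits a server.xml for an active UserDatabaseRealm, a Realm className other than com.ephesoft.realm.EphesoftRealm, and any Resource whose factory is not the EncryptedHikariJNDIFactory, and checks that both flags in dcma-encryption.properties are true. The sample server.xml and properties content are constructed; the Resource names and the ENC_ values stand in for real Encryptor output.

```python
import xml.etree.ElementTree as ET

HIKARI_ENC_FACTORY = "com.zaxxer.hikari.encryption.EncryptedHikariJNDIFactory"
EPHESOFT_REALM = "com.ephesoft.realm.EphesoftRealm"
USERDB_REALM = "org.apache.catalina.realm.UserDatabaseRealm"
REQUIRED_FLAGS = ("password.use_encryption", "password.encrypt")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def audit_server_xml(xml_text):
    """Findings for the Realm and Resource steps; an empty list means all good."""
    findings = []
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser,
    for realm in root.iter("Realm"):  # so a commented-out realm is not reported
        cls = realm.get("className", "")
        if cls == USERDB_REALM:
            findings.append("UserDatabaseRealm is still active; comment it out")
        elif cls != EPHESOFT_REALM:
            findings.append(f"Realm className {cls!r}; expected {EPHESOFT_REALM}")
    for res in root.iter("Resource"):
        if res.get("factory") != HIKARI_ENC_FACTORY:
            findings.append(f"Resource {res.get('name')!r}: factory is not {HIKARI_ENC_FACTORY}")
    return findings


def audit_encryption_properties(text):
    """Both flags in dcma-encryption.properties must be true."""
    props = parse_properties(text)
    return [f"{k} must be true (found {props.get(k)!r})"
            for k in REQUIRED_FLAGS if props.get(k, "").lower() != "true"]


# Constructed sample inputs; ENC_... stands in for real Encryptor output.
SAMPLE_SERVER_XML = """<Server><Engine>
  <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> -->
  <Realm className="com.ephesoft.realm.EphesoftRealm" connectionPassword="ENC_ldap"/>
  <Resource name="jdbc/ephesoft" factory="com.zaxxer.hikari.encryption.EncryptedHikariJNDIFactory" dataSource.password="ENC_db"/>
  <Resource name="jdbc/report" factory="com.zaxxer.hikari.HikariJNDIFactory" dataSource.password="Passw0rd"/>
</Engine></Server>"""
SAMPLE_ENC_PROPS = "password.use_encryption=true\npassword.encrypt=false\n"
```

Run audit_server_xml and audit_encryption_properties on the contents of the real files under Ephesoft\Application; on the samples the first reports the jdbc/report Resource that still uses the plain HikariJNDIFactory and the second reports password.encrypt=false.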