2
votes

I am new to wso2 so hopefully I am not missing something obvious but we are trying to successfully encrypt the Connection password for a secondary user store (\repository\deployment\server\userstores\domain.xml) and have it remain usable.

We have used the cipher tool for all our other secret information and have no issues. I have also used the cipher-tool.properties to set up a reference to the secondary user store file and got the connection password encrypted running ciphertool.bat -Dconfigure.

At that point I restart the service and viewing the logs I receive the following error and none of my secondary user store users are available. AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0

I have double checked that the value I am encrypting is in fact correct. As soon as I change it back to the clear text password it works again.

Do I have to create a custom UserStoreManager in order to achieve this?

2
Just downloaded the new wso2greg-5.0.0 which is based on Carbon 4.4 as opposed to 4.2 and it looks like it is encrypting the ConnectionPassword for a secondary userstore now out of the box with no configuration changes required. Would still like to find a solution for 4.2 since the latest release for 4 of the 5 products we use are still based on 4.2. - jchaplin

2 Answers

1
votes

Please try setting the alias of the property as "UserStoreManager.Property.ConnectionPassword" both in cipher-tool.properties and cipher-text.properties files.

In cipher-tool.properties

UserStoreManager.Property.ConnectionPassword=../../deployment/server/userstores/prudential.xml//UserStoreManager/Property[@name='ConnectionPassword'], true

In cipher-text.properties

UserStoreManager.Property.ConnectionPassword=[your password]

Run the cipher tool again with -Dconfigure and check.

0
votes

The cipher tool cannot be used to encrypt Secondary User Store connection passwords. Instead, if you are manually adding a Secondary User Store Configuration file to the

<Product_Home>/repository/deployment/server/userstores

directory, you can use the following steps to easily encrypt it.

Step 1 :

Create the Secondary User Store Configuration xml file and remove the “encrypted” attribute present in the relevant property for Connection Password as follows. Note that the password is in plain text.

<Property name="ConnectionPassword">admin</Property>

Step 2 :

Now rename the xml file to have a file extension of .enc as shown below. If the name of the xml file is xyz_com.xml, rename it to

xyz_com.enc

Step 3 :

Drop the .enc file to /repository/deployment/server/userstores directory. Remember to create the “userstores” directory if it is not present.

That is all you have to do. Now you can see that the dropped file has been renamed to an xml file automatically, and when you check the file contents, the "ConnectionPassword" property has been encrypted as shown below. Note the property encrypted="true" added to the property automatically.

<Property name="ConnectionPassword" encrypted="true">[encrypted value]</Property>

You don’t need to restart the server for these changes to be reflected. The file gets hot deployed.

You can find more information regarding encrypting Secondary User Store passwords from this article.
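A small check to confirm the outcome both answers aim for, added here as example code that is not part of either answer or of WSO2 itself: it reads a secondary user store XML file, locates the ConnectionPassword property with the same XPath shape used in the cipher-tool.properties entry above, and reports whether it carries encrypted="true" with a non-empty value. The two sample files and the audit directory path are constructed for the example; the ciphertext is a placeholder.

```python
import pathlib
import xml.etree.ElementTree as ET

# Constructed samples (not from the thread). PLAINTEXT_XML is the Step 1 form;
# ENCRYPTED_XML mirrors what the hot deployer is described as writing back,
# with a placeholder standing in for the real ciphertext.
PLAINTEXT_XML = """<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
  <Property name="ConnectionURL">ldap://ldap.example.test:389</Property>
  <Property name="ConnectionName">cn=svc-bind,dc=example,dc=test</Property>
  <Property name="ConnectionPassword">admin</Property>
  <Property name="DomainName">xyz.com</Property>
</UserStoreManager>
"""

ENCRYPTED_XML = """<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
  <Property name="ConnectionURL">ldap://ldap.example.test:389</Property>
  <Property name="ConnectionName">cn=svc-bind,dc=example,dc=test</Property>
  <Property name="ConnectionPassword" encrypted="true">BASE64_CIPHERTEXT_PLACEHOLDER</Property>
  <Property name="DomainName">xyz.com</Property>
</UserStoreManager>
"""


def connection_password_state(xml_text):
    """Classify the ConnectionPassword property of one user store file as
    'encrypted', 'plaintext', 'empty' or 'missing'. An empty value is flagged
    separately because it would break the LDAP bind even if marked encrypted."""
    root = ET.fromstring(xml_text)
    # Same predicate as //UserStoreManager/Property[@name='ConnectionPassword']
    props = root.findall("./Property[@name='ConnectionPassword']")
    if not props:
        return "missing"
    prop = props[0]
    value = (prop.text or "").strip()
    if not value:
        return "empty"
    if prop.get("encrypted", "false").lower() == "true":
        return "encrypted"
    return "plaintext"


def audit_userstores(directory):
    """Scan a <Product_Home>/repository/deployment/server/userstores directory
    and map each *.xml file name to its ConnectionPassword state."""
    findings = {}
    for path in sorted(pathlib.Path(directory).glob("*.xml")):
        findings[path.name] = connection_password_state(path.read_text(encoding="utf-8"))
    return findings


if __name__ == "__main__":
    print("plaintext sample:", connection_password_state(PLAINTEXT_XML))
    print("encrypted sample:", connection_password_state(ENCRYPTED_XML))
```

Running audit_userstores against the live userstores directory after the hot deployment lets you confirm no file still reports "plaintext" before restarting anything.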