Encrypting passwords for GM's datasources in jboss

Document ID : KB000018193
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The datasource xml files for GM store the password in plain-text when GM is installed on jboss. Here are steps on how to encrypt these.

Solution:

1.1 Encrypting GM Data Source Password

CA GM application uses four databases

  1. Eurekify_sdb : GM User, role, resource configuration database

  2. WPDS : GM Workpoint Workflow database

  3. Eurekify_Ticketdb : GM Ticket database

  4. Gvm_datawarehouse : GM Report Database

By default all DS configuration files are configured holding the database password in plain text. The org.jboss.resource.security.SecureIdentityLoginModule can be used to encrypt database passwords rather than using clear text passwords in the datasource configuration. JBoss uses a hard-coded password to encrypt/decrypt the datasource password when starting up.

High level steps to configure JBOSS to use encrypted Datasource password:

  1. Create policy for each datasource in login-config.xml file. The policy holds login module, UserName, encrypted password and Managedconnection parameter for each data source.

  2. Use this policy to use as a security domain in corresponding datasource configuration file.

    *These steps assume that MS SQL Server is being used for the GM databases.

    For the CA GM Application, the JBOSS Data Source XML configuration files are used to configure datasources. The Datasource configuration files names ends with suffix -ds.xml can be located under:

    D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\

    1. eurekify-ds.xml       :  DS configuration for eurekify_sdb and eurekify_ticketdb database2. reportdb-ds.xml       :  DS configuration for gvm_datawarehouse database3. wp-ds.xml             :  DS configuration for WPDS (Workpoint) database.


    The details for modifying these files are given below.

1.1.1 Encrypting data source password

  1. To encrypt the password using class execute following command on eurekify application server.

    cd D:\Program Files\CA\RCM\Server\eurekify-jboss
    java -cp client/jboss-logging-spi.jar;common/lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule password
    Where "password" is the password value for DB user (CARCMUser)
    Tested for 12.5 SP 4-7 and 12.6.00
    Note: any leading dash "-" is part of the hash
    For example, the password of "password" encrypts to: 5dfc52b51bd35553df8592078de921bc
    CARCMUser: 738224e1394baf3bdf8592078de921bc

  2. Paste encrypted password value into each file as further explained below

1.1.2 Using Encrypted Datasource password for GM Databases

  1. Locate login-config.xml file under:

    D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\conf
    Or
    D:\jboss-5.1.0.GA\server\all\conf (for a cluster)

    Make a backup copy of the file and open for editing.

  2. Add the following policies to the end of login-config.xml configuration file and before </Policy> XML tag (the last line of the file).

    1. *Change Username (CARCMUser ) and Password Hash as needed in the xml below

    2. <module-option name="password">*********</module-optioname> tag for each database policy, since all 4 databases use the same DB account.

      For Convenience you can copy the following section:

      ----- start copy <!-- eurekify Database Password Encryption Policy --> <application-policy name="eurekify_SDB">   <authentication>              <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">                          <module-option name="username">CARCMUser</module-option>                           <module-option name="password">passwordhash</module-option>                           <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/eurekifyDS,service=LocalTxCM</module-option>               </login-module>   </authentication></application-policy> <application-policy name="eurekify_TicketDB">   <authentication>              <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">                          <module-option name="username">CARCMUser</module-option>                           <module-option name="password">passwordhash</module-option>                           <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/eurekifyTmsDS,service=LocalTxCM</module-option>               </login-module>   </authentication></application-policy> <application-policy name="eurekify_ReportDB">   <authentication>              <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">                          <module-option name="username">CARCMUser</module-option>                           <module-option name="password">passwordhash</module-option>                           <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/eurekifyReportdbDS,service=LocalTxCM</module-option>               </login-module>   </authentication></application-policy> <application-policy name="eurekify_WP">   <authentication>              <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">                          <module-option name="username">CARCMUser</module-option>                           <module-option name="password">passwordhash</module-option>                           <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/WPDS,service=LocalTxCM</module-option>               </login-module>   </authentication></application-policy> 

  3. Modify eurekify-ds.xml: In eurekify-ds.xml file

    1. Read this whole section before beginning these steps

    2. D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\

    3. comment User Name and Password XML tag

    4. remove the password from the comment

    5. add Security-Domain entry for eurekify_sdb and eurekify_ticketdb database.

      *Note: Remember to change the clear text password in the commented out sections. Also in any backed up copies of this file.

      For eurekify_sdb add the following line:
      <security-domain>eurekify_SDB</security-domain>

      For eurekify_ticketdb add the following line:

       <security-domain>eurekify_TicketDB</security-domain>    The eurekify-ds.xml file should look like the following:  ...<driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class><!-- <user-name>CARCMUser</user-name><password>password</password> 	--><security-domain>eurekify_SDB</security-domain>......<driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class><!-- <user-name>CARCMUser</user-name><password>password</password>" --><security-domain>eurekify_TicketDB</security-domain>...

      For example:

      Figure 1

  4. . Modify reportdb-ds.xml: In eurekify-reportdb.xml file,

    1. comment out the User Name and Password XML tag and

    2. add Security-Domain entry for eurekify_reportdb database.

       	<security-domain>eurekify_ReportDB</security-domain>    The reportdb-ds.xml file should look like the following:  ... <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class><!-- <user-name>CARCMUser</user-name><password>password</password> 	--><security-domain>eurekify_ReportDB</security-domain> 	...


  5. Modify wp-ds.xml: In wp-ds.xml file

    1. comment User Name and Password XML tag and

    2. add Security-Domain entry for WPDS database.

       <security-domain>eurekify_WP</security-domain>    The wp-ds.xml file should look like the following:  <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class><!- <user-name>CARCMUser</user-name><password>password</password> 	--><security-domain>eurekify_WP</security-domain>