How can I secure passwords for DXmanager users in DXwebserver (Tomcat) which are in clear text?

Document ID : KB000025555
Last Modified Date : 14/02/2018

Description:

When you install DXmanager and set the password for the superuser, by default this password is stored in clear text in DXWEBHOME/conf/tomcat-users.xml. Using the following method, you can store digested passwords instead of clear text in the tomcat-users.xml file.

This has been addressed in a later release of DXwebserver/DXmanager, but if you run into a hashing problem, you can still follow this document to regenerate the password. For this, you only need to follow steps 1 and 2 below.

Solution:

Example

You have installed DXmanager on your machine, have set the DXmanager superuser password to "secret", and want to store this password as a digested password instead of clear text in the tomcat-users.xml file.

  1. On a command prompt, run the following command to digest the password "secret" using the SHA-512 algorithm:

    Windows
    % java -classpath "%DXWEBHOME%\lib\*;%DXWEBHOME%\bin\*" org.apache.catalina.realm.RealmBase -a SHA-512 secret

    Unix (Execute as user "dsa")
    % java -classpath "$DXWEBHOME/lib/*:$DXWEBHOME/bin/*" org.apache.catalina.realm.RealmBase -a SHA-512 secret

    Command output
    secret:4c734fe754915f5f3ded2ccd975ff86e13364f0a7b48091baf0c5a51961fe3be$1$5eae416068b6c92f6bfb56379f85f1b4b86b983a5461628cfdd8a2a79a2a93b56801fc59e031fab96a53d9eb448e99f1a7dc8ffad6df7c39d4b2a0cc1b693988


  2. Edit the DXWEBHOME/conf/tomcat-users.xml file and change the following line:

    <user username="dxmanager" password="secret" roles="dxmanagerSuperUser"/>

    to

    <user username="dxmanager" password="4c734fe754915f5f3ded2ccd975ff86e13364f0a7b48091baf0c5a51961fe3be$1$5eae416068b6c92f6bfb56379f85f1b4b86b983a5461628cfdd8a2a79a2a93b56801fc59e031fab96a53d9eb448e99f1a7dc8ffad6df7c39d4b2a0cc1b693988" roles="dxmanagerSuperUser"/>

    NOTE: Paste only the text that follows "secret:" in the command output from step 1.

  3. Edit the DXWEBHOME/conf/server.xml file and change the following line:

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>

    to

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA-512"/>

  4. Restart your DXwebserver.

    Windows
    Stop and start "CA Directory Webserver" via the Windows service manager.

    Unix (Execute as user "dsa")
    % dxwebserver stop
    % dxwebserver start

  5. Open a supported browser and connect to the following URL:
    https://HOSTNAME:8443/dxmanager/

    NOTE: Replace HOSTNAME with the name of the machine where DXmanager is installed (e.g. winxp-123).

  6. On the login screen enter username (default is dxmanager) and password "secret".

  7. Click on "Log in".

You should now have successfully logged in to DXmanager. This proves that the webserver is now using the digested password instead of the clear text password.
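
As an added example (not part of the original article and not CA or Tomcat code), the following Python script classifies every password attribute in a tomcat-users.xml file and checks a known password against a salted value, which is useful after step 2 and before the restart in step 4. It assumes the stored form is hexSalt$iterations$hexDigest with the salt hashed ahead of the password, as the step 1 output suggests; the sample file, its fixed salt and the "operator" user are constructed.

```python
import hashlib, hmac, re
import xml.etree.ElementTree as ET

# Assumed stored form, matching the step 1 output: hexSalt$iterations$hexDigest
SALTED = re.compile(r"^((?:[0-9a-f]{2})*)\$(\d+)\$([0-9a-f]+)$", re.I)

def digest(password, salt, iterations=1, algorithm="sha512"):
    """Round 1 hashes salt + password; every further round re-hashes the result."""
    result = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        result = hashlib.new(algorithm, result).digest()
    return result.hex()

def matches(password, stored, algorithm="sha512"):
    """True if password reproduces the digest part of a salted stored value."""
    m = SALTED.match(stored)
    if not m:
        return False
    salt_hex, iterations, expected = m.groups()
    actual = digest(password, bytes.fromhex(salt_hex), int(iterations), algorithm)
    return hmac.compare_digest(actual, expected.lower())

def audit(xml_text, algorithm="sha512"):
    """Map each username to 'salted-digest', 'unsalted-digest' or 'clear-text'."""
    hex_len = hashlib.new(algorithm).digest_size * 2
    report = {}
    for node in ET.fromstring(xml_text).iter():
        if node.tag.rsplit("}", 1)[-1] != "user":  # tolerate an XML namespace
            continue
        value = node.get("password", "")
        m = SALTED.match(value)
        if m and len(m.group(3)) == hex_len:
            kind = "salted-digest"
        elif re.fullmatch(r"[0-9a-fA-F]{%d}" % hex_len, value):
            kind = "unsalted-digest"
        else:
            kind = "clear-text"
        report[node.get("username")] = kind
    return report

# Constructed sample: fixed salt for repeatability; "operator" is a hypothetical user.
SAMPLE_SALT = bytes(range(32))
SAMPLE_STORED = "%s$1$%s" % (SAMPLE_SALT.hex(), digest("secret", SAMPLE_SALT))
SAMPLE_XML = """<tomcat-users>
  <user username="dxmanager" password="%s" roles="dxmanagerSuperUser"/>
  <user username="operator" password="secret" roles="dxmanagerSuperUser"/>
</tomcat-users>""" % SAMPLE_STORED

if __name__ == "__main__":
    print(audit(SAMPLE_XML), matches("secret", SAMPLE_STORED))
```

To audit a real installation, pass the bytes of DXWEBHOME/conf/tomcat-users.xml to `audit()`; any user reported as "clear-text" still needs steps 1 and 2.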