This knowledge document (KD) describes how to use password encryption for generic login to WSO. This new functionality was introduced with RO68316.
If an administrator of WSO enables Generic sign-on, WSO stores that password as plain text in the configuration file. This is a potential security exposure, and some organizations have strict policies against storing passwords in plain text, which makes the feature difficult for them to use. To allow the administrator to enable the feature without compromising security, WSO now encrypts the password using its proprietary algorithm.
The ability to encrypt the generic sign-on password in WSO was introduced with RO68316. Prior to this, the generic password could only be defined in plain text.
Encryption of Generic Password:
Prior to solution RO68316, generic passwords were stored in plain text. RO68316 adds a new folder (encrdecrutility) that contains the code required to encrypt a generic password. Asymmetric encryption is used for the generic password, which requires a public and private key pair. These key pairs are normally stored in a keystore; the keytool executable shipped with a JDK or JRE can generate a keystore containing a public and private key pair.
Generation of Keystore File:
The following command generates a keystore containing a public and private key pair:
keytool -genkeypair -alias "certId" -keyalg RSA -keystore "C:\mykey3.jks" -storepass "password1" -keypass "password2"
"-genkeypair" : generates a key pair (public and private key).
"-alias" : identifies the public and private keys. This alias is used to retrieve the public and private keys from the keystore.
"-keyalg" : specifies the algorithm used to generate the key pair.
"-keystore" : specifies the location and name of the keystore.
"-storepass" : specifies the keystore password.
"-keypass" : specifies the password used to access the private key.
You will be prompted for the following information:
- "What is your first and last name?", press enter
- "What is the name of your organizational unit?", press enter
- "What is the name of your Organization?", press enter
- "What is the name of your city or locality?", press enter
- "What is the name of your State or Province?", press enter
- "What is the two-letter country code for this unit?", press enter
- You are then asked whether the information entered is correct; confirm by typing yes.
After the execution of the command, a keystore file will be created at the location specified in the -keystore argument. This keystore file will be used for encryption of the generic password.
Properties added to WsoServer.properties file:
In order to access the public and private key from the keystore, the following properties were added to the 'WsoServer.properties' file in RO68316:
"certificate.location" : specifies the full path and name of the keystore file.
"keystore.password" : specifies the password used to access the keystore. The value of this property is the same as the -storepass option of the keytool command (section: Generation of Keystore File).
"certificate.id" : specifies the id of the public and private key. The value of this property is the same as the -alias option of the keytool command (section: Generation of Keystore File).
"certificate.password" : specifies the password used to access the private key in the keystore file. The value of this property is the same as the -keypass option of the keytool command (section: Generation of Keystore File).
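As an added example that is not part of this KD or of WSO itself, the following Python script reads WsoServer.properties with java.util.Properties rules (an assumption about how WSO loads the file) and checks the four RO68316 properties. It flags the common mistake of writing the Windows keystore path with single backslashes, which the properties format treats as escape characters; the sample file contents are constructed.

```python
import re

# The four properties RO68316 adds to WsoServer.properties.
REQUIRED_KEYS = ("certificate.location", "keystore.password",
                 "certificate.id", "certificate.password")

# Constructed sample, not a real file: the keystore path uses single
# backslashes and certificate.password is missing, the two mistakes checked below.
SAMPLE_PROPERTIES = r"""# WsoServer.properties (constructed sample)
certificate.location=C:\mykey3.jks
keystore.password=password1
certificate.id=certId
"""

_JAVA_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def _unescape(s):
    # Java keeps \t \n \r \f and \\, and silently drops the backslash of any
    # other escape, so "\m" becomes "m" (\uXXXX is not handled here).
    return re.sub(r"\\(.)", lambda m: _JAVA_ESCAPES.get(m.group(1), m.group(1)), s)

def parse_properties(text):
    """Parse text with java.util.Properties rules (assumption: WSO reads it that way)."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank or comment line
        if len(re.search(r"\\*$", line).group()) % 2:
            logical += line[:-1]  # odd trailing backslashes: value continues
            continue
        logical += line
        m = re.match(r"((?:\\.|[^\\=:\s])*)\s*[=:]?\s*(.*)", logical)
        props[_unescape(m.group(1))] = _unescape(m.group(2))
        logical = ""
    return props

def check_keystore_properties(props):
    """Return findings for the RO68316 properties; an empty list means they look usable."""
    findings = [f"{k}: missing or empty" for k in REQUIRED_KEYS if not props.get(k)]
    loc = props.get("certificate.location", "")
    # A Windows path written as C:\mykey3.jks is read back as C:mykey3.jks, which
    # no longer points at the keystore; it must be C:\\mykey3.jks or C:/mykey3.jks.
    if re.match(r"[A-Za-z]:[^\\/]", loc):
        findings.append(f"certificate.location: '{loc}' lost its path separator; "
                        "write backslashes as \\\\ or use forward slashes")
    return findings
```

Run check_keystore_properties(parse_properties(open("WsoServer.properties").read())) against a real file; an empty list means all four properties are present and the keystore path survived parsing.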
Contents of encrdecrutility folder:
The "encrdecrutility" folder contains the files required to encrypt the generic password:
"encryptGenericPass.jar" : contains the code required to encrypt the generic password.
"EncryptGenericPass.bat" : batch file that calls the encryption on Windows operating systems.
"commons-codec-1.4.jar" : contains the code used for Base64 encoding.
"EncryptGenericPass.sh" : shell script that calls the encryption on Unix/Linux operating systems.
Execution of batch/shell script:
The scripts provided in the "encrdecrutility" folder, EncryptGenericPass.sh for Linux/Unix and EncryptGenericPass.bat for Windows, are used to encrypt the generic password.
Find below a sample command to execute batch/shell script:
Note: In order to execute the script(s), you can either be in the "encrdecrutility" directory or you can explicitly define the full path. In addition, the full path and name of the WsoServer.Properties file must be specified.
C:\encrdecrutility> EncryptGenericPass.bat "c:\wso\WsoServer.properties"
Upon successful encryption, the following message is displayed:
Generic password in WSO property file has been encrypted successfully.