WebStation Option Password Encryption

Document ID : KB000031371
Last Modified Date : 14/02/2018

This knowledge document (KD) describes how to use password encryption for generic login to WSO. This new functionality was introduced with RO68316.  

If a WSO administrator enables Generic sign-on, WSO stores that password as plain text in the configuration file. This is a potential security breach, and some organizations have a strict policy against passwords in plain text, which makes the feature difficult for them to use. So that an administrator can enable the feature without compromising security, WSO now encrypts the password using its proprietary algorithm.
The ability to encrypt the generic sign-on password for WSO was introduced with RO68316. Before this, the generic password could only be defined in plain text.
                                    
Encryption of Generic Password: 
                                              
Prior to solution RO68316, generic passwords were stored in plain text. In RO68316, a new folder (encrdecrutility) contains the code required to encrypt a generic password. Asymmetric encryption is used for the generic password, which requires a public and private key pair. These key pairs are normally stored in a keystore. The keytool executable shipped with a JDK or JRE generates a keystore containing the public and private keys.

Generation of Keystore File:

The following command generates a keystore containing a public and private key pair.

For example:

keytool -genkeypair -alias "certId" -keyalg RSA -keystore "C:\mykey3.jks" -storepass "password1" -keypass "password2"
                                 
      "-genkeypair" : generates a key pair (public and private keys).
      "-alias"      : identifies the public and private keys. This alias is
                      used to retrieve the public and private keys from the
                      keystore.
      "-keyalg"     : the algorithm used to generate the key pair.
      "-keystore"   : the location and name of the keystore.
      "-storepass"  : the keystore password.
      "-keypass"    : the password used to access the private key.
         
You will be prompted for the following information:

    - "What is your first and last name?", press enter
    - "What is the name of your organizational unit?", press enter
    - "What is the name of your Organization?", press enter
    - "What is the name of your city or locality?", press enter
    - "What is the name of your State or Province?", press enter
    - "What is the two-letter country code for this unit?", press enter
    - You are then asked to confirm that the data you entered is correct;
      type yes.
                                             
After the command runs, a keystore file is created at the location specified in the -keystore argument. This keystore file is used to encrypt the generic password.

Properties added to WsoServer.properties file:

In order to access the public and private key from the keystore, the following parameters were added to the 'WsoServer.properties' file in RO68316:
        
        "certificate.location" : the full path and name of the keystore.
        "keystore.password"    : the password used to access the keystore.
                                 The value of this property is the same as
                                 the -storepass option of the keytool command
                                 (section: Generation of Keystore File).
        "certificate.id"       : the id (alias) of the public and private key.
                                 The value of this property is the same as
                                 the -alias option of the keytool command
                                 (section: Generation of Keystore File).
        "certificate.password" : the password used to access the private key
                                 in the keystore file. The value of this
                                 property is the same as the -keypass option
                                 of the keytool command (section: Generation
                                 of Keystore File).
                               
Contents of encrdecrutility folder:       
                                    
The "encrdecrutility" folder contains the files required to encrypt the generic password:

           "encryptGenericPass.jar" : contains the code that encrypts the
                                      generic password.
           "EncryptGenericPass.bat" : batch file that calls the encryption
                                      on Windows operating systems.
           "commons-codec-1.4.jar"  : contains the code that does the Base64
                                      encoding.
           "EncryptGenericPass.sh"  : shell script that calls the encryption
                                      on Unix/Linux operating systems.

                   
Execution of batch/shell script:
                                              
The batch/shell script provided in the "encrdecrutility" folder, EncryptGenericPass.sh for Linux/Unix and EncryptGenericPass.bat for Windows, is used to encrypt the generic password.

Below is a sample command to execute the batch/shell script.
Note: to execute the script(s), you can either be in the "encrdecrutility" directory or specify the full path to the script. In addition, the full path and name of the WsoServer.properties file must be passed as the argument.

C:\encrdecrutility> EncryptGenericPass.bat "c:\wso\WsoServer.properties"   

Upon successful encryption the following message is displayed:

Generic password in WSO property file has been encrypted successfully.
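As an added illustration (not the code in encryptGenericPass.jar, whose proprietary algorithm this article does not describe), the following Java program models the scheme the article outlines: it reads the four properties added in RO68316 from WsoServer.properties, loads the keystore created with keytool, RSA-encrypts a password with the public key and Base64-encodes it, then decrypts it again with the private key. The RSA padding mode, the class name and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
/** Illustrative model of the keystore-based scheme; not the WSO utility's own code. */
public class GenericPassCrypto {
    // Padding mode is an assumption: the article does not state which one WSO uses.
    private static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    /** Opens the keystore named by certificate.location, unlocked with keystore.password (-storepass). */
    static KeyStore loadKeyStore(Properties p) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(p.getProperty("certificate.location"))) {
            ks.load(in, p.getProperty("keystore.password").toCharArray());
        }
        return ks;
    }
    /** Encrypts with the public key stored under certificate.id (-alias) and Base64-encodes the result. */
    static String encrypt(Properties p, String plain) throws IOException, GeneralSecurityException {
        KeyStore ks = loadKeyStore(p);
        PublicKey pub = ks.getCertificate(p.getProperty("certificate.id")).getPublicKey();
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, pub);
        return Base64.getEncoder().encodeToString(c.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }
    /** Reverses encrypt(): the private key is unlocked with certificate.password (-keypass). */
    static String decrypt(Properties p, String b64) throws IOException, GeneralSecurityException {
        KeyStore ks = loadKeyStore(p);
        PrivateKey priv = (PrivateKey) ks.getKey(p.getProperty("certificate.id"),
                p.getProperty("certificate.password").toCharArray());
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, priv);
        return new String(c.doFinal(Base64.getDecoder().decode(b64)), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        // Usage (assumed): java GenericPassCrypto <path to WsoServer.properties> <password to encrypt>
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) { p.load(in); }
        String enc = encrypt(p, args[1]);
        System.out.println("encrypted: " + enc);
        System.out.println("round trip ok: " + args[1].equals(decrypt(p, enc)));
    }
}
```

Note that keystore.password and certificate.password themselves remain in plain text in WsoServer.properties, so the file permissions on the properties file and on the keystore are what protect the encrypted generic password.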

File Attachments:
TEC1083834.zip