Storing properties in encrypted format
When we configure MobileFirst applications on the server, we must encrypt the properties that are too sensitive to be written in clear text.
There are two ways to encrypt properties:
- Within the properties file: See Encryption within the properties file. This option is the only one for Tomcat.
- By using the application server encoding tools: PropFilePasswordEncoder for WAS and SecurityUtility for Liberty profile. For WAS and Liberty profile. See Encoding the JNDI properties
Encryption within the properties file
The encryption facility that comes with MPF uses the 128-bit symmetric-key algorithm defined by the AES specification.
- Storing properties in open or encrypted format
We can keep the properties contained in worklight.properties either in open or in encrypted form.
An encrypted property is determined by a suffix .enc appended to its name. For example:
console.password.enc=TYakEHRba3rIU7pNjxtDxoAdqijKIEt7cy4mCr0iaEj0rY08ODK00yqR
The MobileFirst configuration is accessed for a property. If the property is not found, but the same encrypted property (with the .enc suffix) is defined, MobileFirst automatically decrypts the value, and returns it to the caller.
- Storing the master key
All encrypted values use the same secret key, which is stored in the special variable called worklight_enc_password. This variable is defined as an operating-system environment variable:
- On Windows systems: Set an environment variable under the user that runsMobileFirst Server. Under a Windows NT service, define the password as a service property using the registry editor. See Microsoft support website.
- On Linux systems: Set the environment variable.
- Encryption
We can encrypt MobileFirst properties using the 128-bit symmetric-key algorithm defined by the AES specification.
- On Windows systems, use the encrypt.bat utility under MF_HOME/WorklightServer. This utility accepts a file containing the properties to be encrypted and the encryption password. The utility outputs the encrypted values to the same file, so that sensitive data is deleted.
- On Linux systems, use the encrypt.sh utility.
The input file for the encryption is called secret.properties and contains the following data:
worklight_enc_password=abc123 certificate.password=certificatepwd123 wl.db.password=edf545After you run the encrypt.sh tool, the secret.properties file contains the following data:
#Copy the contents of this file to worklight.properties. #Keep the password value in the secure system property worklight_enc_password. #Wed Nov 28 10:10:44 CST 2012 certificate.password.enc=dR4lnMQDaNEQyLQl7b2RmpdE99HKpqaSJ6mce0uJgaY\= wl.db.password.enc=6boxojGZsUNTXwOOGgI6dg\=\=
Encoding the JNDI properties
The preferred way to encrypt JNDI properties in WAS is to use the password encoding tools available with both application servers.
- For WAS: the PropFilePasswordEncoder tool
- For the Liberty profile: the SecurityUtility command
Use the encoded value as the value of the JNDI properties.
For more information about how to encode properties with the application server tools, see the WebSphere Application Server documentation.
Parent topic: Application server-side configuration parameters