
Storing properties in encrypted format

When we configure MobileFirst applications on the server, we must encrypt the properties that are too sensitive to be written in clear text.

There are two ways to encrypt properties:

  • Encryption within the properties file

  • Encoding the JNDI properties

Encryption within the properties file

The encryption facility that comes with MPF uses the 128-bit symmetric-key algorithm defined by the AES specification.

Storing properties in open or encrypted format

We can keep the properties contained in worklight.properties either in open or in encrypted form.

An encrypted property is identified by the suffix .enc appended to its name. For example:

    console.password.enc=TYakEHRba3rIU7pNjxtDxoAdqijKIEt7cy4mCr0iaEj0rY08ODK00yqR

When a property is requested from the MobileFirst configuration and no property of that name is found, but the same property with the .enc suffix is defined, MobileFirst automatically decrypts the value and returns it to the caller.

Storing the master key

All encrypted values use the same secret key, which is stored in the special variable called worklight_enc_password. This variable is defined as an operating-system environment variable:

  • On Windows systems: Set an environment variable under the user that runs MobileFirst Server. Under a Windows NT service, define the password as a service property using the registry editor. See the Microsoft support website.

  • On Linux systems: Set the environment variable.

Encryption

We can encrypt MobileFirst properties using the 128-bit symmetric-key algorithm defined by the AES specification.

  • On Windows systems, use the encrypt.bat utility under MF_HOME/WorklightServer. This utility accepts a file containing the properties to be encrypted and the encryption password. The utility overwrites the same file with the encrypted values, so that the clear-text sensitive data is removed.

  • On Linux systems, use the encrypt.sh utility.

The input file for the encryption is called secret.properties and contains the following data:

    worklight_enc_password=abc123
    certificate.password=certificatepwd123
    wl.db.password=edf545

After you run the encrypt.sh tool, the secret.properties file contains the following data:

    #Copy the contents of this file to worklight.properties.
    #Keep the password value in the secure system property worklight_enc_password.
    #Wed Nov 28 10:10:44 CST 2012
    certificate.password.enc=dR4lnMQDaNEQyLQl7b2RmpdE99HKpqaSJ6mce0uJgaY\=
    wl.db.password.enc=6boxojGZsUNTXwOOGgI6dg\=\=
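The lookup rule described earlier (clear-text name first, then name.enc decrypted with the master password) and the shape of the encrypt.sh output, as an added example in Go that is not MobileFirst's own code. The page does not document the cipher mode, IV handling or key derivation, so the example assumes a SHA-256-derived AES-128 key, CBC with a random IV prefix and PKCS#7 padding; the `\=` escaping follows the Java .properties form shown above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// EncryptValue models encrypt.sh output. Assumed format (not MobileFirst's): SHA-256 key, AES-128-CBC, random IV, PKCS#7.
func EncryptValue(value, pw string) (string, error) {
	k := sha256.Sum256([]byte(pw))
	block, _ := aes.NewCipher(k[:16]) // 16-byte key: NewCipher cannot fail
	pad := aes.BlockSize - len(value)%aes.BlockSize
	plain := []byte(value + strings.Repeat(string(rune(pad)), pad)) // pad byte = pad length
	out := make([]byte, aes.BlockSize+len(plain))                   // IV || ciphertext
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], plain)
	return strings.ReplaceAll(base64.StdEncoding.EncodeToString(out), "=", `\=`), nil // "=" escaped as in .properties
}
func decryptValue(enc, pw string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.ReplaceAll(enc, `\=`, "="))
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("malformed encrypted value") // reject before decrypting
	}
	k := sha256.Sum256([]byte(pw))
	block, _ := aes.NewCipher(k[:16])
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(plain, raw[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize {
		return "", errors.New("bad padding: wrong master password or corrupt value")
	}
	return string(plain[:len(plain)-pad]), nil
}
// Lookup follows the documented order: clear-text name wins, else name.enc is decrypted.
func Lookup(props map[string]string, name, pw string) (string, error) {
	if v, ok := props[name]; ok {
		return v, nil
	}
	if v, ok := props[name+".enc"]; ok {
		return decryptValue(v, pw)
	}
	return "", errors.New("property not found: " + name)
}
```

In a deployment, pw would come from the worklight_enc_password environment variable and props from worklight.properties; here both are passed in so the functions can be exercised offline.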


Encoding the JNDI properties

The preferred way to protect JNDI properties in WebSphere Application Server (WAS) is to use the password encoding tools that ship with the application server.

Use the encoded value as the value of the JNDI properties.

For more information about how to encode properties with the application server tools, see the WebSphere Application Server documentation.
