Symantec IGA

  • 1.  How to encrypt passwords for GM datasources over jboss

    Posted Jun 10, 2014 10:01 AM

    The datasource xml files for GM store the password in plain-text when GM is installed on jboss. Here are steps on how to encrypt these.

    1.1 Encrypting GM Data Source Password

    The CA GM application uses four databases:

    1. Eurekify_sdb: GM user, role and resource configuration database
    2. WPDS: GM Workpoint workflow database
    3. Eurekify_Ticketdb: GM ticket database
    4. Gvm_datawarehouse: GM report database

    By default, all DS configuration files hold the database password in plain text. The org.jboss.resource.security.SecureIdentityLoginModule can be used to encrypt database passwords rather than using clear text passwords in the datasource configuration. JBoss uses a hard-coded password to encrypt/decrypt the datasource password when starting up.


    High level steps to configure JBoss to use an encrypted datasource password:

    1. Create a policy for each datasource in the login-config.xml file. The policy holds the login module, username, encrypted password and managed connection parameter for each data source.

    2. Use this policy as the security domain in the corresponding datasource configuration file.

    *These steps assume that MS SQL Server is being used for the GM databases.

    For the CA GM application, the JBoss datasource XML configuration files are used to configure datasources. The datasource configuration file names end with the suffix *-ds.xml and can be located under:

    D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\

    1. eurekify-ds.xml: DS configuration for the eurekify_sdb and eurekify_ticketdb databases
    2. reportdb-ds.xml: DS configuration for the gvm_datawarehouse database
    3. wp-ds.xml: DS configuration for the WPDS (Workpoint) database

    The details for modifying these files are given below.


    1.1.1 Encrypting data source password

    1. To encrypt the password using the class, execute the following command on the eurekify application server.

    cd D:\Program Files\CA\RCM\Server\eurekify-jboss

    java -cp client/jboss-logging-spi.jar;common/lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule password

    Where "password" is the password value for the DB user (CARCMUser).

    Tested for 12.5 SP 4-7 and 12.6.00

    Note: any leading dash "-" is part of the hash.

    For example, the password "password" encrypts to: 5dfc52b51bd35553df8592078de921bc

    CARCMUser: 738224e1394baf3bdf8592078de921bc

    2. Paste the encrypted password value into each file as further explained below.


    1.1.2 Using Encrypted Datasource password for GM Databases

    1. Locate the login-config.xml file under:

    D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\conf

    or

    D:\jboss-5.1.0.GA\server\all\conf (for a cluster)

    Make a backup copy of the file and open it for editing.

    2. Add the following policies to the end of the login-config.xml configuration file, before the </Policy> XML tag (the last line of the file).

    a. *Change the username (CARCMUser) and password hash as needed in the XML below.

    b. The same <module-option name="password">*********</module-option> tag applies to each database policy, since all 4 databases use the same DB account.

    For convenience you can copy the following section:

    ----- start copy

    <!-- eurekify Database Password Encryption Policy -->

    <application-policy name="eurekify_SDB">
      <authentication>
        <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username">CARCMUser</module-option>
          <module-option name="password">passwordhash</module-option>
          <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/eurekifyDS,service=LocalTxCM</module-option>
        </login-module>
      </authentication>
    </application-policy>

    <application-policy name="eurekify_TicketDB">
      <authentication>
        <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username">CARCMUser</module-option>
          <module-option name="password">passwordhash</module-option>
          <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/eurekifyTmsDS,service=LocalTxCM</module-option>
        </login-module>
      </authentication>
    </application-policy>

    <application-policy name="eurekify_ReportDB">
      <authentication>
        <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username">CARCMUser</module-option>
          <module-option name="password">passwordhash</module-option>
          <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/eurekifyReportdbDS,service=LocalTxCM</module-option>
        </login-module>
      </authentication>
    </application-policy>

    <application-policy name="eurekify_WP">
      <authentication>
        <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username">CARCMUser</module-option>
          <module-option name="password">passwordhash</module-option>
          <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/WPDS,service=LocalTxCM</module-option>
        </login-module>
      </authentication>
    </application-policy>

    3. Modify eurekify-ds.xml: In the eurekify-ds.xml file

    a. Read this whole section before beginning these steps.

    b. D:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\

    c. Comment out the user-name and password XML tags.

    d. Remove the password from the comment.

    e. Add a security-domain entry for the eurekify_sdb and eurekify_ticketdb databases.

    *Note: Remember to change the clear text password in the commented-out sections, and also in any backed-up copies of this file.

    For eurekify_sdb add the following line:

    <security-domain>eurekify_SDB</security-domain>

    For eurekify_ticketdb add the following line:

    <security-domain>eurekify_TicketDB</security-domain>

    The eurekify-ds.xml file should look like the following:

    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <!--
    <user-name>CARCMUser</user-name>
    <password>password</password>
    -->
    <security-domain>eurekify_SDB</security-domain>

    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <!--
    <user-name>CARCMUser</user-name>
    <password>password</password>
    -->
    <security-domain>eurekify_TicketDB</security-domain>


    4. Modify reportdb-ds.xml: In the eurekify-reportdb.xml file,

    a. Comment out the user-name and password XML tags, and

    b. Add a security-domain entry for the eurekify_reportdb database.

    <security-domain>eurekify_ReportDB</security-domain>

    The reportdb-ds.xml file should look like the following:

    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <!--
    <user-name>CARCMUser</user-name>
    <password>password</password>
    -->
    <security-domain>eurekify_ReportDB</security-domain>


    5. Modify wp-ds.xml: In the wp-ds.xml file

    a. Comment out the user-name and password XML tags, and

    b. Add a security-domain entry for the WPDS database.

    <security-domain>eurekify_WP</security-domain>

    The wp-ds.xml file should look like the following:

    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <!--
    <user-name>CARCMUser</user-name>
    <password>password</password>
    -->
    <security-domain>eurekify_WP</security-domain>
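    As an added example (not part of the post and not CA's code), the following Java program reproduces what the SecureIdentityLoginModule command in the post prints, so a value can be checked before it is pasted into login-config.xml; it also shows why a leading dash can appear. The Blowfish cipher and its fixed key are taken from the JBoss source of that login module, and the expected value for "password" is the one quoted in the post.

```java
import java.math.BigInteger;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class DsPasswordEncoder {
    // Key and cipher as used by org.jboss.resource.security.SecureIdentityLoginModule
    // (JBoss 5 source). "Blowfish" alone means Blowfish/ECB/PKCS5Padding in the JDK.
    // Because the key is fixed and public, the value is reversible obfuscation, not
    // a hash: login-config.xml still needs strict file permissions.
    private static final byte[] KEY = "jaas is the way".getBytes();

    /** Returns the same string the login module's main() prints for this secret. */
    public static String encode(String secret) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "Blowfish"));
        // getBytes() with the platform charset mirrors the login module;
        // ASCII passwords give the same bytes under any charset.
        byte[] encoding = cipher.doFinal(secret.getBytes());
        // The login module renders the ciphertext as a signed two's-complement
        // BigInteger in hex: a first byte >= 0x80 yields a leading "-", and
        // leading zero bytes are dropped. That is why the post says the dash
        // is part of the hash.
        return new BigInteger(encoding).toString(16);
    }

    /** Checks a value already pasted into a policy against the known plaintext. */
    public static boolean matches(String secret, String pastedValue) throws Exception {
        return encode(secret).equals(pastedValue.trim());
    }

    public static void main(String[] args) throws Exception {
        String secret = args.length > 0 ? args[0] : "password";
        System.out.println(encode(secret));
        // Known value quoted in the post for the plaintext "password".
        if ("password".equals(secret)) {
            System.out.println("matches post: "
                + matches(secret, "5dfc52b51bd35553df8592078de921bc"));
        }
    }
}
```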



  • 2.  Re: How to encrypt passwords for GM datasources over jboss

    Posted Sep 11, 2018 03:41 PM

    Update for IG r14.x release. All datasource encryption is now in one configuration file for JBoss/Wildfly.

    Update the Identity Governance Datasource Password Encryption