Encryption of Password in web.xml during the SSL implementation in Vault server

UPDATED: November 9, 2017


To configure encrypted passwords, follow these steps:
  • Decide on the size of key to use and the settings to encrypt
  • Create the external key
  • Configure the external key location
  • Encrypt each password
  • Write the encrypted passwords to the configuration files
  1. Planning - Vault supports either 128-bit or 256-bit AES encryption for passwords. Prefer 256-bit keys and use 128-bit keys only where 256-bit keys cannot be accommodated. For example, if encrypted passwords are used by Java components, 256-bit keys require the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to be installed on the Java runtime (Java 8u161 and later, and Java 9 and later, ship with unlimited strength enabled by default). If those are not available, use a 128-bit key. If both native and Java components are in use, consider a 128-bit key for the Java components and a 256-bit key for the native components.
  2. Creating a key - The --create-key command takes the type of encryption as an argument. Use aes-128-cbc for 128-bit keys and aes-256-cbc for 256-bit keys. The default is aes-256-cbc. Redirect the output to the file that will hold the key.
           Windows:
           e2util --create-key aes-256-cbc > S:\secrets\vault-default-key.ini
           Unix:
           ./e2util --create-key aes-256-cbc > /secrets/vault-default-key.ini

           Within the generated key file, the section name indicates the name of the key (currently only default is supported).

           vault-default-key.ini
           [default]
           Type=aes-256-cbc
           Encoded=bcc0a9941780a587 ...20d933072112281b

  3. Setting the default key location - Once the external encryption key has been generated, the Vault processes need to be configured to read it. Protect the key file first: every encrypted value is only as secure as this file, and anyone who can read both the key file and a configuration file can recover the plaintext passwords. Keep it outside the web application and server directories, restrict it to the account that runs the Vault services (for example chmod 600 on Unix, or an NTFS ACL that grants only the service account read access on Windows), and exclude it from configuration backups that are shared more widely.

           For the native Vault processes such as e2loaderd and e2renderd, set the environment variable VAULT_DEFAULT_KEY to the full path of the external key.

           On Windows, the environment variable can be set at the machine level, or at the user level if a specific account is assigned to the service. It can be set using the System applet in Control Panel, the setx command, the PowerShell [Environment]::SetEnvironmentVariable method, and so on.

           Windows:
           setx /m VAULT_DEFAULT_KEY S:\secrets\vault-default-key.ini

           Unix:
           The best approach is to modify the script used to start and stop Vault. Add the following in the same section where LD_LIBRARY_PATH is set. For example:

           /etc/init.d/vault
           VAULT_DEFAULT_KEY=/secrets/vault-default-key.ini; export VAULT_DEFAULT_KEY

           Setting the default key file for Java environments
           For Java processes such as ServiceWeb2, E2VaultWS, Vault CMIS Connector, Vault REST Export and the Vault REST API for EngageOne Server, set the Java system property vault.default.key to the full path of the external key.

           As an example, for Apache Tomcat on Windows, create or modify the setenv.bat file to set the system property (the quotes must be plain double quotes, and the whole assignment goes on one line):

           bin\setenv.bat
           set "JAVA_OPTS=%JAVA_OPTS% -Dvault.default.key=S:\secrets\vault-default-key.ini"

  4. Creating a secret -
           Once the external key has been generated, create an encrypted version of each password. This is done using the e2util program from the server directory.
           The --create-secret command takes the location of the external key as an argument.

           Windows
           e2util --create-secret S:\secrets\vault-default-key.ini
           Unix
           ./e2util --create-secret /secrets/vault-default-key.ini

           This prompts for the password and prints the encrypted version. Typing the password at the prompt, rather than passing it on the command line, keeps it out of shell history and process listings.

           Enter password:
           {default;b4f311278a4db05d...d83069e11e184a24}

           Encrypted values are surrounded with braces. The first field is the name of the key used to encrypt the data; this is currently always default. The second field is the value itself: the initialization vector followed by the ciphertext, hex encoded.

  5. ServiceWeb2 or E2VaultWS SSL passwords -
           Once the encrypted passwords have been generated, write each one into the configuration file in the place where the plaintext password would otherwise have been. For ServiceWeb2 the configuration file is "ServiceWeb2\WEB-INF\web.xml". After restarting the Java service, confirm that the SSL listener comes up, and remove any copies of web.xml that still contain the plaintext passwords (editor backups, deployment packages, version control history).

           <context-param>
           <param-name>sslkeypassword</param-name>
           <param-value>{default;bc32919f8dc4d5fd…ae4b16c731065375}</param-value>
           </context-param>
           <context-param>
           <param-name>sslkeystorepath</param-name>
           <param-value>…</param-value>
           </context-param>
           <context-param>
           <param-name>sslkeystorepassword</param-name>
           <param-value>{default;28ea30e2b0728380…d913a60ebe04fe19}</param-value>
           </context-param>
           <context-param>
           <param-name>ssltruststorepath</param-name>
           <param-value>…</param-value>
           </context-param>
           <context-param>
           <param-name>ssltruststorepassword</param-name>
           <param-value>{default;bff2b136b31af9ba…86ad761d46dcb1dc}</param-value>
           </context-param>

 

Environment Details

Product Feature: Vault Server
 
