Concept - DB Password Encryption (7.4 - 7.4 CI)

Product Version: 7.4
Product To Version: 7.4.6
Status: final

1 Introduction

The content of the present concept applies to versions 7.4 and 7.4 CI.

If you are using IS 7.4.6.1 or IS 7.4.6.2, you can use the information outlined below. In addition, you have to ensure that the corresponding files are excluded from any re-deployment. See Recipe: Keep Local Modifications in Cookbook - Gradle Deployment Tools (7.4 CI - ICM 7.7) for more detailed information on how to do this.

Be aware that IS 7.4.6.3 or later comes with Gradle Tools 2.0, which provides a new workflow. Please see Recipe: Encrypt Database Password in Cookbook - Gradle Deployment Tools (7.4 CI - ICM 7.7) for more detailed information on how to use Gradle Tools 2.0 for DB password encryption.

The password that is used for connecting the Intershop 7 application with an Oracle database is stored in the IS_SHARE/system/config/cluster/orm.properties file. This is the default location, though it is possible to change it. The password might be stored as plain text:

orm.properties
intershop.jdbc.user=INTERSHOP
intershop.jdbc.password=intershop

For some customers this is not satisfactory because it does not conform to good practice. There is therefore another option, namely to store the password in encrypted form:

orm.properties
intershop.jdbc.user=INTERSHOP
intershop.jdbc.password.encrypted=true
intershop.jdbc.password=standard@PBEWithMD5AndTripleDES:018Hal0LdnE=|ySHZl0aUnYOvM++n4Q1hNA==

Note

This approach does not provide unlimited security, because the key needed to decrypt the encrypted password is also stored in the shared file system, even though it is obfuscated. Anyone who has access to this key and knows the internals of the application server will be able to decrypt the password too. In addition, dealing with encrypted passwords has a performance cost.

2 Password Decryption

For password decryption, the standard encryption library shipped with IS7 is used. The following schema illustrates the high-level details of the decryption process.

Decryption process
  • The IS7 component (the app server, an ant task, a separate tool, etc.) requires the database password from the configuration framework;
  • The configuration framework knows that the password is encrypted and attempts to decrypt it by using the standard encryption library;
  • The encryption library retrieves the obfuscated key for the keystore from the shared file system;
  • The encryption library deobfuscates the key for the keystore and retrieves the key which is used to encrypt the password;
  • The encryption library decrypts the password and returns it to the configuration framework;
  • The configuration framework returns the key to the IS7 component.

The default scheme used by the encryption library is PBEWithMD5AndTripleDES. The password for it is derived from the key in the keystore.

Note

Every password derivation is salted with a securely generated random sequence, which provides semantic security. Triple DES runs in CBC mode.

3 Configurations

The features of the configuration framework are used to decrypt the database password. The decryption process is therefore transparent for any tool that uses the framework to read configurations. A special reader and finder that handle the password encryption are implemented and shipped with the core cartridge. These are configured in the central configuration file located in IS_SHARE\system\config\cluster\configuration.xml.

<?xml version="1.0" encoding="UTF-8"?>
<configuration-setup>
	...
  	<readers>
		...
		<reader class="com.intershop.beehive.core.internal.configuration.reader.ConfigurationPasswordReader"/>
	</readers>

	...
  	<finders>
		...
		<finder name="password" class="com.intershop.beehive.core.internal.configuration.finder.ConfigurationPasswordFileFinder" />
  	</finders>

	...
  	<sets>
		...
		<set finder="password" scope="cluster,server,domain" required="true" fileName="${IS_SHARE}/system/config/cluster/orm.properties" />
		...
	</sets>
	...
</configuration-setup>

Some external tools shipped with the product are adjusted to use the configuration framework. The ant scripts in IS_HOME/tools/misc use a special task that will decrypt the password. These scripts still do not utilize the configuration framework completely.

4 Password Encryption Tool

A small tool has been shipped in IS_SHARE/tools/misc. The system administrator may use it to generate an encrypted password and then copy and paste it into orm.properties. Example:

ES2|d:\eserver2\tools\misc>ant -Dpassword=intershop pwd-encrypt

Buildfile: d:\eserver2\tools\misc\build.xml

build.environment:

pwd-encrypt:

password.environment:

pwdencrypt:
     [echo] The encrypted password is: standard@PBEWithMD5AndTripleDES:xmgbyJN/vlg=|1JTy1iId+jzt7s6l0xMQMw==

BUILD SUCCESSFUL
Total time: 4 seconds
ES2|d:\eserver2\tools\misc>

Here the plain text password is intershop, while the encrypted value is standard@PBEWithMD5AndTripleDES:xmgbyJN/vlg=|1JTy1iId+jzt7s6l0xMQMw==. The encrypted password can be saved in orm.properties.
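As an added example (not Intershop code), the following Python check lets an administrator confirm that orm.properties really holds the password in encrypted form after the paste. The token layout label@scheme:Base64|Base64 is inferred from the samples on this page, treating the second segment as DES-CBC ciphertext is an assumption, and the function names and result labels are illustrative.

```python
import base64
import re

# Token shape inferred from the page's samples: <label>@<scheme>:<Base64>|<Base64>
TOKEN_RE = re.compile(
    r"^[^@:|]+@(?P<scheme>[^@:|]+):(?P<a>[A-Za-z0-9+/]+=*)\|(?P<b>[A-Za-z0-9+/]+=*)$")
KEY = "intershop.jdbc.password"
# The encrypted orm.properties sample shown earlier on this page.
SAMPLE = """intershop.jdbc.user=INTERSHOP
intershop.jdbc.password.encrypted=true
intershop.jdbc.password=standard@PBEWithMD5AndTripleDES:018Hal0LdnE=|ySHZl0aUnYOvM++n4Q1hNA==
"""

def parse_properties(text):
    """Minimal key=value reader for the JDBC entries."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            # Split on the first '=' only: Base64 padding puts '=' in the value.
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def parse_token(value):
    """Return (scheme, first_bytes, second_bytes), or None if not a token."""
    m = TOKEN_RE.match(value)
    if not m:
        return None
    try:
        return (m["scheme"], base64.b64decode(m["a"], validate=True),
                base64.b64decode(m["b"], validate=True))
    except ValueError:  # binascii.Error, e.g. a token cut short while pasting
        return None

def audit(text):
    """Classify the JDBC password entry of an orm.properties file."""
    props = parse_properties(text)
    if KEY not in props:
        return "missing"
    token = parse_token(props[KEY])
    if props.get(KEY + ".encrypted", "false").lower() != "true":
        return "flag-missing" if token else "plaintext"
    if token is None:
        return "malformed"   # flag set, but value is not a decodable token
    if len(token[2]) % 8:
        return "bad-length"  # assumption: 2nd segment is DES-CBC ciphertext
    return "encrypted"
```

Applied to the two tokens shown on this page, parse_token returns different byte segments although both encrypt the same password, which is consistent with the random salt described in section 2.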

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.
