Storing properties in encrypted format
When you configure MobileFirst applications on the server, you must encrypt the properties that are too sensitive to be written in clear text.
You can encrypt properties in two ways:
- Within the properties file: See Encryption within the properties file. This option is the only one for Tomcat.
- By using the application server encoding tools: PropFilePasswordEncoder for WebSphere® Application Server and SecurityUtility for the Liberty profile. See Encoding the JNDI properties.
Encryption within the properties file
The encryption facility that comes with IBM MobileFirst™ Platform Foundation uses the 128-bit symmetric-key algorithm that is defined by the AES specification.
- Storing properties in open or encrypted format
You can keep the properties that are contained in the worklight.properties file either in open or in encrypted form.
An encrypted property is identified by the suffix .enc appended to its name. For example:
console.password.enc=TYakEHRba3rIU7pNjxtDxoAdqijKIEt7cy4mCr0iaEj0rY08ODK00yqR
When a property is requested from the MobileFirst configuration and is not found, but the same property with the .enc suffix is defined, MobileFirst automatically decrypts the value and returns it to the caller.
- Storing the master key
- All encrypted values use the same secret key, which is stored in the special variable called worklight_enc_password. This variable is defined as an operating-system environment variable:
- On Windows systems: Set an environment variable under the user that runs MobileFirst Server. Under a Windows NT service, define the password as a service property by using the registry editor. For more information, see the Microsoft support website.
- On Linux systems: Set the environment variable.
- Encryption
- You can encrypt MobileFirst properties by using the 128-bit symmetric-key algorithm that is defined by the AES specification.
- On Windows systems, use the encrypt.bat utility under product_install_dir/WorklightServer. This utility accepts a file that contains the properties to be encrypted and the encryption password. The utility writes the encrypted values back to the same file, overwriting the clear-text values so that the sensitive data is removed from it.
- On Linux systems, use the encrypt.sh utility.
The input file for the encryption is called secret.properties and contains the following data:
worklight_enc_password=abc123
certificate.password=certificatepwd123
wl.db.password=edf545
After you run the encrypt.sh tool, the secret.properties file contains the following data:
#Copy the contents of this file to the worklight.properties file.
#Keep the password value in the secure system property worklight_enc_password.
#Wed Nov 28 10:10:44 CST 2012
certificate.password.enc=dR4lnMQDaNEQyLQl7b2RmpdE99HKpqaSJ6mce0uJgaY\=
wl.db.password.enc=6boxojGZsUNTXwOOGgI6dg\=\=
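The two halves of this mechanism, the encrypt tool that turns a clear property into a name.enc entry and the lookup that falls back from name to name.enc and decrypts with the master key, as an added Go example that is not part of this page or of the product. The key derivation (SHA-256 of the worklight_enc_password value, truncated to 16 bytes) and the AES-GCM mode are assumptions made for the example; the page only states that AES with a 128-bit key is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Assumption for this example: the master password (the value of the
// worklight_enc_password variable) is hashed to a 16-byte AES-128 key and
// values are sealed with AES-GCM; the product's real scheme is not given here.
func newGCM(password string) cipher.AEAD {
	sum := sha256.Sum256([]byte(password))
	block, _ := aes.NewCipher(sum[:16]) // a 16-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptValue plays the role of encrypt.sh for one entry: the result is what
// would be written as name.enc=... (base64 of nonce || ciphertext || tag).
func EncryptValue(value, password string) string {
	gcm := newGCM(password)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness: refuse to emit a ciphertext
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(value), nil))
}

// Resolve is the lookup described above: a clear-text property wins; otherwise
// the ".enc" variant is decrypted with the master key. A missing entry, a
// corrupt value and a wrong master key are all errors, never garbage output.
func Resolve(props map[string]string, name, password string) (string, error) {
	if v, ok := props[name]; ok {
		return v, nil
	}
	gcm := newGCM(password)
	ct, err := base64.StdEncoding.DecodeString(props[name+".enc"])
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("property missing or malformed: " + name)
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("wrong master key or tampered value: " + name)
	}
	return string(pt), nil
}
```

In a real deployment the password passed to Resolve would be read from the worklight_enc_password environment variable, not from the properties file, which is why EncryptValue never writes that entry.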
Encoding the JNDI properties
The preferred way to encrypt JNDI properties on WebSphere Application Server and on the Liberty profile is to use the password encoding tools that are available with both application servers.
- For WebSphere Application Server: the PropFilePasswordEncoder tool
- For the Liberty profile: the SecurityUtility command. For the encoding type, only xor and aes with the default key are supported.
You can use the encoded value as the value of the JNDI properties.
For more information about how to encode properties with the application server tools, see the WebSphere Application Server documentation.