Steps to encrypt database passwords in the standalone-full-ca-gm.xml file.

Article ID: 197616

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

After installing Identity Governance, I notice the password in file \Server\eurekify-jboss\standalone\configuration\standalone-full-ca-gm.xml is in cleartext:


               <datasource jta="true" jndi-name="java:/jdbc/eurekifyDS" pool-name="eurekifyDS" enabled="true" use-java-context="false" use-ccm="true">
                    <connection-url>jdbc:sqlserver://SQLHost:1433;databaseName=eurekify_sdb</connection-url>
                    <driver>sqlserver</driver>
                    <pool>
                        <min-pool-size>30</min-pool-size>
                        <max-pool-size>60</max-pool-size>
                        <prefill>false</prefill>
                        <use-strict-min>false</use-strict-min>
                        <flush-strategy>FailingConnectionOnly</flush-strategy>
                    </pool>
                    <security>
                        <user-name>sa</user-name>
                        <password>[email protected]</password>
                    </security>

How can we encrypt these values to remove the clear text passwords?

Environment

Release : 14.3

Component : Governance Minder(Role & Compliance Manager)

Resolution

To encrypt these passwords manually:

Before going through these steps please backup the \CA\RCM\Server\eurekify-jboss\standalone\configuration\standalone-full-ca-gm.xml (or standalone-full-ha-gm.xml for clustered environments) outside the configuration folder.

1.> Use pwdtools to encrypt your password.
Specific details on using pwdtools can be found in the documentation for Governance and for Identity Manager.

The output will resemble the following:

>pwdtools -JSAFE -p [email protected]

Plain Text: [email protected]
Encrypted value: {PBES}:g531EbTmhWM=

Save the entire encrypted value, including the braces and the trailing equals sign, for use in the following steps.

2.> Update each datasource with a <security-domain> in \CA\RCM\Server\eurekify-jboss\standalone\configuration\standalone-full-ca-gm.xml (or standalone-full-ha-gm.xml for clustered environments).

There are 3 datasources to modify: eurekifyDS, eurekifyTmsDS, and eurekifyReportdbDS; and 3 xa-datasources: WPDS, WPDS2, and WPDS3.

Remove the user-name and password lines:

  <user-name>sa</user-name>
  <password>[email protected]</password>

and replace them with <security-domain>{datasourcename}</security-domain>, keeping the domain name identical to the name of each datasource and xa-datasource.

Here is an example datasource for eurekifyDS using a MS SQL backend database, where 'sa' is the username used for the database connection:

               <datasource jta="true" jndi-name="java:/jdbc/eurekifyDS" pool-name="eurekifyDS" enabled="true" use-java-context="false" use-ccm="true">
                    <connection-url>jdbc:sqlserver://TESTMSSQL001534:1433;databaseName=eurekify_sdb</connection-url>
                    <driver>sqlserver</driver>
                    <pool>
                        <min-pool-size>30</min-pool-size>
                        <max-pool-size>60</max-pool-size>
                        <prefill>false</prefill>
                        <use-strict-min>false</use-strict-min>
                        <flush-strategy>FailingConnectionOnly</flush-strategy>
                    </pool>
                    <security>
                        <security-domain>eurekifyDS</security-domain>
                    </security>
                    <validation>
                        <check-valid-connection-sql>select 1</check-valid-connection-sql>
                        <validate-on-match>false</validate-on-match>
                        <background-validation>true</background-validation>
                        <background-validation-millis>120000</background-validation-millis>
                        <use-fast-fail>false</use-fast-fail>
                    </validation>
                </datasource>

3.> Create the corresponding <security-domain> under <security-domains> for each of your datasources and xa-datasources, using the encrypted password from step 1.

Here is an example <security-domain> for the eurekifyDS datasource using a MS SQL backend database, where 'sa' is the username used for the database connection:

             <security-domains>
                <security-domain name="eurekifyDS">
                    <authentication>
                        <login-module code="com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin" flag="required" module="com.ca.iam.idmutils">
                            <module-option name="userName" value="sa"/>
                            <module-option name="password" value="{PBES}:g531EbTmhWM="/>
                            <module-option name="managedConnectionFactoryName" value="jboss.jca:name=eurekifyDS,service=NoTxCM"/>
                        </login-module>
                    </authentication>
                </security-domain>

You will need to create a security-domain for each of the 6 datasources.

4.> In order for Governance to be able to use the PicketBox-encrypted values, you must add the following folder structure and copy the idmutils.jar and module.xml files into this directory.

   a. Create the folder structure
          C:\Program Files\CA\RCM\Server\eurekify-jboss\modules\com\ca\iam\idmutils\main
       Or on *nix based systems:
          /opt/CA/wildfly-ig/modules/com/ca/iam/idmutils/main

   b. Create a new file called 'module.xml' in the newly created modules\com\ca\iam\idmutils\main directory using the following xml as the contents of the file:

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="com.ca.iam.idmutils">
    <resources>
        <resource-root path="idmutils.jar"/>
    </resources>

    <dependencies>
        <module name="javax.api"/>
        <module name="org.picketbox"/>
        <module name="javax.resource.api"/>
        <module name="org.apache.log4j"/>
        <module name="com.ca.iam.fips"/>
    </dependencies>
</module>

   c. Copy C:\Program Files\CA\RCM\Server\eurekify-jboss\standalone\deployments\eurekify.war\WEB-INF\lib\idmutils.jar into the newly created CA\RCM\Server\eurekify-jboss\modules\com\ca\iam\idmutils\main folder.

Once Governance is restarted it will start up and connect to the backend database using the security domains and the encrypted password values.
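As an added example (not from the KB article or the product), a Python script that performs steps 2 and 3 over the standalone XML: it swaps each datasource's user-name/password for a security-domain named after the pool, emits the matching PicketBoxPasswordEncryptedLogin entry, and reports any datasource still carrying a cleartext password. The sample XML is constructed, and the encrypted values are assumed to have been produced by pwdtools as in step 1.

```python
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server><!-- constructed sample; the real file is namespaced -->
  <datasources>
    <datasource jndi-name="java:/jdbc/eurekifyDS" pool-name="eurekifyDS">
      <security><user-name>sa</user-name><password>cleartext1</password></security>
    </datasource>
    <xa-datasource jndi-name="java:/jdbc/WPDS" pool-name="WPDS">
      <security><user-name>sa</user-name><password>cleartext2</password></security>
    </xa-datasource>
  </datasources>
  <security-domains/>
</server>"""
LOGIN_MODULE = "com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin"
def local(tag):  # tag name without any {namespace} prefix
    return tag.rsplit("}", 1)[-1]
def child(el, name):  # first child with that local name, or None
    return next((c for c in el if local(c.tag) == name), None)
def sibling_tag(like, name):  # new tag in the same namespace as an existing element
    return like.tag[:like.tag.rfind("}") + 1] + name
def pools(root):  # every datasource and xa-datasource element, in document order
    return [e for e in root.iter() if local(e.tag) in ("datasource", "xa-datasource")]

def cleartext_passwords(root):  # pool-names whose <security> still holds <password>
    return [ds.get("pool-name") for ds in pools(root)
            if child(child(ds, "security"), "password") is not None]

def convert(xml_text, encrypted):
    """Swap user-name/password for a <security-domain> named after the pool and add the
    matching PicketBox login-module; encrypted maps pool-name -> pwdtools {PBES} value.
    Returns (root, names of the security-domains present afterwards)."""
    root = ET.fromstring(xml_text)
    domains = next(e for e in root.iter() if local(e.tag) == "security-domains")
    for ds in pools(root):
        sec, name = child(ds, "security"), ds.get("pool-name")
        user, pwd = child(sec, "user-name"), child(sec, "password")
        if user is None or pwd is None:
            continue  # already converted, leave untouched
        if name not in encrypted:
            raise KeyError(f"no pwdtools value supplied for {name}")
        sec.remove(user); sec.remove(pwd)
        ET.SubElement(sec, sibling_tag(sec, "security-domain")).text = name
        sd = ET.SubElement(domains, sibling_tag(domains, "security-domain"), name=name)
        auth = ET.SubElement(sd, sibling_tag(domains, "authentication"))
        lm = ET.SubElement(auth, sibling_tag(domains, "login-module"), code=LOGIN_MODULE,
                           flag="required", module="com.ca.iam.idmutils")
        for k, v in (("userName", user.text), ("password", encrypted[name]),
                     ("managedConnectionFactoryName", f"jboss.jca:name={name},service=NoTxCM")):
            ET.SubElement(lm, sibling_tag(domains, "module-option"), name=k, value=v)
    return root, [sd.get("name") for sd in domains]
```

ElementTree rewrites namespace prefixes when it serialises, so run this against a copy of the file and diff the output before deploying it, or register the file's prefixes with ET.register_namespace first.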

Additional Information

This issue has been brought to our developers' attention, and in Virtual Suite 14.3 these passwords are encrypted. Development is working to ensure these passwords are encrypted in standalone installations in a future release.


I have attached example files of the standalone-full-ca-gm.xml, the module.xml file, and the idmutils.jar from 14.3 to this Knowledge document.
Please use the standalone-full-ca-gm.xml as an example and modify the file deployed in your environment.
If using a different version of Governance, please copy the file from the \RCM\Server\eurekify-jboss\standalone\deployments\eurekify.war\WEB-INF\lib\ directory discussed in step 4.c above.

Attachments

1598374517402__module.xml
1598374503537__idmutils.jar
1598374491602__standalone-full-ca-gm.xml