
Encrypting Password

Overview

This document covers how to leverage encrypted passwords in the openptk.xml configuration file. This document uses the MySQL Service as an example. The procedures defined in this document apply to all Services (unless otherwise specified).

Architecture

The OpenPTK Services leverage a proxy user to establish a trusted connection to the "back end" repository. This proxy user needs to have rights to perform the configured operations (Create, Read, Update, Delete, Search, Authenticate, etc.).

The Services use properties in the openptk.xml to declare the proxy user. The <Defaults> section of the openptk.xml defines <Properties> that are used in the <Connections> section.

When a Service is started, it will look for an encrypted password first. If an encrypted password is not set, a "clear text" password is checked. The Framework looks for a <Property> named user.password.encrypted. If this value contains a valid encrypted value, it is decrypted and used to establish a connection to the back-end repository. If the user.password.encrypted property does not exist, the property user.password is checked. If this property exists, and contains a value, it will be used with the user.name property to initiate a connection.

Implementation

When OpenPTK is used in a development environment, it may be easier to use a "clear text" password. The sample openptk.xml section below shows a configuration that leverages a "clear text" password:

<Defaults>
   <Properties>
      ...
      <Property name="jdbc.mysql.url"           value="jdbc:mysql://localhost:3306/openptk" />
      <Property name="jdbc.mysql.driver"        value="com.mysql.jdbc.Driver" />
      <Property name="jdbc.mysql.user.name"     value="test" />
      <Property name="jdbc.mysql.user.password" value="password" />
      ...
   </Properties>
</Defaults>

When Project OpenPTK is used in Test and Production environments, it is suggested that the "clear text" password be replaced with an encrypted password.

Generate encrypted password

The ptkadmin utility is used to generate an encrypted value for a given String.

  1. If needed, build the openptk packagecli ant target
  2. Change to the CLI bin directory
  3. Run the ptkadmin command
ant clean packagecli

cd build/package/Apps/CLI/openptk-cli-2.0.0/bin

./ptkadmin -e password
EnespBAb/hMwNylyxlh0jw==

Update the property

Save the encrypted output from the ptkadmin utility.

  1. Modify the property for password. Append the String .encrypted to the property name
  2. Modify the property value. Replace the "clear text" String with the encrypted value from ptkadmin -e

Here is a modified version of the openptk.xml sample file:

<Defaults>
   <Properties>
      ...
      <Property name="jdbc.mysql.url"                      value="jdbc:mysql://localhost:3306/openptk" />
      <Property name="jdbc.mysql.driver"                   value="com.mysql.jdbc.Driver" />
      <Property name="jdbc.mysql.user.name"                value="test" />
      <Property name="jdbc.mysql.user.password.encrypted"  value="EnespBAb/hMwNylyxlh0jw==" />
      ...
   </Properties>
</Defaults>

Check Connection

The Properties that were modified in the above section are used by the <Connection> section of the openptk.xml configuration file.


Be Careful
Make sure the <Connection> actually uses the encrypted property

The <Connection> must have a user.password.encrypted property whose value references the encrypted <Property> defined in <Defaults>.

<Connection id="MySQL">
   <Properties>
      ...
      <Property name="user.name"               value="%{jdbc.mysql.user.name}" />
      <Property name="user.password"           value="%{jdbc.mysql.user.password}" />
      <Property name="user.password.encrypted" value="%{jdbc.mysql.user.password.encrypted}" />
      ...
   </Properties>
</Connection>
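
The check described under "Be Careful" can be automated. The script below is an added example, not part of OpenPTK or the original page: it reports clear-text passwords left in <Defaults> and any <Connection> whose user.password.encrypted property is missing or references an undefined default. The <OpenPTK> root element, the sample file and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

REF = re.compile(r"^%\{(.+)\}$")  # %{name} reference syntax shown on this page

def props(parent):
    """Map name -> value for every <Property> below parent."""
    return {p.get("name"): p.get("value", "") for p in parent.iter("Property")}

def audit(xml_text):
    """Return findings about how the proxy-user password is configured."""
    root = ET.fromstring(xml_text)
    findings, defaults = [], {}
    for section in root.iter("Defaults"):
        defaults.update(props(section))
    for name, value in defaults.items():
        if name.endswith("user.password") and value:
            findings.append(f"Defaults: clear-text password in '{name}'")
    for conn in root.iter("Connection"):
        cid, cprops = conn.get("id", "?"), props(conn)
        clear = cprops.get("user.password", "")
        if clear and not REF.match(clear):
            findings.append(f"Connection {cid}: literal clear-text user.password")
        enc = cprops.get("user.password.encrypted")
        if not enc:
            findings.append(f"Connection {cid}: no user.password.encrypted property")
            continue
        ref = REF.match(enc)
        if ref and not defaults.get(ref.group(1)):
            findings.append(f"Connection {cid}: '{ref.group(1)}' not defined in Defaults")
    return findings

# Constructed sample; the <OpenPTK> root element is an assumption.
TEMPLATE = """<OpenPTK><Defaults><Properties>
  <Property name="jdbc.mysql.user.name" value="test" />
  <Property name="{name}" value="{value}" />
</Properties></Defaults>
<Connection id="MySQL"><Properties>
  <Property name="user.name" value="%{{jdbc.mysql.user.name}}" />
  <Property name="user.password.encrypted" value="%{{jdbc.mysql.user.password.encrypted}}" />
</Properties></Connection></OpenPTK>"""
GOOD = TEMPLATE.format(name="jdbc.mysql.user.password.encrypted", value="EnespBAb/hMwNylyxlh0jw==")
BAD = TEMPLATE.format(name="jdbc.mysql.user.password", value="password")  # Defaults not updated

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(text) or "ok")
```

An empty result means every <Connection> resolves its password through an encrypted default.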