grouper-dev - storing passwords encrypted in external files
- From: Chris Hyzer <>
- To: Grouper Dev <>
- Subject: storing passwords encrypted in external files
- Date: Mon, 18 Aug 2008 02:52:23 -0400
- Accept-language: en-US
Hey,

This bug is completed. All of this is optional by the way, grouper will work the same as is.

https://bugs.internet2.edu/jira/browse/GRP-122
https://wiki.internet2.edu:443/confluence/x/el0

I had a version of the jdbc source adapter with better error handling, so I added it in, which completes what I had in mind for this bug (if someone wants to code review that would be good):

https://bugs.internet2.edu/jira/browse/MCO-16

The goal of the external password encryption is to improve password security:

1. config files should be able to be emailed around without having to cleanse them
2. config files (and warfiles) should not contain passwords so they can be stored in version control etc
3. only people who have permissions on the production box will need to know the password, not developers who send them the war to deploy
4. If someone finds a config file, they cannot see the password, and there is no documented way to unencrypt it

To upgrade (and this is in the change log from 1.3-1.4):

a. All subject source adapter classes in sources.xml should change (regardless if using external encrypted passwords).

   FROM: edu.internet2.middleware.subject.provider.JDBCSourceAdapter
   TO:   edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter

   FROM: edu.internet2.middleware.subject.provider.JNDISourceAdapter
   TO:   edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter

b. In grouper.properties, set the grouper.encrypt.key entry to a random alphanumeric string, or a pathname of a file containing the alphanumeric string

c. In sources.xml, and grouper.hibernate.properties, encrypt the passwords with GROUPER_HOME/bin/encrypt.bat (or .sh)

d. Put results in a file, and put the file path where the passwords were in sources.xml or grouper.hibernate.properties

e.g. Here is my grouper.properties:

# Put a random alphanumeric string (Case sensitive) for the password encryption. e.g. fh43IRJ4Nf5
# or put a filename where the random alphanumeric string is. e.g. c:/whatever/key.txt
grouper.encrypt.key = C:/mchyzer/isc/dev/grouper/grouperDecryptKey.txt

# set this to true if you have slashes in your passwords and dont want to look in external files
grouper.encrypt.disableExternalFileLookup = false

In the file C:/mchyzer/isc/dev/grouper/grouperDecryptKey.txt is a key like:

fur43MD2kl

Then I take my db password from sources.xml and grouper.hibernate.properties, and I encrypt like this (note, two ways to do it, the default which masks the input [though kind of shady due to java], and one that doesn't mask in case masking has problems... note both show the same output):

C:\mchyzer\isc\dev\grouper-qs-1.2.0\grouper\bin>encrypt
Wait a minute during initialization...
grouper.properties read from: C:\mchyzer\isc\dev\grouper-qs-1.2.0\grouper\bin\..\conf\grouper.properties
Enter the string to encrypt:*****
The encrypted string is: 2aac86f12aexxxxxx81144b5b1e4ba

C:\mchyzer\isc\dev\grouper-qs-1.2.0\grouper\bin>encrypt dontMask
Wait a minute during initialization...
grouper.properties read from: C:\mchyzer\isc\dev\grouper-qs-1.2.0\grouper\bin\..\conf\grouper.properties
Enter the string to encrypt: test
The encrypted string is: 2aac86f12aexxxxxx81144b5b1e4ba

C:\mchyzer\isc\dev\grouper-qs-1.2.0\grouper\bin>

Then write that encrypted string to the password file, in my case: C:/mchyzer/isc/dev/grouper/grouperLocalPass.txt

And in grouper.hibernate.properties and sources.xml, replace the password with that file location:

hibernate.connection.password = C:/mchyzer/isc/dev/grouper/grouperLocalPass.txt

<init-param>
  <param-name>dbPwd</param-name>
  <param-value>C:/mchyzer/isc/dev/grouper/grouperLocalPass.txt</param-value>
</init-param>

Note, I didn't test the JNDI one since I don't do JNDI, if someone can test it that would be great.

Chris
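Added example (not Grouper's code and not from the message above): a small pre-commit style check that the upgrade steps b-d were actually applied, i.e. that grouper.encrypt.key and every password entry in grouper.hibernate.properties and sources.xml point at an external file rather than holding the value inline, honoring grouper.encrypt.disableExternalFileLookup. The .properties parser, the dbPwd lookup and the sample files in demo() are constructed here; the file contents are stand-ins, not real bin/encrypt output.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROP_RE = re.compile(r"^\s*([^=:\s#!][^=:\s]*)\s*[=:\s]\s*(.*?)\s*$")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#'/'!' lines are comments."""
    return {m.group(1): m.group(2) for m in map(PROP_RE.match, text.splitlines()) if m}

def is_external(value):
    """The scheme's indirection: a value naming an existing file is read from that file."""
    return Path(value).is_file()

def password_entries(hibernate_text, sources_xml):
    """Settings carrying a DB password: hibernate *.password keys and each source's dbPwd."""
    for key, val in parse_properties(hibernate_text).items():
        if key.endswith(".password"):
            yield key, val
    for ip in ET.fromstring(sources_xml).iter("init-param"):
        if (ip.findtext("param-name") or "").strip() == "dbPwd":
            yield "sources.xml dbPwd", (ip.findtext("param-value") or "").strip()

def audit(grouper_text, hibernate_text, sources_xml):
    """Findings for config that still embeds a password or a literal key."""
    gp = parse_properties(grouper_text)
    key = gp.get("grouper.encrypt.key", "")
    if gp.get("grouper.encrypt.disableExternalFileLookup", "").lower() == "true":
        return [] if key else ["grouper.encrypt.key is not set"]  # values must be inline
    findings = []
    if not is_external(key):
        findings.append("grouper.encrypt.key is literal or missing; keep it in a file outside config")
    for where, val in password_entries(hibernate_text, sources_xml):
        if not is_external(val):
            findings.append(f"{where}: value is not an external file reference")
    return findings

def demo():
    """Constructed sample: the message's layout, then one with a password left inline."""
    d = Path(tempfile.mkdtemp())
    key_file, pass_file = d / "grouperDecryptKey.txt", d / "grouperLocalPass.txt"
    key_file.write_text("fur43MD2kl\n")  # random alphanumeric key, as in the message
    pass_file.write_text("deadbeef00\n")  # constructed stand-in for bin/encrypt output
    grouper = f"grouper.encrypt.key = {key_file}\ngrouper.encrypt.disableExternalFileLookup = false\n"
    sources = ("<sources><source><init-param><param-name>dbPwd</param-name>"
               f"<param-value>{pass_file}</param-value></init-param></source></sources>")
    good = audit(grouper, f"hibernate.connection.password = {pass_file}\n", sources)
    bad = audit(grouper, "hibernate.connection.password = cleartextpw\n", sources)
    return good, bad
```

With lookups disabled the check can only confirm that a key is set, since an inline encrypted string and an inline cleartext password are indistinguishable to it.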