How to protect secure information in Product 360 configuration files

General

The configuration files of Product 360 components include sensitive information such as passwords, which can be protected in the following ways:

  • MS SQL Server database user and password can be omitted in configuration files and Windows authentication can be used instead (integrated security).

  • The standard Tomcat mechanism for hashing the Tomcat authentication password is provided with Product 360 Web Search.

  • For other passwords, perform the encryption described below. As a result, the Product 360 configuration no longer contains any sensitive information in plain text.

You can use protection of secure information in configuration files on new as well as existing Product 360 systems.

Use Windows authentication to connect to the database (MS SQL Server only)

Product 360 supports Windows authentication for MS SQL Server connections. In this case the configuration files do not contain sensitive database security data like the name and password of the database user.
This mechanism is supported for MS SQL Server databases of Product 360 Server, Audit Trail and Media Manager only.

To configure integrated security for the web frontend of Media Manager please refer to the chapter "MSSQL with integrated security" in the Media Manager Installation Manual.
To configure integrated security for the connection of Product 360 Server to Media Manager please refer to the chapter "Connection data" in the Product 360 Core and PIM - Media Manager Configuration Manual.

Informatica BPM Server can also be configured to use integrated security. For further information refer to the chapter "Integrated Security" in the Product 360 Informatica BPM Installation Manual.

Configure Product 360 Server and Audit Trail

  • Configure MS SQL Server to use Windows Authentication for the Windows user which is used to run the Windows Services.

  • Configure this user as a database owner.
    Note: If you want to switch to integrated security on existing installations, you have to switch the owner of the Product 360 databases to the Windows user.

  • Configure database connection on Product 360 Server side:

    • In the server.properties file configure the setting db.integrated.security = true. If integrated security is not used, do not remove the setting, but set it to false.

    • Do not remove the settings db.default.user and db.default.password, but leave them empty.

  • Configure database connection on Product 360 Audit Trail side:

    • In the server.properties file configure the setting db.integrated.security = true. If integrated security is not used, do not remove the setting, but set it to false.

    • Do not remove the settings db.audittrail.user and db.audittrail.password, but leave them empty.

For detailed information please refer to the Installation and Configuration Manuals of the corresponding Product 360 server component.

Use password encryption

How to enable/disable password encryption

To enable password encryption enclose the password in the configuration file with the marker [_to_encrypt_] like this:

properties file
# INFA BPM
infa.bpm.base.url = <ENTER THE INFA BPM BASE URL HERE>
infa.bpm.workflows.path = services/REST
infa.bpm.user = <ENTER THE AUTHENTICATION USER HERE>
infa.bpm.password = [_to_encrypt_]MyPassword[_to_encrypt_]

xml configuration file
<network>
  <node identifier="audit-server" host="localhost" port="2801" username="Administrator" password="[_to_encrypt_]MyPassword[_to_encrypt_]"/>
</network>

The passwords will be encrypted during configuration in the Control Center or at the latest at server start and will then look like this:

properties file
# INFA BPM
infa.bpm.base.url = <ENTER THE INFA BPM BASE URL HERE>
infa.bpm.workflows.path = services/REST
infa.bpm.user = <ENTER THE AUTHENTICATION USER HERE>
infa.bpm.password = [_encrypted_]nNJvrr8pfq7cPGk4GHgHHg==[_encrypted_]

xml configuration file
<network>
  <node identifier="audit-server" host="localhost" port="2801" username="Administrator" password="[_encrypted_]nNJvrr8pfq7cPGk4GHgHHg==[_encrypted_]"/>
</network>

Passwords that are already encrypted won't be encrypted a second time.

Note: There is no possibility to see the passwords in plain text again, so please memorize them before encryption is executed.

To disable the encryption you can just replace the value of the setting with the plain text password and omit the markers.

For detailed information about encryption please refer to the Installation and Configuration Manuals of the corresponding Product 360 server component.
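A read-only check for the states described above, as an added example that is not part of the Product 360 documentation or tooling: it classifies each password setting as empty, plaintext, pending ([_to_encrypt_]) or encrypted ([_encrypted_]) and never returns the value itself. The rule that a key or attribute name ending in "password" marks a password, the function names and the example.password line are assumptions; the sample is constructed from the snippets on this page.

```python
import re

# Markers exactly as this page shows them.
TO_ENCRYPT, ENCRYPTED = "[_to_encrypt_]", "[_encrypted_]"

# Assumption: a setting holds a password when its key or XML attribute
# name ends in "password" (this matches the examples on this page).
PROP_RE = re.compile(r"^\s*([\w.\-]*password)\s*[=:]\s*(.*?)\s*$", re.I)
ATTR_RE = re.compile(r'([\w.\-]*password)\s*=\s*"([^"]*)"', re.I)

def wrapped(value, marker):
    """True if value is non-empty content enclosed by marker on both sides."""
    return (len(value) > 2 * len(marker)
            and value.startswith(marker) and value.endswith(marker))

def classify(value):
    if value == "":
        return "empty"      # e.g. db.default.password with integrated security
    if wrapped(value, ENCRYPTED):
        return "encrypted"
    if wrapped(value, TO_ENCRYPT):
        return "pending"    # readable until Control Center or a server start encrypts it
    return "plaintext"

def audit(text):
    """Return (line_no, key, state) per password setting, without the value."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):    # properties-file comments
            continue
        m = PROP_RE.match(line)
        hits = [m.groups()] if m else ATTR_RE.findall(line)
        out += [(no, key, classify(val)) for key, val in hits]
    return out

def needs_action(text):
    """Settings whose password is still readable in the file."""
    return [f for f in audit(text) if f[2] in ("pending", "plaintext")]

# Constructed sample: keys and values from this page, plus a hypothetical
# "example.password" line left in plain text.
SAMPLE = """\
db.integrated.security = true
db.default.password =
infa.bpm.password = [_to_encrypt_]MyPassword[_to_encrypt_]
example.password = MyPassword
<node identifier="audit-server" host="localhost" port="2801" username="Administrator" password="[_encrypted_]nNJvrr8pfq7cPGk4GHgHHg==[_encrypted_]"/>
"""
```

Running audit() over each deployed configuration file after a server start shows which settings were picked up by the encryption step and which were not.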

Limitations and distinctions

  • Passwords won't be checked for respecting password policies.

  • Passwords won't be checked for invalid characters.

  • Protection of Product 360 application user passwords is not a part of this topic.

  • Protection does not cover passwords that may be used by the Product 360 desktop client (e.g. Trust-Store).

  • The standard implementation uses a standard encryption key.

Encryption during database setup

It's possible to encrypt passwords during the database setup. If you configure the database connection and use the encryption token [_to_encrypt_], the passwords will be encrypted.
This mechanism is supported for Product 360 Server databases and the Audit Trail database.

Encryption in Control Center

You can edit the configuration files in Control Center and enclose the passwords with the marker [_to_encrypt_]. When you save the configuration file or at the latest during update of configuration on the server nodes, the passwords will automatically be encrypted.
Only passwords enclosed with the marker [_to_encrypt_] in the files supported by Control Center will be encrypted. The file configService.xml contains the list of the files managed by Control Center.

Encryption during start of Product 360 Server and other server components

During the start of Product 360 Server or other Product 360 server components, passwords that are not yet encrypted and are enclosed with the marker [_to_encrypt_] will be encrypted.

Standard implementation

Product 360 provides a standard implementation of the encryption service, which uses the AES-256 cryptographic algorithm with an internal and securely stored key to encrypt passwords.

For sophisticated deployments we recommend integrating with Encryption Key Management solutions like Amazon AWS or Azure KeyVault and using the API we offer to send and receive data for encryption to these key stores securely.

Customization

If you want to replace the standard implementation of the encryption service with a customer specific implementation, you should provide an implementation of com.heiler.ppm.encryption.api.EncryptionService:

com.heiler.ppm.encryption.api.EncryptionService
public interface EncryptionService
{
  /**
   * Encrypts the given {@link CharSequence}.
   * @param charSequenceToEncrypt The {@link CharSequence} to be encrypted. Must not be <code>null</code>.
   * @return The encrypted {@link CharSequence}, never <code>null</code>.
   */
  public CharSequence encrypt( CharSequence charSequenceToEncrypt ) throws EncryptionServiceException;

  /**
   * Decrypts the given {@link CharSequence}.
   * @param charSequenceToDecrypt The {@link CharSequence} to be decrypted. Must not be <code>null</code>.
   * @return The decrypted {@link CharSequence}, never <code>null</code>.
   */
  public CharSequence decrypt( CharSequence charSequenceToDecrypt ) throws EncryptionServiceException;
}

Note: The implementation has to be provided in all Product 360 components used by the customer such as Product 360 Server, Control Center, Audit Trail and Web Search.

If you want to provide a customized encryption key, one option is to subclass com.heiler.ppm.encryption.internal.encryptionservice.DefaultEncryptionService and use another KeyProvider.

Product 360 Server and Control Center

  • The compiled EncryptionService implementation has to be provided in the plugin directory <PIM_ROOT>\server\plugins.

  • The start parameter ppm.encryptionService contains the name of the class and tells the corresponding application to use this implementation.

  • If your implementation uses an additional configuration properties file, the start parameter ppm.encryptionService.configPath can be used to set the path to that file.

  • (Optional) The start parameter ppm.encryptionService.configPath contains the path to the configuration of the custom implementation.

Example for starting via service:

Product 360 Server - wrapper.conf
wrapper.java.additional.40 = -Dppm.encryptionService=custom.encryption.encryptionService
# optional start parameter
wrapper.java.additional.41 = -Dppm.encryptionService.configPath=<path_to_properties_file>

Example for starting via console:

Product 360 Server - config.ini
ppm.encryptionService=custom.encryption.encryptionService
# optional start parameter
ppm.encryptionService.configPath=<path_to_properties_file>

Product 360 Audit Trail Server

  • The compiled EncryptionService implementation has to be provided in the plugin directory <AUDIT_TRAIL_ROOT>\atserver\plugins.

  • The start parameter ppm.encryptionService contains the name of the class and tells the corresponding application to use this implementation.

  • The plugin name has to be added to the comma-separated parameter osgi.bundles in the files <AUDIT_TRAIL_ROOT>\atserver\bin\conf\wrapper.conf and <AUDIT_TRAIL_ROOT>\atserver\configuration\config.ini.

  • (Optional) The start parameter ppm.encryptionService.configPath contains the path to the configuration of the custom implementation.

Example for starting via service:

Audit Trail server - wrapper.conf
wrapper.java.additional.40 = -Dppm.encryptionService=custom.encryption.encryptionService
# optional start parameter
wrapper.java.additional.41 = -Dppm.encryptionService.configPath=<path_to_properties_file>

Example for starting via console:

Audit Trail server - config.ini
osgi.bundles=[...],reference\:file\:com.custom.encryption.encryptionService.plugin_1.0.0.jar@4
ppm.encryptionService=custom.encryption.encryptionService
# optional start parameter
ppm.encryptionService.configPath=<path_to_properties_file>

Product 360 Web Search

  • The compiled EncryptionService implementation has to be provided in the <WEB_SEARCH_ROOT>/internal/buildFiles/lib folder.

  • The property ppm.encryptionService in the configuration.properties file contains the name of the class and tells the application to use this implementation.

  • (Optional) The property ppm.encryptionService.configPath in the configuration.properties file contains the path to the configuration of the custom implementation.

Example:

Product 360 Web Search - configuration.properties
ppm.encryptionService = custom.encryption.encryptionService
# optional property
ppm.encryptionService.configPath = <path_to_properties_file>

Use hashing of the Tomcat password in Product 360 Web Search

Product 360 Web Search Server supports hashing of web container passwords. In version 8.0.6, only the Index Config Administration Tool supports authentication with credentials. This authentication is enabled by default.
The currently used Solr version 3.6 does not support any authentication.

How to enable/disable Tomcat password hashing

The standard hash algorithm is SHA-512; it can be changed using the property password.hash.algorithm in the configuration.properties file.
Password hashing is executed only if the secure information in the configuration file is enclosed by the marker [_to_hash_].
So, if you want to protect the password "MyPassword" in the configuration.properties file, just use the marker before and after the password like this:

configuration.properties
# container credentials
container.admin.user.name = tomcat
container.admin.user.password = [_to_hash_]MyPassword[_to_hash_]

After the configuration in the file has been made, execute configure.cmd (Linux: configure.sh) to perform the hashing and adjust the Tomcat configuration.

To disable password hashing, replace the corresponding settings in the configuration.properties file with the plain text values without any markers and execute the configure batch file to adjust the Tomcat configuration.

Disable Tomcat authentication

If you don't want to use password authentication in the Tomcat container at all, the following steps are needed to switch it off:

  • Modify the file <WEB_SEARCH_ROOT>\<TOMCAT_SERVER>\webapps\hps-config-admin\WEB-INF\web.xml and comment out the XML tags security-constraint, security-role and login-config:

    web.xml
    <!--
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Config Admin</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin-gui</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>admin-gui</role-name>
    </security-role>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    -->
  • Restart tomcat server
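To confirm which state a deployed web.xml is in, the following added example (not part of the Product 360 documentation or tooling) parses the file and reports whether the security-constraint and login-config blocks are active or commented out, together with the roles and HTTP methods the constraint names. The function names and the minimal web-app wrapper are assumptions; the XML block is constructed from the snippet above.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def texts(parent, name):
    """Stripped text of every descendant element of parent called name."""
    return [(e.text or "").strip() for e in parent.iter() if local(e.tag) == name]

def auth_status(web_xml_text):
    # ElementTree drops XML comments while parsing, so a commented-out
    # block does not appear in the tree at all.
    root = ET.fromstring(web_xml_text)
    roles, methods, patterns, auth = [], [], [], []
    for child in root:
        kind = local(child.tag)
        if kind == "security-constraint":
            roles += texts(child, "role-name")
            methods += texts(child, "http-method")
            patterns += texts(child, "url-pattern")
        elif kind == "login-config":
            auth += texts(child, "auth-method")
    return {
        "protected": bool(roles and patterns and auth),
        "auth_method": auth[0] if auth else None,
        "roles": roles,
        "methods": methods,
    }

# Constructed from the web.xml snippet on this page.
BLOCK = """
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Config Admin</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin-gui</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>admin-gui</role-name></security-role>
<login-config><auth-method>BASIC</auth-method></login-config>
"""
ENABLED = "<web-app>" + BLOCK + "</web-app>"
DISABLED = "<web-app><!--" + BLOCK + "--></web-app>"
```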