Encrypting Passwords

Installation and Configuration > Installing ThingWorx > Installation Appendices > Encrypting Passwords

See the topic, Security Management Tool, in this Help Center for more information.

Encrypting License and Database Passwords (8.4.0+)

The KeyStore provider makes use of a secure token stored encrypted in a file to work with the KeyStore. All data written to the KeyStore will be stored securely using the password. The first time the provider is started it will generate a random password value and a KeyStore file if they do not already exist.

The KeyStore password and KeyStore file should be restricted to only the application user. The application user must have read/write permissions to the files.

The examples below are Windows-based. Change commands as necessary if you are using a Linux-based OS.

To pre-create a KeyStore file and store initial data in it, you must use the Security Management Tool.

1. Obtain the Security Management Tool zip file from the PTC Support site.

2. Extract the contents of the zip file to a directory.

3. Create a configuration file with the following parameters and place it in the bin folder of the unzipped files.

In this example, the file is named keystore.conf, the version of the tool is 1.0.0.36, and it is located at C://security-common-cli-1.0.0.36/bin .

The default-encryption-key-length must match the application configuration. In ThingWorx, it is the InternalAesCryptographicKeyLength parameter located in platform-settings.json. The default is 128, but you can use 256-bit encryption if you are using Java 1.8.0_162 or higher. If necessary, you can also use with older Java versions by updating the java policy for the key size limit.

{
security {
secret-provider = "com.thingworx.security.provider.keystore.KeyStoreProvider"
default-encryption-key-length = 128

keystore {
password-file-path = "/ThingworxPlatform"
password-file-name = "keystore-password"
path = "/ThingworxStorage"
name = "keystore"
}
}
}

4. Launch a command prompt and go to the location of security-common-cli-1.0.0.36\bin.

5. Run the following to create a password file and KeyStore at the configured location:

◦ license password:

C:\security-common-cli-1.0.0.36\bin> security-common-cli.bat <path to keystore>\keystore.conf
set encrypt.licensing.password "add-password-here"

◦ database password:

C:\security-common-cli-1.0.0.36\bin> security-common-cli.bat <path to keystore>\keystore.conf
set encrypt.db.password "add-password-here"

◦ license proxy password:

C:\security-common-cli-1.0.0.36\bin> security-common-cli.bat <path to keystore>\keystore.conf
set encrypt.proxy.password "add-password-here"

◦ RabbitMQ password (if you have installed ThingWorx Flow):

C:\security-common-cli-1.0.3.48\bin> security-common-cli.bat <path to keystore>\keystore.conf
set encrypt.queue.password "add-password-here"

6. Open ThingworxPlatform\platform-settings.json and make the following updates:

◦ license password: Under LicensingConnectionSettings, change the password value to encrypt.licensing.password. For example, "password": "encrypt.licensing.password"

◦ database password: Under the PersistenceProviderPackageConfigs ConnectionInformation for the persistence provider you are using, change the password value to encrypt.db.password. For example, "password": "encrypt.db.password"

◦ license proxy password: Under LicensingConnectionSettings, change the password value to encrypt.proxy.password. For example, "password": "encrypt.proxy.password"

◦ RabbitMQ password (if you have installed ThingWorx Flow): In the platform-settings.json file, under OrchestrationSettings, change the QueuePassword value to encrypt.queue.password. For example, "QueuePassword": "encrypt.queue.password"

This password signals the ThingWorx platform to look up the encrypted password in the keystore when it is encountered.

Encrypting License and Database Passwords (8.3.x and below)

Refer to older versions of the Installation Guide for this process.

Was this helpful?