Encrypting Passwords for SSO
To work with the KeyStore, the KeyStore provider uses a secure token that is stored encrypted in a file. All data written to the KeyStore is stored securely using the password. The first time the provider is started, it generates a random password value and a KeyStore file, if they do not already exist.
The KeyStore password and KeyStore file should be restricted to only the application user. The application user must have read/write permissions to the files.
The examples below are Windows-based. Change commands, as necessary, if you are using a Linux-based OS.
To create a KeyStore file ahead of time and store initial data in it, you must use the Security Management Tool.
1. Obtain the Security Management Tool ZIP file from the PTC Support site. If you already have this tool installed, skip to step 3.
2. Extract the contents of the zip file to a directory.
3. Create a configuration file with the following parameters, and place it in the bin folder of the unzipped files.
In this example, the file is named keystore.conf, the version of the tool is, and it is located at C://security-common-cli- .
The default-encryption-key-length must match the application configuration. In ThingWorx, it is the InternalAesCryptographicKeyLength parameter located in platform-settings.json. The default is 128, but you can use 256-bit encryption if you are using Java 1.8.0_162 or higher. If necessary, you can also use with older Java versions by updating the java policy for the key size limit.
security {
secret-provider = "com.thingworx.security.provider.keystore.KeyStoreProvider"
default-encryption-key-length = 128

keystore {
password-file-path = "/ThingworxPlatform/ssoSecurityConfig"
password-file-name = "keystore-password"
path = "/ThingworxPlatform/ssoSecurityConfig"
name = "_sso_keystore"
4. Stop the ThingWorx server.
5. Start a command prompt as Administrator and direct to the location of security-common-cli-\bin.
6. Run the following command to switch to the shell prompt of the tool:
C:\security-common-cli-\bin> security-common-cli.bat <path to keystore>\keystore.conf
7. Run the set of commands below to insert the passwords:
Database password:

> set encrypt.accesstoken.password <add-password-here>
KeyStore Store Password (password for sso-keystore.jks):
> set encrypt.keystorestore.password <add-keystorestore-password-here>
KeyStore Key Password (password for keys in sso-keystore.jks):
> set encrypt.keystorekey.password <add-keystorekey-password-here>
Service Provider client secret(s): For each AuthorizationServersSettings.<AuthorizationServerId> mentioned in the /ThingworxPlatform/ssoSecurityConfig/sso-settings.json file.

> set <AuthorizationServerId>.encrypt.SP.clientSecret <add-SP-clientSecret-here>
For example, for the sso-settings.json configuration file below, run the commands that follow it:
"AuthorizationServersSettings": {
"PingFed1": {
"clientId": "twx-sp-client-1",
"clientSecret": "twx-sp-client_1234",
"authorizeUri": "https://pingfed1.com:9031/as/authorization.oauth2",
"tokenUri": "https://pingfed1.com:9031/as/token.oauth2",
"clientAuthScheme": "form"
"PingFed2": {
"clientId": "twx-sp-client-2",
"clientSecret": "twx-sp-client_123456",
"authorizeUri": "https://pingfed2.com:9031/as/authorization.oauth2",
"tokenUri": "https://pingfed2.com:9031/as/token.oauth2",
"clientAuthScheme": "form"

> set PingFed1.encrypt.SP.clientSecret twx-sp-client_1234
> set PingFed2.encrypt.SP.clientSecret twx-sp-client_123456
Resource Server client secret (only in the case where ThingWorx is configured as the resource server):
> set encrypt.RP.clientSecret <add-clientSecret-here>
8. Type exit to exit the shell mode:
> exit
9. Open /ThingworxPlatform/ssoSecurityConfig/sso-settings.json and make the following updates:
Database password: Under AccessTokenPersistenceSettings, change the password value to:
KeyStore Store password: Under KeyManagerSettings, change the keyStoreStorePass value to:
KeyStore Key password: Under KeyManagerSettings, change the keyStoreKeyPassvalue to:
Service Provider client secret(s): For each AuthorizationServersSettings.<AuthorizationServerId>.clientSecret, change the clientSecret value to:
10. If ThingWorx is configured as the resource server, open the /ThingworxPlatform/ssoSecurityConfig/resourceServerSettings.json file and make the following update:
Resource server client secret: Under ResourceServerSettings.accessTokenServicesSettings, change the clientSecret value to:
11. Start the ThingWorx server.
Was this helpful?