Password Base type
The PASSWORD base type is an encrypted keystore-based value.
Changes in ThingWorx 8.2
In ThingWorx 8.2, the security of the PASSWORD base type was improved. The PASSWORD base type was changed to an encrypted keystore-based value. This change may have implications when importing and exporting passwords. Best practices are described below.
 |
Some Edge agents are not compatible with the new PASSWORD base type due to the stronger security model.
• The C SDK, .NET SDK, EMS, and iOS SDK were not able to access passwords before this change, and will maintain that behavior.
• Prior to ThingWorx 8.2, the Java SDK and Android SDK had the capability to receive passwords and included libraries to decrypt the passwords, once the encrypted values reached the Edge. With this change, the encrypted values cannot be received or decrypted. If a password base type value is sent to the Edge, it triggers an error in the Java and Android SDKs when the Edge attempts to decrypt the password.
◦ JSDK pre-6.1 error:
[O: c.t.t.d.u.ValueCollectionSerializer] [T: main] Error reading value collection data: Unable to read primitive value from stream : Decrypt ERROR: null JSDK
◦ JSDK 6.1+ error:
[L: ERROR] [O: c.t.t.d.u.ValueCollectionSerializer] [T: main] Error reading value collection data: Unable to read primitive value from stream : java.lang.IllegalArgumentException: No key store file path specified
|
|
|
The PASSWORD base type should not be used as a primary key on a data table.
|
Best Practices Adding Passwords to Data Tables and Streams
• When adding entries to a data table or stream using the AddEntry services (for example, AddIntegerStreamEntry) via Composer or the REST API, passwords must be encrypted using EncryptionServices.encryptPropertyValue. For example,
// test password value
var test_password = "test_123"
// values:INFOTABLE(Datashape: test_shape)
var values = Things["test_table"].CreateValues();
var params = {
data: test_password /* STRING */
};
values.p1 = Resources["EncryptionServices"].EncryptPropertyValue(params);
values.s1 = "test_string"; //STRING [Primary Key]
var params = {
source : me.name,
values : values
};
var test_password = "test_123"
// values:INFOTABLE(Datashape: test_shape)
var values = Things["test_table"].CreateValues();
var params = {
data: test_password /* STRING */
};
values.p1 = Resources["EncryptionServices"].EncryptPropertyValue(params);
values.s1 = "test_string"; //STRING [Primary Key]
var params = {
source : me.name,
values : values
};
Best Practices for Importing and Exporting Passwords
• When importing and exporting passwords, use the default export system, and ensure the same keystore is installed on the system doing the import.
• If a plain-text export of passwords is required (recommended for key rotation only), the export must be done via the REST API and should be treated as sensitive information.
|
|
Caution: When exporting plain text passwords, ensure that the file is safeguarded in an appropriate way. Plain text exports do not contain built-in security.
|
An example of a REST API call containing a plain text password:
GET /Thingworx/Exporter/Users/test HTTP/1.1
Host: localhost:8080
Accept: text/xml
Content-Type: application/json
universal: password
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
Host: localhost:8080
Accept: text/xml
Content-Type: application/json
universal: password
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
|
|
Do not export passwords as primary keys in data tables.
|
|
|
If you lose the encryption key (keystore), any encrypted data will be lost.
|
Best Practices for Password Key Rotation
For best practices for key rotation, refer to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
Best Practices for Passwords in a Federated Scenario
When publishing or subscribing to passwords in a federated scenario, encryption and decryption are only successful if you use the same password encryption key. If the keys are different, decryption will be unsuccessful on the federated server, and the property will not be read. An error will be logged if you attempt to use the same encryption key.