Encrypting Passwords
Refer to the Security Management Tool topic in this Help Center for more information.
Encrypting License and Database Passwords
The KeyStore provider uses a secret token, stored encrypted in a file, to open the KeyStore. All data written to the KeyStore is encrypted with this password. When the provider starts for the first time, it generates a random password value and a KeyStore file if they do not already exist.
* The KeyStore password file and the KeyStore file should be restricted to the application user only; that user must have Read/Write permissions on both files.
* The examples below are Windows-based. If you are using a Linux-based OS, adjust the commands and paths as necessary.
To pre-create a KeyStore file and store the initial data in it, you must use the Security Management Tool.
1. Obtain the Security Management Tool ZIP file from the PTC Support site.
2. Extract the contents of the ZIP file to a folder.
3. Create a configuration file with the following parameters and place it in the bin folder of the unzipped files. In this example, the file is named keystore.conf, the tool version is 1.0.3.48, and the file is located at C:\security-common-cli-1.0.3.48\bin.
* The default-encryption-key-length must match the application configuration. In ThingWorx, this is the InternalAesCryptographicKeyLength parameter in platform-settings.json. The default is 128; you can use 256-bit encryption if you are running Java 1.8.0_162 or later. On older Java versions, 256-bit keys require updating the Java policy that limits key size.
{
  security {
    secret-provider = "com.thingworx.security.provider.keystore.KeyStoreProvider"
    default-encryption-key-length = 128

    keystore {
      password-file-path = "/ThingworxPlatform"
      password-file-name = "keystore-password"
      path = "/ThingworxStorage"
      name = "keystore"
    }
  }
}
4. Launch a command prompt and go to the location of security-common-cli-<latest>\bin.
5. Run the following commands to create the password file and KeyStore at the configured location and store each secret in it:
license password:
C:\security-common-cli-<latest>\bin> security-common-cli.bat <path to keystore>\keystore.conf set encrypt.licensing.password <add-password-here>
database password:
C:\security-common-cli-<latest>\bin> security-common-cli.bat <path to keystore>\keystore.conf set encrypt.db.password <add-password-here>
license proxy password:
C:\security-common-cli-<latest>\bin> security-common-cli.bat <path to keystore>\keystore.conf set encrypt.proxy.password <add-password-here>
RabbitMQ password (if you have installed ThingWorx Flow):
C:\security-common-cli-<latest>\bin> security-common-cli.bat <path to keystore>\keystore.conf set encrypt.queue.password <add-password-here>
6. Open ThingworxPlatform\platform-settings.json and make the following updates:
license password: Under LicensingConnectionSettings, change the password value to encrypt.licensing.password. For example, "password": "encrypt.licensing.password"
database password: Under the PersistenceProviderPackageConfigs ConnectionInformation for the persistence provider you are using, change the password value to encrypt.db.password. For example, "password": "encrypt.db.password"
license proxy password: Under LicensingConnectionSettings, change the password value to encrypt.proxy.password. For example, "proxyPassword": "encrypt.proxy.password"
RabbitMQ password (if you have installed ThingWorx Flow): In the platform-settings.json file, under OrchestrationSettings, change the QueuePassword value to encrypt.queue.password. For example, "QueuePassword": "encrypt.queue.password"
This placeholder value tells the ThingWorx platform to look up the encrypted password in the KeyStore when the setting is read, so the secret itself no longer appears in platform-settings.json.
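The procedure above has two points where a mismatch silently leaves a secret unprotected: a password field that was not switched to its placeholder stays in plaintext on disk, and a default-encryption-key-length that disagrees with InternalAesCryptographicKeyLength breaks decryption. The following Python script is an added example, not part of PTC's tooling or this Help Center's procedure. It cross-checks a keystore.conf against a platform-settings.json: it confirms the two key lengths agree (treating an absent InternalAesCryptographicKeyLength as the documented default of 128) and lists every password, proxyPassword or QueuePassword field that does not hold one of the four placeholders from step 6. Both input files are constructed samples embedded inline; the nesting of sections inside platform-settings.json is an assumption, which is why the checker searches by key name rather than by fixed path.

```python
import json
import re

# Constructed sample of the keystore.conf from step 3 (HOCON syntax).
SAMPLE_KEYSTORE_CONF = """
{
  security {
    secret-provider = "com.thingworx.security.provider.keystore.KeyStoreProvider"
    default-encryption-key-length = 128

    keystore {
      password-file-path = "/ThingworxPlatform"
      password-file-name = "keystore-password"
      path = "/ThingworxStorage"
      name = "keystore"
    }
  }
}
"""

# Constructed excerpt of platform-settings.json. The section nesting is an
# assumption; the licensing password was deliberately left as a literal.
SAMPLE_PLATFORM_SETTINGS = """
{
  "PlatformSettingsConfig": {
    "BasicSettings": { "InternalAesCryptographicKeyLength": 128 },
    "LicensingConnectionSettings": {
      "username": "twx-license",
      "password": "Plaintext-Secret-1",
      "proxyPassword": "encrypt.proxy.password"
    }
  },
  "PersistenceProviderPackageConfigs": {
    "PostgresPersistenceProviderPackage": {
      "ConnectionInformation": { "password": "encrypt.db.password" }
    }
  },
  "OrchestrationSettings": { "QueuePassword": "encrypt.queue.password" }
}
"""

# The four lookup keys stored in the KeyStore in step 5.
KEYSTORE_PLACEHOLDERS = {
    "encrypt.licensing.password",
    "encrypt.db.password",
    "encrypt.proxy.password",
    "encrypt.queue.password",
}
# Field names from step 6 that should reference the KeyStore.
PASSWORD_FIELDS = {"password", "proxyPassword", "QueuePassword"}


def parse_key_length(conf_text):
    """Read default-encryption-key-length from keystore.conf.
    A regex suffices here; a full HOCON parser is not required."""
    m = re.search(r"default-encryption-key-length\s*=\s*(\d+)", conf_text)
    if m is None:
        raise ValueError("default-encryption-key-length not found in keystore.conf")
    return int(m.group(1))


def find_keys(node, names, path=()):
    """Walk a parsed JSON tree and return (dotted path, value) for every
    key whose name is in `names`, regardless of where it is nested."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in names:
                hits.append((".".join(path + (key,)), value))
            hits.extend(find_keys(value, names, path + (key,)))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_keys(item, names, path + (str(i),)))
    return hits


def audit(conf_text, settings_text):
    """Compare keystore.conf with platform-settings.json and report
    the key-length agreement and which password fields are still literal."""
    settings = json.loads(settings_text)

    # The platform default is 128 when the parameter is not set.
    found = find_keys(settings, {"InternalAesCryptographicKeyLength"})
    platform_len = int(found[0][1]) if found else 128
    conf_len = parse_key_length(conf_text)

    placeholders, plaintext = [], []
    for dotted, value in find_keys(settings, PASSWORD_FIELDS):
        if value in KEYSTORE_PLACEHOLDERS:
            placeholders.append(dotted)
        else:
            plaintext.append(dotted)  # still a literal secret on disk

    return {
        "key_length_match": platform_len == conf_len,
        "conf_key_length": conf_len,
        "platform_key_length": platform_len,
        "placeholders": placeholders,
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_KEYSTORE_CONF, SAMPLE_PLATFORM_SETTINGS)
    for field in report["plaintext"]:
        print(f"WARNING: {field} is not a KeyStore placeholder")
    print("key length match:", report["key_length_match"])
```

Run it against the real files by replacing the two sample strings with the contents of your keystore.conf and platform-settings.json. Any path listed under "plaintext" is a field that step 6 has not yet covered; a key-length mismatch means the value written with the Security Management Tool cannot be decrypted by the platform and should be corrected before the platform is restarted.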