By default, the Windchill RV&S server is installed with passwords configured in plain text. If you want to change the default installation and run with encrypted server-side passwords, you can use the encryptPassword application to modify the target server files for password encryption. The encryptPassword application is located as follows:

If you have configured Federated Server architecture (FSA) for your environment, you can also use the encryptPassword application to migrate to encrypted passwords on the proxy. To migrate to encrypted passwords on the proxy, run encryptPassword from the installdir/bin directory on the proxy machine. For more information on FSA, see “Understanding Federated Server Architecture”.

When the application is run, if the Windchill RV&S server is running in the default plain text password configuration, it migrates the server to the encrypted password configuration; if the Windchill RV&S server is already running in the encrypted password configuration, it encrypts any target passwords that are in plain text and writes them back to the file in the encrypted format.

To run the application directly and migrate to encrypted passwords, specify encryptPassword with options as follows:

or

where

For a list of the passwords that are encrypted by the encryptpassword application, see “Encrypting Server-side Passwords”.

On running the encryptPassword application, a keystore and keystore password file are generated if they do not exist. Windchill RV&S uses the JCEKS KeyStore in conjunction with password-based encryption. JCEKS KeyStore is a strong version of the Sun KeyStore implementation. The Sun KeyStore implementation is standard with the Java SE Development Kit (JDK).

All passwords are encrypted using an encryption key that is generated using the Password Based Encryption (PBE) method. The encryption key is stored in a keystore file keystore.jceks located in the installdir/data/security/store directory.

Along with this keystore, the encryptPassword application also generates the keystore password file secret.key in the directory installdir/data/security/key to store the keystore password.

The length of the encryption key can be configured in the mksis.encryptkeysize property located in the is.properties file. The default length of the key is 128 bits, which is in accordance with the Advanced Encryption Standard (AES). The key length cannot be lesser than 128 bits. If a value greater than 128 bits is required, ensure that your country’s government mandate does not have cryptographic restrictions. If your country has maximum cryptographic strengths restriction, and a larger size is required, you should ensure your application is exempt from cryptographic restrictions. For details on making your application exempt from cryptographic restrictions, see the topic Enabling Unlimited Strength Cryptography.

If you need to change the encryption key for your site, perform the following steps:

After passwords are encrypted, you cannot view the plain text passwords in Windchill RV&S configuration files. Instead, the password value is displayed in a file as encrypted.<gen_text> where <gen_text> is the system-generated text, which uniquely identifies the stored encrypted password

For example, if the database password value stored in mks.dbPassword property is password, then after running the encryptPassword application, the encrypted password has some system generated text as follows:

mks.dbPassword=encrypted.wRKAKkhyW5s263TaJz05pSG10HwFxibAmfKuO7kRiq4.