Server Configuration > Post Install Server Security > Migrating to Encrypted Server-side Passwords
Migrating to Encrypted Server-side Passwords
By default, the Windchill RV&S server is installed with passwords configured in plain text. If you want to change the default installation and run with encrypted server-side passwords, you can use the encryptPassword application to modify the target server files for password encryption. The encryptPassword application is located as follows:
Before running the encryptPassword application, you must first stop the Windchill RV&S server. After you run the application and restart the server, the system then uses encrypted passwords.
If you have configured Federated Server architecture (FSA) for your environment, you can also use the encryptPassword application to migrate to encrypted passwords on the proxy. To migrate to encrypted passwords on the proxy, run encryptPassword from the installdir/bin directory on the proxy machine. For more information on FSA, see “Understanding Federated Server Architecture”.
When the application is run, if the Windchill RV&S server is running in the default plain text password configuration, it migrates the server to the encrypted password configuration; if the Windchill RV&S server is already running in the encrypted password configuration, it encrypts any target passwords that are in plain text and writes them back to the file in the encrypted format.
To run the application directly and migrate to encrypted passwords, specify encryptPassword with options as follows:
encryptPassword -e|--encryptPassword
./encryptPassword -e|--encryptPassword
encryptPassword runs the application for password encryption.
-e|--encryptPassword specifies the option to migrate the system on the target Windchill RV&S server—whether host or proxy—from plain text passwords to encrypted passwords. If the server is already running in the encrypted password configuration, this option specifies to encrypt any remaining plain text passwords. For example, encryptPassword -e.
For a list of the passwords that are encrypted by the encryptpassword application, see “Encrypting Server-side Passwords”.
On running the encryptPassword application, a keystore and keystore password file are generated if they do not exist. Windchill RV&S uses the JCEKS KeyStore in conjunction with password-based encryption. JCEKS KeyStore is a strong version of the Sun KeyStore implementation. The Sun KeyStore implementation is standard with the Java SE Development Kit (JDK).
All passwords are encrypted using an encryption key that is generated using the Password Based Encryption (PBE) method. The encryption key is stored in a keystore file keystore.jceks located in the installdir/data/security/store directory.
Along with this keystore, the encryptPassword application also generates the keystore password file secret.key in the directory installdir/data/security/key to store the keystore password.
As a best practice, ensure that the keystore password file secret.key is made secure so that only the users authorized to run the encryptPassword application can view the encryption key stored in the keystore.
The length of the encryption key can be configured in the mksis.encryptkeysize property located in the file. The default length of the key is 128 bits, which is in accordance with the Advanced Encryption Standard (AES). The key length cannot be lesser than 128 bits. If a value greater than 128 bits is required, ensure that your country’s government mandate does not have cryptographic restrictions. If your country has maximum cryptographic strengths restriction, and a larger size is required, you should ensure your application is exempt from cryptographic restrictions. For details on making your application exempt from cryptographic restrictions, see the topic Enabling Unlimited Strength Cryptography.
If you need to change the encryption key for your site, perform the following steps:
1. Move all the passwords to plain text format.
2. Set the value of the property global.encryprt to false and delete the keystore and keystore password file.
3. Run the encryptPassword application again.
After passwords are encrypted, you cannot view the plain text passwords in Windchill RV&S configuration files. Instead, the password value is displayed in a file as encrypted.<gen_text> where <gen_text> is the system-generated text, which uniquely identifies the stored encrypted password
For example, if the database password value stored in mks.dbPassword property is password, then after running the encryptPassword application, the encrypted password has some system generated text as follows:
If you want to migrate from a Integrity Lifecycle Manager server older than 12.0 that is already running in the encrypted password configuration, ensure that you manually move back the encrypted passwords to plain text, You should also change the value of global.encrypt property to false. When the encryptPassword application is run, it encrypts plain text passwords and writes them back to the file in the encrypted format.
To migrate encrypted passwords on the Windchill RV&S server