Encrypting LDAP and Database Passwords in MMC

Enterprise Edition

The Management Console allows you to encrypt, out of the box, the following passwords used by MMC:

Database for environment data
Database for tracking data (Business Events)
LDAP password for MMC access to LDAP server

Previous versions of MMC required you to download an external library in order to encrypt the passwords, and to alter MMC configuration files in order to modify Java beans. In MMC, all you need to do is encrypt the password by running the provided script, and include the encrypted result in the relevant configuration file.

Assumptions

This document assumes that you are familiar with the basic Architecture of the Mule Management Console. It also assumes that you have installed MMC version 3.5.0. (Download it from the customer portal if you need to upgrade to this version.)

Overview

MMC stores passwords in configuration files, in plain text by default. In this scenario, an attacker with access to the filesystem where MMC resides could easily read the stored passwords. Encrypting the passwords allows you to avoid this security risk.

MMC uses the Jasypt encryption library for password encryption. You encrypt your password by running a script included in the MMC installation, as explained below.

Encrypting the Password

To encrypt the password, run the appropriate script in your system’s terminal:

Unix: <MMC_HOME>/encrypt/encrypt.sh
Windows: <MMC_HOME>\encrypt\encrypt.bat

The script accepts several parameters, in the form <parameter>=<value>.

Script parameter Description

Script parameter	Description
`input`	The value to encrypt. This is the actual LDAP or database password you wish to encrypt.
`password`	The string used for encrypting `input`. This is not the LDAP or database password, but the phrase used to encrypt the password. The password itself is provided in the `input` parameter.
`algorithm`	(Optional.) The algorithm to use for encryption.

input

The value to encrypt. This is the actual LDAP or database password you wish to encrypt.

password

The string used for encrypting input. This is not the LDAP or database password, but the phrase used to encrypt the password. The password itself is provided in the input parameter.

algorithm

(Optional.) The algorithm to use for encryption.

Example

./encrypt.sh input=mypassword password=mykey algorithm=PBEWithMD5AndDES

MMC uses DEFAULTPASS as the default value of the encryption key (you provide this value with the password parameter, as shown in the example above). If you change this value, you will need to start MMC with the following parameter:

-DMMC_ENCRYPTION_KEY=<your key>

For example, if running MMC on Tomcat, you can modify the catalina.sh file to include the parameter.

For more information on starting Mule with custom parameters, see Starting and Stopping Mule ESB.

Note that if on a Unix or Unix-based system, you need to set execute permissions for encrypt.sh to be able to run it.

How to apply execute permissions on Unix systems

To set execute permissions for the encrypt.sh script, complete the following steps:

Open a terminal and log in to the system as the owner of the file, or as the root user (use the su or sudo commands according to your system configuration).
Run the following command:

chmod a+x <path to file>encrypt.sh

This will assign execute permissions for all users on the system. If you wish to assign permissions only for the owner of the file, use chmod u+x instead.

Note about Tomcat installations on some systems

As a security measure, on some systems the Tomcat user is not allowed to run commands (the user’s login shell is set to /bin/false). In this case, you have several choices for running the encryption script:

Set global execute permissions for the script, then run the script as another user.
Set permissions only for the Tomcat user, then run the script as root.
As another user, make a copy the script, then run it.

For more information on the chmod command, consult the manual page by running man chmod.

When you run the script, it will show the encrypted password on standard output, as shown in the example below.

./encrypt.sh input="mmc123" password=DEFAULTPASS

----ENVIRONMENT-----------------
Runtime: Sun Microsystems Inc. OpenJDK 64-Bit Server VM 20.0-b12

----ARGUMENTS-------------------
input: mmc123
password: DEFAULTPASS

----OUTPUT----------------------
kB0xirnPDlRXeCcHUjP7NQ==

Copy the encrypted output (the last line displayed above) and store it in a convenient location, such as a text file of your choosing. You will need to copy this value to the appropriate configuration file, as explained in the next section.

For more information about encrypt.sh, including other usage examples, see Jasypt’s CLI Tools page.

Modifying the Configuration File

Determining Which File to Modify

MMC stores passwords in the files and directories listed below:

LDAP:

<MMC_HOME>/WEB-INF/classes/META-INF/mmc-ldap.properties

Databases for persistent and tracking data:

<MMC_HOME>/WEB-INF/classes/META-INF/databases

The databases directory contains one configuration file per supported database engine (see note below). There are two types of configuration files:

Files for supported database engines to store MMC persistent data (created alerts, deployments, etc.) These files are named in the format mmc-<database engine name>.properties. For example, mmc-postgres.properties.
Files for supported database engines to store transaction data (Business Events). These files are named in the format tracking-persistence-<database engine name>.properties. For example, tracking-persistence-postgres.properties.

Click to see a complete listing of the databases directory

mmc-db2.properties
mmc-derby.properties
mmc-mssql.properties
mmc-mysql.properties
mmc-oracle.properties
mmc-postgres.properties
tracking-persistence-db2.properties
tracking-persistence-h2.properties
tracking-persistence-mssql.properties
tracking-persistence-mysql.properties
tracking-persistence-oracle.properties
tracking-persistence-postgres.properties

By default, MMC stores persistent and transaction data on internal databases. However, you can store this data on external databases (see Persisting MMC Data On External Databases for details and supported database servers). If you are using MMC’s internal databases, in order to encrypt your password you will need to modify the following configuration files:

For persistent data: mmc-derby.properties
For transaction data: tracking-persistence-h2.properties

Modifying the File

For each file that you need to modify, open it and locate one of the following lines, according to the type of data whose password you wish to encrypt:

For the persistent data password:

env.password=mmc123

For the transaction data password:

mmc.tracking.db.password=mmc123

For the LDAP password:

password=mmc123

Comment the line by adding a hash symbol (#) to the beginning of the line, for example:

# env.password=mmc123

Add a new line with the variable declaration (in this example, env.password for the password for environment data) and the encoded value of your password in the following format:

ENC("<your encoded password>")

For example:

env.password=ENC("kB0xirnPDlRXeCcHUjP7NQ==")

Examples of File Selections

Encrypting the password for tracking data stored on MMC’s default tracking database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/tracking-persistence-h2.properties (parameter mmc.tracking.db.password).

Encrypting the password for persistent data stored on MMC’s default persistent data database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/mmc-derby.properties (parameter env.password).

Encrypting the password for persistent data stored on an external Oracle database: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/databases/mmc-oracle.properties (parameter env.password).

Encrypting the password for LDAP: modify the file <MMC_HOME>/WEB-INF/classes/META-INF/``mmc-ldap.properties `(parameter `password).

Gartner names MuleSoft a Leader

Create connected experiences with AI

Future of connected AI agents

The world of AI is a world of APIs