kawansoft/aceql-http

Encrypt database usernames and passwords

mukhtarhussain opened this issue · 9 comments

Hi Nicolas,

Is it possible to encrypt database usernames and passwords in aceql-server.properties file? Leaving such sensitive info in plain text can be a security risk.

Cheers,
Mukhtar

Hi Mukhtar,

It depends:

  • No, it is not possible for now in an easy and standard way with current configuration files.
  • Yes, it can be done with the current version, but you have to write your own DatabaseConfigurator and create the Tomcat JDBC Pool.

This should be implemented in the next version. We first have to look for a clean third-party crypto implementation.

Please note that activating this option will require entering the master password at each server startup, so the AceQL server restart cannot be done automatically at reboot when using encrypted passwords.

Regards,
N.

Hi Nicolas,

Yeah, I read about Advanced Connection Pool Management, but since I haven't coded in Java for a long time, it might take a lot of effort at my end. So I guess I will wait for the next version. Is there any rough timeframe when this feature would be released? Thanks.

Cheers,
Mukhtar

Hi Mukhtar,
Security is very important; we plan this for ASAP, this December.

Awesome. Thanks Nicolas. :)

Hey Nicolas,

I hope you are doing well.

Just wanted to know how it is going with the above change request. Are you still aiming for the release this month?

Cheers,
Mukhtar

Hi Mukhtar,
The version that supports encryption for usernames and passwords is planned to be released this December, or the first week of January 2021 at the latest.
Regards,
N.

Great!! Thanks for the update Nicolas. :)

Cheers,
Mukhtar

Hi Mukhtar,
I'm happy to announce that our just-released 7.0 version now supports username & password encryption in the aceql-server.properties file.

Howto:

Open a command line session and run:
java -jar <install-dir>/lib-server/properties-encryptor-7.0.jar

Follow the instructions to choose a password & encrypt property values.
Then, in your aceql-server.properties, replace the clear values with the encrypted ones.

See the Javadoc of PropertiesPasswordManager in order to provide the password to AceQL at runtime for decryption.

Regards,
N.