5 Password Encryption

This chapter provides information about how you can access the Oracle Enterprise Repository Diagnostics page and encrypt passwords.


Password encryption is enabled by default in Oracle Enterprise Repository. To disable it, use the JVM startup parameter cmee.passwordencryption=false.

5.1 Accessing Oracle Enterprise Repository Diagnostics Page

In the Oracle Enterprise Repository 11g release, the Diagnostics page is disabled by default. To reach it, navigate to http://host_name:port/application_name/diag/index.jsp (replace host_name with the appropriate location).

When you open the Diagnostics page in the default mode, the following message is displayed:

Diag pages are currently disabled. Please contact your Oracle Enterprise Repository Administrator.

To enable the Diagnostics page, the diagPagesEnabled VM argument must be set to true when the system is started.

It is recommended that you enable the Diagnostics page only when necessary and disable it again once the system is running without any issues.
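As an added example (not part of the Oracle documentation or tooling), the following shell check scans startup options for the two switches described above and reports the values that weaken the defaults. It assumes both switches are passed as -D system properties; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit JVM startup options for the two switches named in this chapter.
# Assumption: both are supplied as -D system properties (for example in JAVA_OPTIONS).

# last_value NAME TEXT: print, lower-cased, the value of the last -DNAME=... in TEXT.
# The last occurrence is treated as the effective one (assumption).
last_value() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')      # escape dots for sed
    printf '%s\n' "$2" |
        sed 's/^[[:space:]]*#.*//' |                # drop shell comment lines
        tr -s ' \t' '\n' | tr -d "\"'" |            # one token per line, quotes removed
        sed -n "s/^-D${pat}=//p" | tail -n 1 | tr 'A-Z' 'a-z'
}

# audit_jvm_args TEXT: print findings; return 1 if any risky setting is present.
audit_jvm_args() {
    rc=0
    if [ "$(last_value cmee.passwordencryption "$1")" = "false" ]; then
        echo "FINDING: cmee.passwordencryption=false, password encryption is disabled"
        rc=1
    fi
    if [ "$(last_value diagPagesEnabled "$1")" = "true" ]; then
        echo "FINDING: diagPagesEnabled=true, the Diagnostics page is enabled"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: neither risky setting found"
    fi
    return "$rc"
}

# Constructed sample of startup-script text, not taken from a real installation.
SAMPLE='# constructed sample
JAVA_OPTIONS="${JAVA_OPTIONS} -Xmx1024m -DdiagPagesEnabled=true"
# -Dcmee.passwordencryption=true
JAVA_OPTIONS="${JAVA_OPTIONS} -Dcmee.passwordencryption=FALSE"'

audit_jvm_args "$SAMPLE" || true
```

To audit a real installation, pass the text of the startup script or the Java process command line as the single argument.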

5.2 Generating Encrypted Passwords

You can encrypt passwords using either of two methods: the Oracle Enterprise Repository Diagnostics page or the password encryption tool. To generate encrypted passwords using the Diagnostics page, perform the following steps:

  1. Access the Oracle Enterprise Repository Diagnostics page.

    Navigate to http://host_name:port/application_name/diag/index.jsp (replace host_name with the appropriate location).

  2. Scroll down to the Tools section and click the Encrypt Strings for passwords link to launch the Password encryption page.

  3. Enter the clear text password into the String to Encrypt text box.

  4. Click the Submit Query button.

  5. Copy the resulting encrypted password string and paste it into the appropriate context or properties file(s).

The password encryption tool can be found at <ORACLE_HOME>/repositoryXXX/core/tools/solutions/11.1.1.x.0-OER-PasswordTools.zip. The 11.1.1.x.0-OER-PasswordTools.zip file contains two scripts, each in a Windows and a UNIX version:

  • encrypt.bat/encrypt.sh - encrypts the password elements of an XML configuration file

  • encryptpassword.bat/encryptpassword.sh - encrypts a single password from the command line


5.2.1 Requirements for Encrypted Passwords

The suggested uses of encrypted passwords are as follows:

  • In the database.properties file

    The connection password for the database.

  • The Ant task property file or build script

    The password the Oracle Enterprise Repository user will use at login.

  • In the Harvester HarvesterSettings.xml configuration file

    The password stored in the HarvesterSettings.xml file.

  • In the Oracle Registry Repository Exchange Utility configuration (orrxu.xml) file

    The password stored in the orrxu.xml file.

  • In the Oracle Enterprise Repository Workflow configuration (workflow.xml) file

    The password stored in the workflow.xml file.

5.2.2 Other Passwords

Other passwords in the system are encrypted automatically. This operation is invisible to the user. A number of fields stored in the properties files are encrypted by default, including:

  • ldap.bindPassword

  • enterprise.guest.password

  • cmee.wsaa.password

This encryption occurs when the properties are edited and saved. Automatic encryption of passwords during an upgrade script is unavailable at this time.

Passwords stored with the artifact stores are stored in the database in an encrypted format.

5.3 Encrypting the Configuration File Passwords

To ensure security, the passwords in the configuration files must be encrypted. You need to encrypt the configuration file passwords for the following:

5.3.1 Harvester Configuration File

To ensure security, the passwords in the Harvester configuration must be encrypted. The password encryption tool (encrypt.bat/encrypt.sh), which is distributed with Harvester, allows you to encrypt the passwords that are stored in the Harvester configuration (HarvesterSettings.xml) file.

  1. Navigate to the <Harvester Home> directory.

  2. From a command prompt, run the password encryption tool as follows:

    > encrypt.bat HarvesterSettings.xml HarvesterSettings.xml

    where

    HarvesterSettings.xml = the Harvester configuration file.

5.3.2 Exchange Utility Configuration File

For enhanced security, the password encryption tool (encrypt.bat/encrypt.sh) allows you to encrypt the passwords that are stored in the Oracle Registry Repository Exchange Utility configuration (orrxu.xml) file. The tool is packaged with the Exchange Utility kit and resides in the installation directory.

  1. Navigate to the <ExchangeUtility Tool Home> directory.

  2. From a command prompt, as shown in Figure 5-1, run the password encryption tool as follows:

    > encrypt.bat orrxu.xml orrxu.xml
    

    where:

    orrxu.xml = the Oracle Registry Repository Exchange Utility configuration file

    Figure 5-1 Encrypt Password Tool


    Figure 5-2 shows an example of how the password field appears before encryption.

    Figure 5-2 Example Image of Password Before Encryption


    Figure 5-3 shows an example of how the password field appears after you run the password encryption tool.

    Figure 5-3 Example Image of Password After Encryption


5.3.3 Workflow Configuration File

For enhanced security, the password encryption tool (encrypt.bat/encrypt.sh), which resides in the 11.1.1.X.0-OER-PasswordTools.zip file, allows you to encrypt the passwords that are stored in the Workflow configuration (workflow.xml) file.

  1. Navigate to the ORACLE_HOME/repositoryXXX/core/tools/solutions directory.

  2. Extract the 11.1.1.X.0-OER-PasswordTools.zip file to a directory and open a command prompt at this directory location.

  3. From the command prompt, run the password encryption tool as follows:

    > encrypt.bat workflow.xml workflow.xml
    

    where

    workflow.xml = the Workflow configuration file