The content of the present concept applies to the versions 7.4 and 7.4 CI.
If using IS 7.4.6.1 or IS 7.4.6.2 you can use the information outlined below. In addition, you have to ensure that the corresponding files are excluded from any re-deployment. See Recipe: Keep Local Modifications in Cookbook - Gradle Deployment Tools (7.4 CI - ICM 7.7) for more detailed information on how to do this.
Be aware that IS 7.4.6.3 or later comes with Gradle Tools 2.0, which provides a new workflow. Please see Recipe: Encrypt Database Password in Cookbook - Gradle Deployment Tools (7.4 CI - ICM 7.7) for more detailed information on how to use Gradle Tools 2.0 for DB password encryption.
The password that is used for connecting the Intershop 7 application with an Oracle database is stored in the IS_SHARE/system/config/cluster/orm.properties file. This is the default location, though it is possible to change it. The password might be stored as plain text:
intershop.jdbc.user=INTERSHOP
intershop.jdbc.password=intershop
For some customers this is not acceptable because it does not comply with security best practices. Thus there is another option, namely to store the password encrypted:
intershop.jdbc.user=INTERSHOP
intershop.jdbc.password.encrypted=true
intershop.jdbc.password=standard@PBEWithMD5AndTripleDES:018Hal0LdnE=|ySHZl0aUnYOvM++n4Q1hNA==
Note
This approach does not provide unlimited security, since the key needed to decrypt the encrypted password is also stored in the shared file system, even though it is obfuscated. Anyone who has access to this key and knows the internals of the application server will be able to decrypt the password too. In addition, decrypting passwords has a performance cost.
For password decryption the standard encryption library shipped with IS7 is used. The following diagram illustrates the high-level details of the decryption process.
The default scheme used by the encryption library is PBEWithMD5AndTripleDES. The password for it is derived from the key in the key store.
Note
Every password derivation is salted with a securely generated random sequence. This provides semantic security. The Triple DES runs in CBC mode.
The features of the configuration framework are used to decrypt the database password. Thus the decryption process is transparent for any tool that uses the framework to read configurations. A special reader and finder that handle the password encryption are implemented and shipped with the core cartridge. These are configured in the central configuration file located in IS_SHARE\system\config\cluster\configuration.xml.
<?xml version="1.0" encoding="UTF-8"?>
<configuration-setup>
    ...
    <readers>
        ...
        <reader class="com.intershop.beehive.core.internal.configuration.reader.ConfigurationPasswordReader"/>
    </readers>
    ...
    <finders>
        ...
        <finder name="password" class="com.intershop.beehive.core.internal.configuration.finder.ConfigurationPasswordFileFinder" />
    </finders>
    ...
    <sets>
        ...
        <set finder="password" scope="cluster,server,domain" required="true" fileName="${IS_SHARE}/system/config/cluster/orm.properties" />
        ...
    </sets>
    ...
</configuration-setup>
Some external tools shipped with the product are adjusted to use the configuration framework. The Ant scripts in IS_HOME/tools/misc use a special task that decrypts the password. These scripts still do not fully utilize the configuration framework.
A small tool has been shipped in IS_SHARE/tools/misc. The system administrator may use it to generate an encrypted password and then copy and paste it into orm.properties. Example:
ES2|d:\eserver2\tools\misc>ant -Dpassword=intershop pwd-encrypt
Buildfile: d:\eserver2\tools\misc\build.xml

build.environment:

pwd-encrypt:

password.environment:

pwdencrypt:
     [echo] The encrypted password is: standard@PBEWithMD5AndTripleDES:xmgbyJN/vlg=|1JTy1iId+jzt7s6l0xMQMw==

BUILD SUCCESSFUL
Total time: 4 seconds
ES2|d:\eserver2\tools\misc>
Here the plain text password is intershop, while the encrypted one is standard@PBEWithMD5AndTripleDES:xmgbyJN/vlg=|1JTy1iId+jzt7s6l0xMQMw==. The encrypted password can be saved in orm.properties.
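As an added example (not Intershop's code and not part of the original page), the following Python script audits an orm.properties file the way an administrator would after following the steps above: it reports a plain-text intershop.jdbc.password, and for the encrypted form it checks that the value has the token shape seen in the two examples on this page. The layout assumed for that token, <key name>@<PBE scheme>:<base64 part>|<base64 part>, with the first part taken as the 8-byte salt and the second as the Triple-DES/CBC ciphertext, is an assumption inferred from the examples; the page does not document it, and the script only checks structure, it does not decrypt anything. The sample file contents are constructed for the example.

```python
import base64
import re

# Constructed samples of orm.properties in the two forms the page shows.
PLAIN_ORM_PROPERTIES = """\
intershop.jdbc.user=INTERSHOP
intershop.jdbc.password=intershop
"""

ENCRYPTED_ORM_PROPERTIES = """\
intershop.jdbc.user=INTERSHOP
intershop.jdbc.password.encrypted=true
intershop.jdbc.password=standard@PBEWithMD5AndTripleDES:018Hal0LdnE=|ySHZl0aUnYOvM++n4Q1hNA==
"""

# Assumed token layout (inferred from the page's examples, not documented by Intershop):
#   <key name>@<PBE scheme>:<base64 salt>|<base64 ciphertext>
TOKEN_RE = re.compile(
    r"^(?P<key_name>[^@]+)@(?P<scheme>[^:]+):(?P<part1>[^|]+)\|(?P<part2>.+)$"
)
EXPECTED_SCHEME = "PBEWithMD5AndTripleDES"
DES_BLOCK_SIZE = 8  # Triple DES works on 8-byte blocks, so CBC output is a multiple of 8


def parse_properties(text):
    """Minimal .properties parser: key=value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the FIRST '=' only: the encrypted token itself contains '=' padding.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_encrypted_token(token):
    """Split an encrypted password token into its parts and base64-decode them."""
    match = TOKEN_RE.match(token)
    if not match:
        raise ValueError("token does not match <key name>@<scheme>:<b64>|<b64>")
    salt = base64.b64decode(match.group("part1"), validate=True)
    ciphertext = base64.b64decode(match.group("part2"), validate=True)
    return {
        "key_name": match.group("key_name"),
        "scheme": match.group("scheme"),
        "salt": salt,
        "ciphertext": ciphertext,
    }


def audit_orm_properties(text):
    """Return a list of findings; an empty list means the file passed all checks."""
    props = parse_properties(text)
    password = props.get("intershop.jdbc.password")
    if password is None:
        return ["intershop.jdbc.password is not set"]

    encrypted = props.get("intershop.jdbc.password.encrypted", "false").lower() == "true"
    if not encrypted:
        return ["intershop.jdbc.password is stored in plain text"]

    try:
        parsed = parse_encrypted_token(password)
    except ValueError as exc:
        return [f"encrypted token is malformed: {exc}"]

    findings = []
    if parsed["scheme"] != EXPECTED_SCHEME:
        findings.append(f"unexpected PBE scheme {parsed['scheme']!r}")
    if len(parsed["salt"]) != 8:
        findings.append(f"salt is {len(parsed['salt'])} bytes, expected 8")
    if not parsed["ciphertext"] or len(parsed["ciphertext"]) % DES_BLOCK_SIZE:
        findings.append("ciphertext length is not a multiple of the 8-byte Triple-DES block")
    return findings


if __name__ == "__main__":
    for label, content in (("plain", PLAIN_ORM_PROPERTIES), ("encrypted", ENCRYPTED_ORM_PROPERTIES)):
        print(label, "->", audit_orm_properties(content) or "OK")
```

Run against a real file with audit_orm_properties(open(path).read()); a non-empty result is something to fix before deployment, and the plain-text finding is the one the encryption option on this page is meant to remove.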