Encrypt passwords in Transact files
Plain-text passwords should be encrypted in Transact files to increase security.
Note the following:
- Replace plain-text passwords manually in the Transact configuration files with the Transact password generated by the Password Encryption Utility.
- The passwords can be encrypted in server.xml (database passwords and LDAP/AD connection password), dcma-ftp properties, user-connectivity, etl-properties file under dcma-reporting, and applicationContext-security.xml (if using SAML SSO).
- User names can also be encrypted in a similar way.
- The encryption mechanism is similar for Windows and Linux environments.
Follow these general steps.
- Run the Encryptor.sh or Encryptor.bat file (Ephesoft\Application\native\encryption). It prompts for the plain-text password and converts it into encrypted text.
  Copy the encrypted password to be pasted where required. For more information about this process, see Encrypt password.
- Locate the files where you need to change plain-text passwords:
  - server.xml
  - user-connectivity (dcma-user-connectivity)
  - etl-properties (dcma-reporting)
  - ftp.properties (dcma-ftp)
- Open the dcma-encryption.properties file (Ephesoft Transact\Application\WEB-INF\classes\META-INF\dcma-encryption) and set the value for password.use_encryption and password.encrypt to true.
- Modify server.xml based on what password type you use.
  LDAP and AD password encryption:
  - Comment out <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>.
  - In the realm settings, change the Realm className from org.apache.catalina.realm.JNDIRealm to com.ephesoft.realm.EphesoftRealm, that is, <Realm className="com.ephesoft.realm.EphesoftRealm"/>.
  - Use the encrypted password generated for the connectionPassword property when you configure AD in the server.xml file.
  Database password encryption:
  Change the factory attribute in the Resource tag to com.zaxxer.hikari.encryption.EncryptedHikariJNDIFactory and provide the generated encrypted password in the datasource.password attribute.
  To ensure successful DB connections, all Oracle DB passwords in server.xml have to be enclosed in quotes (for example, dataSource.password=""Passw0rd""). When using Encryptor, make sure to provide only the password, without double quotes (for example, Passw0rd).
- Change the password parameter in dcma-ftp.
  By default, * (asterisk) is used in the password property, which may cause an error. If not using ftp, you can use any encrypted password in this property.
- Change the user name and password in the etl-variables.properties file (Ephesoft\Application\WEB-INF\classes\META-INF\dcma-reporting).
  It is important to encrypt both ephesoft.loginusername and ephesoft.loginpassword.
- After replacing the plain-text passwords, restart the Transact service.
Enable LDAP/AD password encryption
To enable password encryption, change the following files:
- Ephesoft\JavaAppServer\conf\server.xml
- Ephesoft\Application\WEB-INF\classes\META-INF\dcma-encryption.properties
- Ephesoft\Application\WEB-INF\classes\META-INF\dcma-user-connectivity\user-connectivity.properties
To enable password encryption for LDAP and AD:
- Change the className attribute in the <Realm … > tag in the server.xml file.
  By default, the className attribute in server.xml has the following value:
  <Realm className="org.apache.catalina.realm.JNDIRealm"/>
  Change the value to the following:
  <Realm className="com.ephesoft.realm.EphesoftRealm"/>
- Use an encrypted password for the connectionPassword attribute in the <Realm … > tag in the server.xml file.
  <Realm className="com.ephesoft.realm.EphesoftRealm" connectionPassword = "mzoanUU1UD0rc1PvexuAKw=="/>
- Turn on the password.use_encryption property in the dcma-encryption.properties file in the Ephesoft\Application\WEB-INF\classes\META-INF\dcma-encryption folder. Set the property as follows:
  password.use_encryption=true
- Use an encrypted password for the user.connectivity_password property in the dcma-userconnectivity.properties file. Set the property as follows:
  user.connectivity_password="mzoanUU1UD0rc1PvexuAKw=="
- Comment out the following line in the server.xml file by placing <!-- before it and --> after it:
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  Be sure not to comment out the </Realm> on the next line as that closes a previous realm and not this one.
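As an added example (not Ephesoft's own tooling), the following Python script checks server.xml and dcma-encryption.properties for the settings that the general steps and the LDAP/AD procedure above say must change. It assumes an LDAP/AD deployment; the function names, the sample XML, the resource name jdbc/sample and the factory org.example.PlainFactory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENCRYPTED_REALM = "com.ephesoft.realm.EphesoftRealm"
ENCRYPTED_FACTORY = "com.zaxxer.hikari.encryption.EncryptedHikariJNDIFactory"
PLAIN_REALMS = {"org.apache.catalina.realm.JNDIRealm",
                "org.apache.catalina.realm.UserDatabaseRealm"}

# Constructed sample (not from a real install): steps only partly applied.
SAMPLE_SERVER_XML = """<Server><GlobalNamingResources>
  <Resource name="jdbc/sample" factory="org.example.PlainFactory"
            dataSource.password="Passw0rd"/>
</GlobalNamingResources><Engine>
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/> -->
  </Realm>
  <Realm className="org.apache.catalina.realm.JNDIRealm" connectionPassword="Passw0rd"/>
</Engine></Server>"""

def audit_server_xml(xml_text):
    """List server.xml settings that still bypass password encryption."""
    findings = []
    # ElementTree drops comments, so commented-out realms are not reported.
    root = ET.fromstring(xml_text)
    for realm in root.iter("Realm"):
        cls = realm.get("className", "")
        if cls in PLAIN_REALMS:
            findings.append(f"active Realm {cls}")
        elif cls != ENCRYPTED_REALM and "connectionPassword" in realm.attrib:
            findings.append(f"connectionPassword on Realm {cls}")
    for res in root.iter("Resource"):
        # Only resources that carry a password attribute are in scope.
        has_pw = any(k.lower().endswith("password") for k in res.attrib)
        if has_pw and res.get("factory") != ENCRYPTED_FACTORY:
            findings.append(f"Resource {res.get('name')} lacks encrypted factory")
    return findings

def audit_encryption_properties(props_text):
    """Check both switches in dcma-encryption.properties are set to true."""
    props = {}
    for line in props_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().lower()
    wanted = ("password.use_encryption", "password.encrypt")
    return [f"{k} is not true" for k in wanted if props.get(k) != "true"]

if __name__ == "__main__":
    print(audit_server_xml(SAMPLE_SERVER_XML))
```

The check is structural only: it confirms the realm, factory and property switches are in place, but it cannot tell whether a password value is actually Encryptor output.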
Encrypt password
To encrypt passwords, make sure Encryptor.bat is available at this path:
<Transact-Installation-Folder>\Application\native\encryption\
Then follow these steps.
- Open the Command Prompt window and run Encryptor.bat.
  You are prompted to enter the password string that needs to be encrypted.
- Type the password and press Enter.
  The encrypted password appears in the Command Prompt window. Copy and paste it where needed.