Diff of en:software:tim:encryption_tim between the revision of 2018/06/25 13:59 by Philipp Deycke [E-Mail Configuration] and the revision of 2019/10/28 20:26 by wikiadmin; all lines below were added in the later revision.
==== Jboss encryption module and web frontend for TIM ====
------
The TIM encoder uses a JBoss module to encrypt secrets and to validate keys. The encryption is used, e.g., for database connections and third-party applications within the configuration files, so that sensitive values such as usernames and passwords are not stored in plain text.

To use this module the following steps need to be done:

  - Add the encoder.war of the TIM Encryption Webarchive
  - Modify the standalone-tim.xml
  - Generate a java key with the web interface or the console
  - Use encryption with TIM

==== Add the encoder.war of the TIM Encryption Webarchive ====
----
To enable TIM to encrypt usernames and passwords and to use those encrypted values, copy the encoder.war into the standalone\deployments folder of your %JBOSS_HOME%, e.g. C:\tim\jboss-eap-7.1\standalone\deployments. JBoss deploys it automatically on startup.

==== Modify the standalone-tim.xml ====
----
{{ :en:software:tim:encryption_datascource.png?800|}}
The corresponding changes are made in the //standalone.xml//. In the //datasource// subsystem, below your database definition, insert:
<code>
<security>
    <security-domain>secDomDS</security-domain>
</security>
</code>
as can be seen in the first screenshot.

In the //security// subsystem add:
<code>
<security-domain name="secDomDS" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.TimSecureIdentityLoginModule" flag="required">
            <module-option name="username" value="$enc$c5507593f47122e"/>
            <module-option name="password" value="$enc$-3c3702fd5f714bd0045dcdcdd12584c8"/>
        </login-module>
    </authentication>
</security-domain>
</code>
as can be seen in the screenshot below.

{{:en:software:tim:encryption_securitydomain.png?600|}}

==== Generating a java key with web-interface or console ====
-----
There are two ways to encrypt your credentials: via the web interface or via the console.

The module can be reached via the web interface, e.g. http://your_tim_url:port/encoder/ . To encrypt a secret, enter it in the text field and hit the //encrypt secret// button. To validate an encrypted secret, paste it into the corresponding text field and hit the //validate encrypted secret// button. This method can also be used to encrypt any other secret, e.g. in tim.properties.

{{:en:software:tim:encryption_encoder.png?600 |}}{{ :en:software:tim:encryption_encoder2.png?600 |}}

To encode your credentials via the console, use the following commands (the paths are relative to your %JBOSS_HOME%). The classpath is written with the Linux separator (:); on Windows, separate the two jars with ; instead.

To generate a key:
<code>
java -cp modules/system/layers/base/org/picketbox/main/tim-encoder-module.jar:modules/system/layers/base/org/picketbox/main/picketbox-4.1.1.Final-redhat-1.jar org.picketbox.datasource.security.TimSecureIdentityLoginModule '123'
</code>

To validate a password-key combination:
<code>
java -cp modules/system/layers/base/org/picketbox/main/tim-encoder-module.jar:modules/system/layers/base/org/picketbox/main/picketbox-4.1.1.Final-redhat-1.jar org.picketbox.datasource.security.TimSecureIdentityLoginModule '123' '$enc$b530c41fe274111'
</code>

To validate the key:
<code>
java -cp modules/system/layers/base/org/picketbox/main/tim-encoder-module.jar:modules/system/layers/base/org/picketbox/main/picketbox-4.1.1.Final-redhat-1.jar org.picketbox.datasource.security.TimSecureIdentityLoginModule '' '$enc$b530c41fe274111'
</code>

==== TIM Properties ====
-----
In //tim.properties//, credentials can be encrypted with the encoder or the console, and the resulting values replace the plain-text usernames and passwords. As an example, the image shows setting and editing the superuser and client-administrator passwords:

{{:en:software:tim:encryption_timproperties.png?400|}}

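Once the datasource has been delegated to the security domain and the properties have been switched over, it is easy to overlook a datasource that still carries an inline user-name/password, a security-domain name that is referenced but never defined, or a property that was never replaced. The following script is an added example, not part of the TIM documentation or the encoder module: it walks a standalone.xml in the datasource/security-domain layout of the section above (the namespace URIs, pool names and inline credentials in the embedded sample are constructed) and a tim.properties (the key names in the sample are placeholders, not TIM's real keys), and reports every credential that is not a $enc$ token.

```python
"""Audit TIM/JBoss configuration for credentials that are not $enc$ tokens.

Added example, not part of the TIM documentation or the encoder module. Assumed:
the datasource/security-domain layout of the page's standalone.xml snippets
(namespace URIs in the sample are constructed) and that a tim.properties key
ending in user/username/pass/password/secret holds a credential (the sample's
key names are placeholders, not TIM's real keys).
"""
import re
import xml.etree.ElementTree as ET

ENC_PREFIX = "$enc$"
LOGIN_MODULE = "org.picketbox.datasource.security.TimSecureIdentityLoginModule"

# Constructed sample: timDS is wired as the page describes, legacyDS still
# carries plaintext credentials inside the datasource itself.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:8.0"><profile>
<subsystem xmlns="urn:jboss:domain:datasources:5.0"><datasources>
  <datasource pool-name="timDS" jndi-name="java:/timDS">
    <security><security-domain>secDomDS</security-domain></security>
  </datasource>
  <datasource pool-name="legacyDS" jndi-name="java:/legacyDS">
    <security><user-name>tim</user-name><password>hunter2</password></security>
  </datasource>
</datasources></subsystem>
<subsystem xmlns="urn:jboss:domain:security:2.0"><security-domains>
  <security-domain name="secDomDS" cache-type="default"><authentication>
    <login-module code="org.picketbox.datasource.security.TimSecureIdentityLoginModule" flag="required">
      <module-option name="username" value="$enc$c5507593f47122e"/>
      <module-option name="password" value="$enc$-3c3702fd5f714bd0045dcdcdd12584c8"/>
    </login-module>
  </authentication></security-domain>
</security-domains></subsystem>
</profile></server>"""

# Constructed sample properties file; key names are placeholders.
SAMPLE_TIM_PROPERTIES = """# constructed sample
superuser.password=$enc$b530c41fe274111
clientadmin.password=changeme
smtp.user=$enc$c5507593f47122e
session.timeout=30
"""

CREDENTIAL_KEY = re.compile(r"(user|username|pass|password|secret)$", re.IGNORECASE)


def _local(tag):
    # Tag name without its namespace, so the subsystem schema version does not matter.
    return tag.rsplit("}", 1)[-1]


def _descendants(el, name):
    return [e for e in el.iter() if _local(e.tag) == name]


def audit_standalone_xml(xml_text):
    """Return findings; empty means every datasource delegates to a security
    domain whose TimSecureIdentityLoginModule options are $enc$ tokens."""
    root = ET.fromstring(xml_text)
    findings = []
    # Definitions carry a name attribute; the reference inside <security> does not.
    domains = {sd.get("name"): sd for sd in _descendants(root, "security-domain") if sd.get("name")}
    for ds in _descendants(root, "datasource"):
        pool = ds.get("pool-name", "?")
        sec = next(iter(_descendants(ds, "security")), None)
        if sec is None:
            findings.append(f"{pool}: no <security> element")
            continue
        for child in sec:  # inline credentials bypass the encoder entirely
            if _local(child.tag) in ("user-name", "password"):
                findings.append(f"{pool}: plaintext <{_local(child.tag)}> in datasource")
        ref = next(iter(_descendants(sec, "security-domain")), None)
        if ref is None:
            continue
        domain = domains.get((ref.text or "").strip())
        if domain is None:
            findings.append(f"{pool}: security-domain '{ref.text}' is not defined")
            continue
        for lm in _descendants(domain, "login-module"):
            if lm.get("code") != LOGIN_MODULE or lm.get("flag") != "required":
                findings.append(f"{pool}: login-module is not {LOGIN_MODULE} with flag=required")
            for opt in _descendants(lm, "module-option"):
                if opt.get("name") in ("username", "password") and not (opt.get("value") or "").startswith(ENC_PREFIX):
                    findings.append(f"{pool}: module-option '{opt.get('name')}' is not an $enc$ token")
    return findings


def audit_properties(text):
    """Flag credential-looking keys whose value is not an $enc$ token."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if CREDENTIAL_KEY.search(key) and not value.startswith(ENC_PREFIX):
            findings.append(f"line {lineno}: '{key}' holds a plaintext value")
    return findings


if __name__ == "__main__":
    for finding in audit_standalone_xml(SAMPLE_STANDALONE_XML) + audit_properties(SAMPLE_TIM_PROPERTIES):
        print(finding)
```

Run with python3 to see the findings for the embedded samples (legacyDS's inline user-name and password, and the clientadmin.password line); pass the contents of a real standalone.xml and tim.properties to audit_standalone_xml and audit_properties to check an installation. The same property check applies to the client's SmtpUser/SmtpPassword values. Note that the script only confirms a value has the $enc$ form; whether it decrypts against the installed key is what the console validate command above answers.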
==== E-Mail Configuration ====
-----
In the properties of the client, under the category //mail server//, are the parameters //SmtpUser// and //SmtpPassword//.

These credentials can be encrypted with the methods above, as shown in the example.
{{ :en:software:tim:encryption_mailserver.png?600 |}}

==== Actionhandler ====
-----
Action handlers such as HTTPRequestHandler or RunSqlScriptHandler use credentials that can be encrypted with the same methods. The example shows the RunSqlScriptHandler, where ${user} and ${pass} are passed on encrypted via the smartform:
{{:en:software:tim:encryption_runsqlscripthandler2.png?600 |}}{{ :en:software:tim:encryption_runsqlscripthandler.png?1000 |}}

==== Timer ====
-----
Just like for an //actionhandler//, TIM can encrypt the necessary credentials for a //timer// as well and hide them from plain text. The example shows the timer signalByMailReply:
{{ :en:software:tim:encryption_signal.png |}}