<img alt="Liferay" height="36" src="http://cdn.www.liferay.com/osb-www-theme/images/custom/heading.png" width="146" />

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Hi,

I am using JBOSS-Tomcat Application Server bundle of Liferay 5.2.3. I have currently configured this Liferay Jboss-Tomcat bundle to work with MySQL. Now, since the MySQL connection information (e.g. DB URL, Username, Password) are stored in the portal-ext.properties file in Liferay, I want the password to be in the encrypted form, so that it is not readable. Is it possibble? How can I do this?

Anybody is having any idea?

Thanks in advance.

RE: To encrypt the DB password in portal-ext properties file of the server

March 11, 2010 9:21 PM

Answer

Sandeep Nair

Rank: Liferay Legend

Posts: 1671

Join Date: November 5, 2008

Hi,

Check portal.properties

By default the encryption used for passord is SHA

1##
2## Passwords
3##
4
5 #
6 # Set the following encryption algorithm to encrypt passwords. The default
7 # algorithm is SHA (SHA-1). If set to NONE, passwords are stored in the
8 # database as plain text. The SHA-512 algorithm is currently unsupported.
9 #
10 #passwords.encryption.algorithm=CRYPT
11 #passwords.encryption.algorithm=MD2
12 #passwords.encryption.algorithm=MD5
13 #passwords.encryption.algorithm=NONE
14 passwords.encryption.algorithm=SHA
15 #passwords.encryption.algorithm=SHA-256
16 #passwords.encryption.algorithm=SHA-384
17 #passwords.encryption.algorithm=SSHA

You can override it by specifying it in portal-ext.properties

Regards,
Sandeep

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 5, 2010 9:46 AM

Answer

Derek Nerenberg

Rank: Junior Member

Posts: 39

Join Date: May 8, 2006

What about the passwords for the database that are stored directly in the portal-ext.properties file?

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 5, 2010 10:23 PM

Answer

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Anybody having any idea for this question.

My question is: If we have specified URL, UserName and Password for the MySql DB for Liferay in the portal-ext.properties file, how can we put the password in encrypted form, so that server can read that password and correspondingly load the Liferay DB.

Basically, putting the password in plain text in the portal-ext.properties file is not a good idea due to the security reasons.

Thanks.

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 5, 2010 10:32 PM

Answer

Sandeep Nair

Rank: Liferay Legend

Posts: 1671

Join Date: November 5, 2008

Hi,

So you mean database password. Well there is no way to do that i think. As far as security is considered portal-ext.properties is placed under WEB-INF/classes folder. Files under the WEB-INF directory cannot be directly accessed.

Regards,
Sandeep

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 5, 2010 10:44 PM

Answer

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Hi Sandeep,

Thanks for reply.

However, you are fully right that the file once placed in WEB-INF/classes will not be directly accessed, however anybody can browse the folders in the Liferay bundle and go to the WEB-INF/classes and see the password and can in turn access the DB with that password.

Can we avoid such circumstances?

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 5, 2010 11:33 PM

Answer

Pravin Pawar

Rank: Junior Member

Posts: 59

Join Date: November 17, 2009

Hi,

You can use Jasypt (Java Simplified Encryption). Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.

Refer Encrypting application configuration files

But for this you have to understand the Liferay core code. The code related to getting the jdbc connection using the jdbc.default.username and jdbc.default.password properties.

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 5, 2010 11:39 PM

Answer

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Hi Pravin,

Thanks for reply.

But, I think it is cumbersome to dig the liferay code to simulate the Password encryption/decryption in portal-ext.properties. Do you have any idea, If we set password in encrypted form in portal-ext.properties file, how the Liferay will decrypt the password and load the DB.

Thanks again.

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 6, 2010 12:01 AM

Answer

Pravin Pawar

Rank: Junior Member

Posts: 59

Join Date: November 17, 2009

Yes I have implemented this some time before with Liferay CE 5.2.1 release. Right now I don't have that code with me. I have modify the code related to DataSource and build portal-impl related part only. For deployment we just replace the portal-impl.jar from tomcat bundle & it's working fine.

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

April 6, 2010 12:32 AM

Answer

Manish Kumar Gupta

LIFERAY STAFF

Rank: Liferay Master

Posts: 535

Join Date: May 15, 2008

If security is your concern, you can use JBoss to create JNDI datasource for you databse connection and specify that JNDI name in ext-properties.

If you are using unix OS, you can give read only permission on portal-ext to app-server-user only.

Finally, if you are not really happy with above 2 approach, See http://issues.liferay.com/browse/LPS-4336 for encoding the password.

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

December 6, 2011 3:23 AM

Answer

MICHAIL MOUDATSOS

Rank: Regular Member

Posts: 106

Join Date: October 4, 2011

Manish Kumar Gupta:

See http://issues.liferay.com/browse/LPS-4336 for encoding the password.

Is it possible to implement the solution provided there (provided code solution) using an ext plugin, rather than modifying Liferay source code and rebuilding the distribution portal-impl.jar, which is the documented approach (if I understood correctly, that is)

(Or is there some problem concerning when plugins are loaded and executed with respect to the execution time of the provided code?)

Thank you in advance!

Mark as an Answer

RE: To encrypt the DB password in portal-ext properties file of the server

December 9, 2011 5:45 AM

Answer

MICHAIL MOUDATSOS

Rank: Regular Member

Posts: 106

Join Date: October 4, 2011

OK, after some trial and error my first impression that an ext plugin would not work because it woud be run later than the time needed, was correct, so I had to change the source code and rebuild using provided ant scripts (thankfully!). Since the http://issues.liferay.com/browse/LPS-4336 link corresponds to an earlier version of Liferay I thought it would be usefull to present an approach. The modification concerns the file com.liferay.portal.dao.jdbc.util.DataSourceFactoryBean of the porta-impl.jar:

1
2 [url=http://issues.liferay.com/browse/LPS-4336][/url]
3public DataSource createInstance() throws Exception {
4       Properties properties = _properties;
5
6       if (properties == null) {
7          properties = PropsUtil.getProperties(_propertyPrefix, true);
8       }
9       else {
10          properties = PropertiesUtil.getProperties(
11             properties, _propertyPrefix, true);
12       }
13
14       Properties defaultProperties = PropsUtil.getProperties(
15          "jdbc.default.", true);
16
17       /**
18       * Overriding code: begin
19       */
20
21       Enumeration<String> propEnum = (Enumeration<String>)defaultProperties.propertyNames();
22
23       while(propEnum.hasMoreElements())
24       {
25          String key = propEnum.nextElement();
26
27          if(key.equalsIgnoreCase("password"))
28          {
29             /*Property jdbc.default.encrypted.password enables one to define whether the provided password is encrypted or not*/
30             boolean isEncrypted = GetterUtil.getBoolean(defaultProperties.getProperty("encrypted.password"));
31
32             if(isEncrypted)
33             {
34                   String value = defaultProperties.getProperty(key);
35                   Base64 base64 = new Base64();
36                   byte[] bytesArray = base64.decode(value.getBytes());
37                   value = new String(bytesArray);
38                   /*Set the password property in the property member field since it is the one to be taken into account*/
39                   properties.setProperty(key, value);
40             }
41          }
42       }
43
44       /**
45       * Overriding code: end
46       */
47
48       PropertiesUtil.merge(defaultProperties, properties);
49
50       properties = defaultProperties;
51//...
52//code continues...

The code part between the two "Overriding code" comments is actually an addition. Nothing was overwritten/removed. The encryption approach follows the one provided in the link of previous post. It is more like an encoding rather than a sophisticated encryption. One can replace with its own encryption choice.

I forgot to add that in this particular case the following fragment of code is sufficient to create an encoding of your db password:

1       Base64 base64 = new Base64();
2       byte[] bytesArray = null;
3       String result = null;
4       bytesArray = base64.encode(password.getBytes());
5       result = new String(bytesArray);

result variable contains the encoded password. Print it and assign it to jdbc.default.password property in portal-ext.properties