Components that are required to authenticate against a database or another repository need to have user credentials specified in configuration files. Such sensitive information must be encrypted so that the actual value of the password is known only at runtime, protecting Aspire from potential malicious attacks.
In general, when using pre-packaged applications and the standard Aspire Admin interface (i.e. http://localhost:50505), all password encryption will be handled automatically. All passwords will be encrypted when stored in the relational database or in configuration files on disk.
Create the Master Password

All password encryption / decryption is based on a main key. Use the following steps to create a new random main key:
Note: If you skip this step, all of the encryption on Aspire will use the default main key, which comes with all Aspire distributions. All of your encrypted passwords will be exposed, because they can be decrypted in any other Aspire distribution. Using your own main key is extremely important to prevent this exposure.
If you want to secure Aspire access to the Administration UI using the ConfigFile method, the best and most secure way is by encrypting the passwords. Complete the following steps.
Run bin/encryptPassword. When you use the optional "username" parameter, this script creates the passwords of the "administrator" and "developer" users, which are stored encrypted inside the settings.xml file.
Enable the ConfigFile authentication on the settings.xml file:
```xml
<authentication>
  <type>ConfigFile</type>
</authentication>
```
Note: UI passwords must comply with the policy rules described in UI Password Policy.
You always need to encrypt your password to the Aspire Maven repository. Also, if you are creating a custom application which requires password encryption, you may need to encrypt it. In both cases, use the "encryptPassword" script.

To use password encryption, complete the following steps.
By default, Aspire uses a secret pre-configured main key unless an administrator uses aspire.bat -create_mastergenerateMasterKeyFile to create a new one.
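The default-key exposure described in the note above and in the preceding paragraph, as an added example that is not Aspire's code: a value encrypted under a key shipped with every distribution decrypts on any other installation, while one encrypted under a randomly generated main key does not. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC), not Aspire's algorithm, and the key, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a key baked into every installer (not Aspire's real key).
DEFAULT_MAIN_KEY = b"constructed-default-key-shipped-in-every-install"

def _subkeys(main_key):
    # Derive independent encryption and MAC keys from the main key.
    enc = hmac.new(main_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(main_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode, truncated to the requested length.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_password(main_key, password):
    enc_key, mac_key = _subkeys(main_key)
    nonce = secrets.token_bytes(16)
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def decrypt_password(main_key, blob_hex):
    """Return the plaintext, or None if the blob was not produced under main_key."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(main_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def new_main_key():
    # A per-installation random main key, as the page recommends creating.
    return secrets.token_bytes(32)

if __name__ == "__main__":
    stored = encrypt_password(DEFAULT_MAIN_KEY, "db-s3cret")  # constructed sample password
    print("other install, default key:", decrypt_password(DEFAULT_MAIN_KEY, stored))
    site_key = new_main_key()
    stored = encrypt_password(site_key, "db-s3cret")
    print("other install, default key:", decrypt_password(DEFAULT_MAIN_KEY, stored))
    print("this install, site key:", decrypt_password(site_key, stored))
```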