Encrypting User Passwords

User passwords are stored along with user profiles in JasperReports Server's own private database. By default, password encryption is enabled in JasperReports Server and passwords are stored as cipher text in the database. With the following procedure, system administrators can turn on or off user password encryption, or change the encryption algorithm and specify the salt key used to initiate the encryption algorithm.

To Configure User Password Encryption:

1. As a precaution, you must back up the server's private jasperserver database. To back up the default PostgreSQL database, go to the <js-install> directory and run the following command:

pg_dump -U postgres jasperserver > js-backup.sql

To back up DB2, Oracle, Microsoft SQL Server, and MySQL databases, refer to your database product documentation.

2. You can now stop your application server. You should leave your database running.
3. Export the entire contents of the repository, which includes user profiles and their passwords, with the following commands. Note that there are two dashes (--) in front of the command options:

Windows:

cd <js-install>\buildomatic
js-export.bat --everything --output-dir js-backup-catalog

Linux:

cd <js-install>/buildomatic
js-export.sh --everything --output-dir js-backup-catalog

In the export operation, passwords are decrypted using the existing user password ciphers and re-encrypted with the import-export encryption key. This is a separate encryption that ensures that passwords are never in plain text, even when exported. For more information, see Setting the Import-Export Encryption Key.

4. Edit the properties in the following table to configure different ciphers. Both the server and the import-export scripts access the user profiles and must be configured identically. Make the same changes in both files:

User Password Encryption Configuration

Configuration Files:

<jasperserver-pro-war>/WEB-INF/applicationContext-security.xml
<js-install>/buildomatic/conf_source/iePro/applicationContext-security.xml

| Property | Bean | Description |
|---|---|---|
| allowEncoding | passwordEncoder | With the default setting of true, user passwords are encrypted when stored. When false, user passwords are stored in clear text in JasperReports Server's private database. Jaspersoft does not recommend changing this setting. |
| keyInPlainText | passwordEncoder | When true, the secretKey value is given as a plain text string. When false, the secretKey value is a numeric representation that can be parsed by Java's Integer.decode() method. By default, this setting is false, and the secretKey is in hexadecimal notation (0xAB). |
| secretKey | passwordEncoder | This value is the salt used by the encryption algorithm to make encrypted values unique. This value can be a text string or a numeric representation depending on the value of keyInPlainText. |
| secretKeyAlgorithm | passwordEncoder | The name of the algorithm used to process the key, by default DESede. |
| cipherTransformation | passwordEncoder | The name of the cipher transformation used to encrypt passwords, by default DESede/CBC/PKCS5Padding. |

You should change the secretKey value so that it is different from the default.

The secretKey, secretKeyAlgorithm, and cipherTransformation properties must be consistent with each other. For example, the secretKey must be 24 bytes long in hexadecimal notation or 24 characters in plain text for the default cipher (DESede/CBC/PKCS5Padding). Different algorithms expect different key lengths. For more information, see Java's javax.crypto documentation.

5. Next, drop your existing jasperserver database, where the passwords had the old encoding, and recreate an empty jasperserver database. Follow the instructions for your database server:
     Dropping and Recreating the Database in PostgreSQL
     Dropping and Recreating the Database in MySQL
     Dropping and Recreating the Database in Oracle
     Dropping and Recreating the Database in Microsoft SQL Server
6. Import your exported repository contents with the following commands. The import operation will restore the contents of JasperReports Server's private database, including user profiles. As the user profiles are imported, the passwords are encrypted using the new cipher settings.

Note that there are two dashes (--) in front of the command options:

Windows:

cd <js-install>\buildomatic
js-import.bat --input-dir js-backup-catalog

Linux:

cd <js-install>/buildomatic
js-import.sh --input-dir js-backup-catalog

During the import operation, passwords are decrypted with the import-export encryption key and then re-encrypted in the database with the new user password encryption settings. For more information, see Setting the Import-Export Encryption Key.

7. Using a database client such as the SQuirreL tool, check the contents of the JIUser table in the jasperserver database and verify that the password column values are encrypted.
8. Restart your application server. Your database should already be running.
9. Log into JasperReports Server to verify that encryption is working properly during the log in process.
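
The consistency rules in step 4 can be checked before the database is dropped in step 5. The following Python check is an added example, not part of JasperReports Server or its documentation. The bean layout in the constructed sample, the whitespace-separated secretKey format and the AES key sizes are assumptions that go beyond the page.

```python
import xml.etree.ElementTree as ET

# Key sizes in bytes: DESede per the page; AES sizes are the standard ones.
KEY_BYTES = {"DESede": {24}, "AES": {16, 24, 32}}

# Constructed sample: the bean layout and key value are assumptions, not shipped config.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
 <bean id="passwordEncoder">
  <property name="allowEncoding" value="true"/>
  <property name="keyInPlainText" value="false"/>
  <property name="secretKey" value="{key}"/>
  <property name="secretKeyAlgorithm" value="DESede"/>
  <property name="cipherTransformation" value="DESede/CBC/PKCS5Padding"/>
 </bean>
</beans>"""
KEY_24 = " ".join(f"0x{b:02X}" for b in range(1, 25))  # constructed 24-byte key

def encoder_props(xml_text):
    """Return {property name: value} for the bean with id 'passwordEncoder'."""
    props = {}
    for bean in ET.fromstring(xml_text).findall(".//{*}bean"):
        if bean.get("id") == "passwordEncoder":
            for p in bean.findall("{*}property"):
                # Accept value="..." attributes and nested <value> elements.
                props[p.get("name")] = (p.get("value") or "".join(p.itertext())).strip()
    return props

def key_bytes(props):
    """Decode secretKey as keyInPlainText dictates."""
    if props.get("keyInPlainText", "false").lower() == "true":
        return props["secretKey"].encode("utf-8")
    # Assumed layout: whitespace-separated byte values in 0xAB or decimal form.
    return bytes(int(tok, 0) for tok in props["secretKey"].split())

def check(server_xml, import_export_xml):
    """Return a list of problems; an empty list means the settings are consistent."""
    srv, ie = encoder_props(server_xml), encoder_props(import_export_xml)
    problems = [f"{k} differs between the two files"
                for k in sorted(srv.keys() | ie.keys()) if srv.get(k) != ie.get(k)]
    if srv.get("allowEncoding", "true").lower() != "true":
        problems.append("allowEncoding is not true")
    algo = srv.get("secretKeyAlgorithm", "DESede")
    if srv.get("cipherTransformation", "DESede/CBC/PKCS5Padding").split("/")[0] != algo:
        problems.append("cipherTransformation does not match secretKeyAlgorithm")
    n = len(key_bytes(srv))
    if algo in KEY_BYTES and n not in KEY_BYTES[algo]:
        problems.append(f"secretKey is {n} bytes, {algo} needs {sorted(KEY_BYTES[algo])}")
    return problems
print(check(SAMPLE.format(key=KEY_24), SAMPLE.format(key=KEY_24)))
```

To use it on a real installation, pass the text of the two applicationContext-security.xml files listed in step 4 to check() in place of the constructed sample.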

Dropping and Recreating the Database in PostgreSQL

1. Change directory to <js-install>/buildomatic/install_resources/sql/postgresql.
2. Start psql using an administrator account such as postgres:

psql -U postgres

3. Drop the jasperserver database, create a new one, and load the jasperserver schema:

drop database jasperserver;
create database jasperserver encoding='utf8';
\c jasperserver
\i js-pro-create.ddl
\i quartz.ddl

Dropping and Recreating the Database in MySQL

1. Change directory to <js-install>/buildomatic/install_resources/sql/mysql.
2. Log into your MySQL client:

mysql -u root -p

3. Drop the jasperserver database, create a new one, and load the jasperserver schema:

mysql>drop database jasperserver;
mysql>create database jasperserver character set utf8;
mysql>use jasperserver;
mysql>source js-pro-create.ddl;
mysql>source quartz.ddl;

Dropping and Recreating the Database in Oracle

1. Change directory to <js-install>/buildomatic/install_resources/sql/oracle.
2. Log into your SQLPlus client, for example:

sqlplus sys/sys as sysdba

3. Drop the jasperserver database, create a new one, and load the jasperserver schema:

SQL> drop user jasperserver cascade;
SQL> create user jasperserver identified by password;
SQL> connect jasperserver/password
SQL> @js-pro-create.ddl
SQL> @quartz.ddl

Dropping and Recreating the Database in Microsoft SQL Server

1. Change directory to <js-install>/buildomatic/install_resources/sql/sqlserver.
2. Drop the jasperserver database, create a new one, and load the jasperserver schema using the SQLCMD utility:

cd <js-install>\buildomatic\install_resources\sql\sqlserver
sqlcmd -S ServerName -Usa -Psa
1> DROP DATABASE [jasperserver]
2> GO
1> CREATE DATABASE [jasperserver]
2> GO
1> USE [jasperserver]
2> GO
1> :r js-pro-create.ddl
2> GO
1> :r quartz.ddl
2> GO