User passwords are stored along with user profiles in JasperReports Server's own private database. By default, password encryption is enabled and passwords are stored as cipher text in the database. With the following procedure, system administrators can turn user password encryption on or off or change the encryption algorithm and specify the salt key used to initiate the encryption algorithm.
To Configure User Password Encryption:
1. As a precaution, back up the server's private jasperserver database. To back up the default PostgreSQL database, go to the <js-install> directory and run the following command:
pg_dump -U postgres jasperserver > js-backup.sql
To back up DB2, Oracle, Microsoft SQL Server, and MySQL databases, refer to your database product documentation.
2. Stop your application server. You should leave your database running.
3. Export the entire contents of the repository, which includes user profiles and their passwords, with the following commands. Note that there are two dashes (--) in front of the command options:
Windows: cd <js-install>\buildomatic
Linux: cd <js-install>/buildomatic
In the export operation, passwords are decrypted using the existing user password ciphers and re-encrypted with the import-export encryption key. This is a separate encryption that ensures that passwords are never in plain text, even when exported. For more information, see “Import and Export” in the JasperReports Server Administrator Guide.
4. Edit the properties in the following table to configure different ciphers. Both the server and the import-export scripts access the user profiles and must be configured identically. Make the same changes in both files:
User Password Encryption Configuration
Configuration Files:
<jasperserver-pro-war>/WEB-INF/applicationContext-security.xml
<js-install>/buildomatic/conf_source/iePro/applicationContext-security.xml
Property | Bean | Description
allowEncoding | passwordEncoder | With the default setting of true, user passwords are encrypted when stored. When false, user passwords are stored in clear text in JasperReports Server's private database. We do not recommend changing this setting.
keyInPlainText | passwordEncoder | When true, the secretKey value is given as a plain text string. When false, the secretKey value is a numeric representation that can be parsed by Java's Integer.decode() method. By default, this setting is false, and the secretKey is in hexadecimal notation (0xAB).
secretKey | passwordEncoder | This value is the salt used by the encryption algorithm to make encrypted values unique. This value can be a text string or a numeric representation depending on the value of keyInPlainText.
secretKeyAlgorithm | passwordEncoder | The name of the algorithm used to process the key, by default DESede.
cipherTransformation | passwordEncoder | The name of the cipher transformation used to encrypt passwords, by default DESede/CBC/PKCS5Padding.
You should change the secretKey value so it's different from the default.
The secretKey, secretKeyAlgorithm, and cipherTransformation properties must be consistent. For example, the secretKey must be 24 bytes long in hexadecimal notation or 24 characters in plain text for the default cipher (DESede/CBC/PKCS5Padding). Different algorithms expect different key lengths. For more information, see Java's javax.crypto documentation.
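The two requirements in step 4 (both copies of applicationContext-security.xml configured identically, and secretKey/secretKeyAlgorithm/cipherTransformation consistent with each other) are easy to get wrong by hand, so here is a small checker to run before dropping the database. This is an added example, not code from the JasperReports Server product or its documentation: it assumes the passwordEncoder bean is declared in Spring's `<bean id="passwordEncoder">` form with `<property name="..." value="..."/>` children (the bean class name below is a placeholder), the sample XML is constructed, and the AES entry in the key-length table is an assumed extension beyond the page's DESede default.

```python
"""Consistency check for JasperReports Server user-password-encryption settings.

Added example, not code from the JasperReports Server product or its
documentation. It reads the passwordEncoder bean from the two Spring bean XML
files named in the procedure, confirms both copies carry identical settings,
and checks that the secretKey length fits the configured cipher. The XML
embedded below is constructed sample input; the bean class name is a
placeholder, and the Spring <property name=".." value=".."/> form is assumed.
"""
import xml.etree.ElementTree as ET

# Key lengths (bytes) accepted per secretKeyAlgorithm. DESede is the page's
# default; AES is an assumed extension to show that other algorithms differ.
KEY_LENGTHS = {"DESede": {24}, "AES": {16, 24, 32}}

PROPS = ("allowEncoding", "keyInPlainText", "secretKey",
         "secretKeyAlgorithm", "cipherTransformation")


def local(tag):
    """Strip an XML namespace: '{http://...}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def prop_value(prop):
    """Value of a Spring <property>, given as an attribute or a <value> child."""
    if prop.get("value") is not None:
        return prop.get("value")
    for child in prop:
        if local(child.tag) == "value":
            return (child.text or "").strip()
    return None


def read_password_encoder(xml_text):
    """Return {property name: value} for the bean with id="passwordEncoder"."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "bean" and el.get("id") == "passwordEncoder":
            return {p.get("name"): prop_value(p)
                    for p in el
                    if local(p.tag) == "property" and p.get("name") in PROPS}
    raise ValueError("no passwordEncoder bean found")


def key_length_bytes(cfg):
    """Length of secretKey in bytes, honouring keyInPlainText."""
    key = cfg["secretKey"]
    if cfg.get("keyInPlainText", "false").lower() == "true":
        return len(key.encode("utf-8"))
    # Numeric form: the page's default is hexadecimal such as 0xAB.
    digits = key[2:] if key.lower().startswith("0x") else key
    if len(digits) % 2 or not all(c in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"secretKey is not valid hexadecimal: {key!r}")
    return len(digits) // 2


def check_config(cfg):
    """Findings for one file; an empty list means the settings are consistent."""
    findings = []
    if cfg.get("allowEncoding", "true").lower() != "true":
        findings.append("allowEncoding is not true: passwords would be stored in clear text")
    alg = cfg.get("secretKeyAlgorithm", "DESede")
    xform = cfg.get("cipherTransformation", "")
    if xform.split("/")[0] != alg:
        findings.append(f"cipherTransformation {xform!r} does not match secretKeyAlgorithm {alg!r}")
    try:
        n = key_length_bytes(cfg)
    except (KeyError, ValueError) as exc:
        return findings + [f"secretKey unusable: {exc}"]
    expected = KEY_LENGTHS.get(alg)
    if expected is None:
        findings.append(f"unknown algorithm {alg!r}: verify the key length against javax.crypto docs")
    elif n not in expected:
        findings.append(f"secretKey is {n} bytes; {alg} expects one of {sorted(expected)}")
    return findings


def compare_files(server_xml, import_export_xml):
    """Findings for the server copy plus every property that differs between the copies."""
    server = read_password_encoder(server_xml)
    other = read_password_encoder(import_export_xml)
    findings = check_config(server)
    for name in PROPS:
        if server.get(name) != other.get(name):
            findings.append(f"{name} differs: server={server.get(name)!r} "
                            f"import-export={other.get(name)!r}")
    return findings


# Constructed sample files. The 48 hex digits encode a 24-byte DESede key.
SERVER_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="passwordEncoder" class="example.PlaceholderPasswordEncoder">
    <property name="allowEncoding" value="true"/>
    <property name="keyInPlainText" value="false"/>
    <property name="secretKey" value="0x0123456789abcdef0123456789abcdef0123456789abcdef"/>
    <property name="secretKeyAlgorithm" value="DESede"/>
    <property name="cipherTransformation" value="DESede/CBC/PKCS5Padding"/>
  </bean>
</beans>"""

# Import-export copy that was edited inconsistently: a plain-text key of 9 bytes.
IMPORT_EXPORT_XML = SERVER_XML.replace(
    '<property name="keyInPlainText" value="false"/>',
    '<property name="keyInPlainText" value="true"/>').replace(
    'value="0x0123456789abcdef0123456789abcdef0123456789abcdef"',
    'value="change-me"')

if __name__ == "__main__":
    for line in compare_files(SERVER_XML, IMPORT_EXPORT_XML) or ["no findings"]:
        print(line)
```

Point `compare_files` at the server copy under `<jasperserver-pro-war>/WEB-INF/` and the copy under `<js-install>/buildomatic/conf_source/iePro/` (read both with `open(...).read()`); any non-empty result means step 4 is not finished, and the import in step 6 would encrypt the restored passwords with settings the server cannot use.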
5. Next, drop your existing jasperserver database, where the passwords had the old encoding, and recreate an empty jasperserver database. Follow the instructions for your database server:
• Dropping and Recreating the Database in PostgreSQL
• Dropping and Recreating the Database in MySQL
• Dropping and Recreating the Database in Oracle
• Dropping and Recreating the Database in Microsoft SQL Server
6. Import your exported repository contents with the following commands. The import operation will restore the contents of JasperReports Server's private database, including user profiles. As the user profiles are imported, the passwords are encrypted using the new cipher settings.
Note that there are two dashes (--) in front of the command options:
Windows: cd <js-install>\buildomatic
Linux: cd <js-install>/buildomatic
During the import operation, passwords are decrypted with the import-export encryption key and then re-encrypted in the database with the new user password encryption settings. For more information, see “Setting the Import-Export Encryption Key” in the JasperReports Server Administrator Guide.
7. Use a database client such as the SQuirreL tool to check the contents of the JIUser table in the jasperserver database and verify that the password column values are encrypted.
8. Restart your application server. Your database should already be running.
9. Log into JasperReports Server to verify that encryption is working properly during the login process.
Dropping and Recreating the Database in PostgreSQL
1. Change directory to <js-install>/buildomatic/install_resources/sql/postgresql.
2. Start psql using an administrator account such as postgres:
psql -U postgres
3. Drop the jasperserver database, create a new one, and load the jasperserver schema:
Dropping and Recreating the Database in MySQL
1. Change directory to <js-install>/buildomatic/install_resources/sql/mysql.
2. Log into your MySQL client:
mysql -u root -p
3. Drop the jasperserver database, create a new one, and load the jasperserver schema:
Dropping and Recreating the Database in Oracle
1. Change directory to <js-install>/buildomatic/install_resources/sql/oracle.
2. Log into your SQLPlus client, for example:
sqlplus sys/sys as sysdba
3. Drop the jasperserver database, create a new one, and load the jasperserver schema:
Dropping and Recreating the Database in Microsoft SQL Server
1. Change directory to <js-install>/buildomatic/install_resources/sql/sqlserver.
2. Drop the jasperserver database, create a new one, and load the jasperserver schema using the SQLCMD utility: