Jump to content
  • This documentation is an older version of JasperReports Server Security Guide. View the latest documentation.

    warning-icon-ns.png.f1283e720a0259db10341df5c54c1d01.png

    As of JasperReports Server 7.5, all encryption in the server relies on cryptoghaphic keys stored in the server's keystore. For more information, see Key and Keystore Management.

    The configuration files and properties described in this section are no longer used by this feature. They are documented here only for legacy purposes.

    User passwords are stored along with user profiles in JasperReports Server's own private database. By default, password encryption is enabled and passwords are stored as cipher text in the database. With the following procedure, system administrators can turn user password encryption on or off or change the encryption algorithm and specify the salt key used to initiate the encryption algorithm.

    To Configure User Password Encryption:

    1. As a precaution, back up the server's private jasperserver database. To back up the default PostgreSQL database, go to the <js-install> directory and run the following command:

    pg_dump -U postgres jasperserver > js-backup.sql

    To back up DB2, Oracle, Microsoft SQL Server, and MySQL databases, refer to your database product documentation.

    2. Stop your application server. You should leave your database running.
    3. Export the entire contents of the repository, which includes user profiles and their passwords, with the following commands. Note that there are two dashes (--) in front of the command options:

    Windows:

    cd <js-install>buildomatic
    js-export.bat --everything --output-dir js-backup-catalog

    Linux:

    cd <js-install>/buildomatic
    js-export.sh --everything --output-dir js-backup-catalog

    In the export operation, passwords are decrypted using the existing user password ciphers and re-encrypted with the import-export encryption key. This is a separate encryption that ensures that passwords are never in plain text, even when exported. For more information, see “Import and Export” in the TIBCO JasperReports Server Administrator Guide.

    4. Edit the properties in the following table to configure different ciphers. Both the server and the import-export scripts access the user profiles and must be configured identically. Make the same changes in both files:

    User Password Encryption Configuration

    DEPRECATED User Password Encryption Configuration

    <jasperserver-pro-war>/WEB-INF/applicationContext-security.xml
    <js-install>/buildomatic/conf_source/iePro/applicationContext-security.xml

    Property

    Bean

    Description

    allowEncoding

    passwordEncoder

    With the default setting of true, user passwords are encrypted when stored. When false, user passwords are stored in clear text in JasperReports Server's private database. We do not recommend changing this setting.

    keyInPlainText

    passwordEncoder

    When true, the secretKey value is given as a plain text string. When false, the secretKey value is a numeric representation that can be parsed by Java's Integer.decode() method. By default, this setting is false, and the secretKey is in hexadecimal notation (0xAB).

    secretKey

    passwordEncoder

    This value is the salt used by the encryption algorithm to make encrypted values unique. This value can be a text string or a numeric representation depending on the value of keyInPlainText.

    secretKeyAlgorithm

    passwordEncoder

    The name of the algorithm used to process the key, by default DESede.

    cipher
    Transformation

    passwordEncoder

    The name of the cipher transformation used to encrypt passwords, by default DESede/CBC/ PKCS5Padding.

    warning-icon-ns_28x28.png.e8f12d7be2cbd38a7a3dcd0938362fef.png

    You should change the secretKey value so it's different from the default.

    The secretKey, secretKeyAlgorithm, and cipherTransformation properties must be consistent. For example, the secretKey must be 24 bytes long in hexadecimal notation or 24 characters in plain text for the default cipher (DESede/CBC/PKCS5Padding). Different algorithms expect different key lengths. For more information, see Java's javax.crypto documentation.

    5. Next, drop your existing jasperserver database, where the passwords had the old encoding, and recreate an empty jasperserver database. Follow the instructions for your database server:
         Dropping and Recreating the Database in PostgreSQL
         Dropping and Recreating the Database in MySQL
         Dropping and Recreating the Database in Oracle
         Dropping and Recreating in the Database in Microsoft SQL Server
    6. Import your exported repository contents with the following commands. The import operation will restore the contents of JasperReports Server's private database, including user profiles. As the user profiles are imported, the passwords are encrypted using the new cipher settings.

    Note that there are two dashes (--) in front of the command options:

    Windows:

    cd <js-install>buildomatic
    js-import.bat --input-dir js-backup-catalog

    Linux:

    cd <js-install>/buildomatic
    js-import.sh --input-dir js-backup-catalog

    During the import operation, passwords are decrypted with the import-export encryption key and then re-encrypted in the database with the new user password encryption settings. For more information, see “Setting the Import-Export Encryption Key” in the TIBCO JasperReports Server Administrator Guide.

    7. Use a database like the SQuirreL tool to check the contents of the JIUser table in the jasperserver database and verify that the password column values are encrypted.
    8. Restart your application server. Your database should already be running.
    9. Log into JasperReports Server to verify that encryption is working properly during the log in process.

    Dropping and Recreating the Database in PostgreSQL

    1. Change directory to <js-install>/buildomatic/install_resources/sql/postgresql.
    2. Start psql using an administrator account such as postgres:

    psql -U postgres

    3. Drop the jasperserver database, create a new one, and load the jasperserver schema:

    Dropping and Recreating the Database in MySQL

    1. Change directory to <js-install>/buildomatic/install_resources/sql/mysql.
    2. Log into your MySQL client:

    mysql -u root -p

    3. Drop the jasperserver database, create a new one, and load the jasperserver schema:

    Dropping and Recreating the Database in Oracle

    1. Change directory to <js-install>/buildomatic/install_resources/sql/oracle.
    2. Log into your SQLPlus client, for example:

    sqlplus sys/sys as sysdba

    3. Drop the jasperserver database, create a new one, and load the jasperserver schema:

    Dropping and Recreating in the Database in Microsoft SQL Server

    1. Change directory to <js-install>/buildomatic/install_resources/sql/sqlserver.
    2. Drop the jasperserver database, create a new one, and load the jasperserver schema using the SQLCMD utility:


    User Feedback

    Recommended Comments

    There are no comments to display.



    Guest
    This is now closed for further comments

×
×
  • Create New...