Securing passwords

The master passphrase is used to generate a password-based encryption (PBE) key that encrypts the value of sensitive properties that are stored in a Global Mailbox database.

Sensitive properties that determine the configurations for each application and replication server are stored in the application and replication server records:
  • Sterling B2B Integrator server
  • WebSphere® MQ server
  • Replication server

Each application and replication server has its own record, and these records are stored on the database. The Global Mailbox administrator password is sent in clear text to the server during log in, so the log in panel must only be accessed by using HTTPS (SSL/TLS).

The sensitive properties that are stored in each application and replication server record are encrypted with a randomly generated, Advanced Encryption Standard (AES) key. Each application and replication server has its own AES encryption key, which is generated when the application or replication server record is first created. The records are stored in the distributed system database.

The server record encryption key is stored as a Java™ JCEKS keystore blob, in a column of the server record. Each server record encryption key is encrypted with a random alphanumeric password. The password for each encryption key is stored in a table in the database. A master passphrase encrypts the password with a PBE key.

The master passphrase is created during installation of the first data center in the Global Mailbox system and is stored as the property com.ibm.mailbox.master.passphrase in the global.properties file. The global.properties file is protected by operating system permissions. All nodes in each data center of the Global Mailbox system use the same the master passphrase.

Important: The master passphrase cannot be changed by manually editing the global.properties file, and must be changed with the command-line utility masterPassphrase set.

During the installation of a new data center, the Installation Manager copies the global.properties file from the first configured data center into the new data center. It is not necessary to run the masterPassphrase set utility to set the master passphrase on subsequent data centers since the master passphrase was created for the first data center. The master passphrase is read from the replicated global.properties file by the new data center.

If you change the master passphrase, do not register a new application, add a replication server, or provision storage while the masterPassphrase set utility is running, or before global.properties replicates to all data centers.

When a server is added to the distributed system while the masterPassphrase set utility is running, the server record encryption key might be encrypted with the previous master passphrase. If a server record encryption key is encrypted with the previous master passphrase, the sensitive properties from that server record cannot be decrypted. As a result, all data that was encrypted with that server record key becomes unrecoverable.

If one of the following scenarios occurs, and the master passphrase is unknown, all sensitive data cannot be decrypted and is unrecoverable:
  • The com.ibm.mailbox.master.passphrase property is deleted from the global.properties file.
  • The com.ibm.mailbox.master.passphrase property becomes corrupted.
  • The global.properties file is deleted.
If the master passphrase is known, the administrator can reenter the master passphrase into global.properties, and the data can be recovered.