Encrypt LDAP Passwords

You can hide LDAP-related passwords in property files by encrypting them in the customer_overrides.properties file.

The following parameters (properties) in the customer_overrides.properties file hold LDAP passwords and can be encrypted:

authentication_policy.authentication_1.credentials
    Governs the principal password necessary to access an LDAP instance. This should be secured, since no password that governs security and access should be exposed in plain text.

authentication_policy.LDAP_SECURITY_TRUSTSTORE_PASSWORD
    Governs the password for the trust store (JKS format) used for securing LDAP connections. The passphrase for this JKS must be supplied so that the trust store, which is an encrypted file, can be accessed.

authentication_policy.LDAP_SECURITY_KEYSTORE_PASSWORD
    Governs the key store password when client-based SSL authentication is used to secure connections to a given LDAP instance.

To encrypt LDAP passwords:

  1. Navigate to the bin directory.
  2. Run encrypt_string.sh (or encrypt_string.cmd) on the plaintext value of each property/parameter you want to encrypt to obtain its encrypted value.
  3. Update the parameters/properties in the customer_overrides.properties file so that it contains the following entries. Replace each <ENCVAL> with the encrypted value, produced by bin/encrypt_string.sh (or .cmd), of the non-encrypted string that is commented out for that property. For example:
    authentication_policy.LDAP_SECURITY_TRUSTSTORE=&INSTALL_DIR;/../woodstock2/com/sterlingcommerce/woodstock/security/units/cacerts
    # non-encrypted
    #authentication_policy.LDAP_SECURITY_TRUSTSTORE_PASSWORD=changeit
    # encrypted
    authentication_policy.LDAP_SECURITY_TRUSTSTORE_PASSWORD=<ENCVAL>
    authentication_policy.LDAP_SECURITY_KEYSTORE=&INSTALL_DIR;/../woodstock2/com/sterlingcommerce/woodstock/security/units/keystore
    # non-encrypted
    #authentication_policy.LDAP_SECURITY_KEYSTORE_PASSWORD=password
    # encrypted
    authentication_policy.LDAP_SECURITY_KEYSTORE_PASSWORD=<ENCVAL>
    authentication_policy.authentication_2.display_name=LDAP Server agrona 2
    authentication_policy.authentication_2.enabled=true
    authentication_policy.authentication_2.jndi_factory=com.sun.jndi.ldap.LdapCtxFactory
    authentication_policy.authentication_2.server=agrona.sci.local
    authentication_policy.authentication_2.port=18100
    authentication_policy.authentication_2.security_type=simple
    authentication_policy.authentication_2.principle=cn=Manager,dc=amr,dc=stercomm,dc=com
    # non-encrypted
    #authentication_policy.authentication_2.credentials=Sterling
    # encrypted
    authentication_policy.authentication_2.credentials=<ENCVAL>
    authentication_policy.authentication_2.security_protocol=ssl
    authentication_policy.authentication_2.password_attribute=userPassword
    authentication_policy.authentication_2.search_root=dc=amr,dc=stercomm,dc=com
    authentication_policy.authentication_2.search_filter=(uid=<userid>)
    authentication_policy.authentication_2.with_user_bind=false
    authentication_policy.authentication_2.className=com.sterlingcommerce.woodstock.security.LDAPAuthentication
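As an added example (not part of the product or of the original page), a POSIX shell function that applies step 3 to a whole customer_overrides.properties file: for each of the three password properties listed above it calls the encrypt tool and writes the encrypted value back in place. It assumes ENCRYPT_CMD (default bin/encrypt_string.sh, run from the install directory) prints only the encrypted form of its single argument on stdout; the exact output format of the real tool is not documented on this page, so adjust the command if it prints anything else.

```shell
#!/bin/sh
# Added example, not part of the product: encrypt the LDAP password properties
# in customer_overrides.properties in place.
# Assumption: ENCRYPT_CMD (default bin/encrypt_string.sh, run from the install
# directory) prints only the encrypted form of its single argument on stdout.
ENCRYPT_CMD="${ENCRYPT_CMD:-bin/encrypt_string.sh}"

# True for the three password properties this page says should be encrypted;
# authentication_N.credentials matches for any N.
is_ldap_password_key() {
    case "$1" in
        authentication_policy.LDAP_SECURITY_TRUSTSTORE_PASSWORD) return 0 ;;
        authentication_policy.LDAP_SECURITY_KEYSTORE_PASSWORD) return 0 ;;
        authentication_policy.authentication_*.credentials) return 0 ;;
    esac
    return 1
}

# encrypt_ldap_passwords FILE
# Rewrites FILE so every matching property holds the encrypted value; every
# other line (comments, blanks, other properties) is copied unchanged. Prints
# the number of properties encrypted. Run it once: it cannot tell an already
# encrypted value from a plaintext one and would encrypt it again.
encrypt_ldap_passwords() {
    file="$1"
    tmp="$file.tmp.$$"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'')
                printf '%s\n' "$line" ;;
            *=*)
                key="${line%%=*}"
                key="${key#"${key%%[![:space:]]*}"}"   # drop leading whitespace
                value="${line#*=}"
                if is_ldap_password_key "$key"; then
                    enc="$("$ENCRYPT_CMD" "$value")" || return 1
                    printf '%s=%s\n' "$key" "$enc"
                    count=$((count + 1))
                else
                    printf '%s\n' "$line"
                fi ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp" || return 1
    mv "$tmp" "$file" && echo "$count"
}
```

Unlike the listing above, the function does not keep the plaintext behind a "# non-encrypted" comment, because a commented-out password is still readable by anyone who can read the file.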