Currently if we want to reset admin password of wso2(not through UI), We edit the password in repository/conf/user-mgt.xml file. We would like to use encrypted the password instead of clear text. Is there any way i can give supply my encryption logic to wso2 so that it uses while decrypting the password on authentication. Thanks in Advance
You can encrypt passwords in configuration files using Cipher Tool shipped with all WSO2 Products. Please refer [1] for more detail on it.
[1] https://docs.wso2.com/display/Carbon420/Securing+Passwords+in+Configuration+Files
Related
i can't encrypt Embedded LDAP password in repository/conf/identity/embedded-ldap.xml file on Identity Server 5.6.0.
I encrypted a password in embedded-ldap.xml file.
In "cipher-tool.properties" file i have string:
EmbeddedLdap.Property.ConnectionPassword=repository/conf/identity/embedded-ldap.xml//EmbeddedLDAPConfig/EmbeddedLDAP/Property[#name='connectionPassword'],false.
In cipher-text.properties i have encrypted password for it.
But when i launch Identity Server i get error:
LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=system.
How to encrypt Embedded Ldap Password?
Also there is "PartitionAdmin" password in embedded-ldap.xml file. I encrypted it. IS is started normal with this encrypted password.
I tested the scenario and found out that it does not retrieve the value from cipher-text.properties file for the "connectionPassword" property in the <IS_HOME>/repository/conf/identity/embedded-ldap.xml by following secretAlias="EmbeddedLdap.Property.ConnectionPassword".
Instead, it uses the value defined inline within the embedded-ldap.xml file. Because, server startup does not fail if we add the correct password in embedded-ldap.xml file as following. (Ps: "test123" is the password I've defined as "ConnectionPassword" for the UserStoreManager in user-mgt.xml)
<EmbeddedLDAP>
<Property name="connectionPassword" svns:secretAlias="EmbeddedLdap.Property.ConnectionPassword">test123</Property>
So this seems to be a bug/limitation in the WSO2 Identity Server and you can report it by opening an issue in the GitHub repository.
However please note that the embedded LDAP is provided only for evaluations purposes. Please use an external user store (LDAP or JDBC) in production environments.
I've changed the wso2carbon.jks keystore to my own store and my CA signed cert is working fine via a remote browser for https. However when I try to change the admin password via the carbon management console UI and restart the API manager I get problems with:
AMQConnection Unable to connect to broker at tcp://10.16.0.5:5673
org.wso2.andes.AMQException: Error occurred while establishing a connection
I'm running 2.0.0 of API manager on Ubuntu 14.04
I don't have enough points to comment on a similar issue:
WSO2 API Manager - Error changing admin password
but happy to experiment and isolate this bug. I could try to change the admin password for all references in xml files under conf if needed.
Please advise on the best way to change the admin password for API manager. I'm happy to do a clean install and see if I can just change the admin password. Please advise if I should use the UI or change in repository/conf files.
Search all xml files with "admin" references. What I can recall is, api-manager.xml, user-mgt.xml, identity.xml, etc.. You may also check out the related wso2 doc.
I've just worked through this issue with WSO2 support. In my case it had to do with the content of the password. I used the same admin password for v2 as I did for v1.10 but apparently the different frameworks in v2 has a problem with special characters in the password. More specifically, a '#' character. The link below was provided as a reference. Upon changing the admin password, both in the console and in the user-mgt.xml file, and restarting the product, I am no longer experiencing the exception.
https://wso2.org/jira/browse/APIMANAGER-4991
Authentication Required
The server http://api.mailgun.net:443 requires a username and password....
I am new in mailgun, and I dont understand that where I can find those username and password.
Can any one help me please ???
This really isn't an appropriate question, but ...
"When you sign up for an account, you are given an API key. You authenticate to the Mailgun API by providing your API key in the request. You can manage your API key in the ‘My Account’ tab of the Control Panel.
Authentication to the API occurs via HTTP Basic Auth. Use api as the user name and your API key is the password."
https://documentation.mailgun.com/api-intro.html#authentication
I'm writing a web app in Django that is interfacing with the Read it Later List API (http://readitlaterlist.com/api/docs/). However, all of the API calls require sending the username and password with each request. In order to do this, it seems that I need to store the user's password in plain text in my database. Am I missing something or is that the only approach possible in this case? Is there some way to store an encrypted password in my database, but yet be able to send a decrypted version of it when making the API call? If not, then are there any best practices that I should be following to safe-guard the user's password?
I'm pretty sure that this can't be the only service requiring sending password in plain-text. I'm interested in knowing how developers deal with these sort of services in general. I'm new to web development, so any help or pointers is appreciated.
do your users have to log into your website to use it? if you also are making use of a password authentication scheme, you could piggy back on top of that. Use the login password for your site as a cipherkey in a symmetric key cipher to encrypt the api password. then you need only store a hash of the users password (to your own site) and an encrypted password for the remote api.
Never save password in plain text. You can encrypt and decrypt the password but the problem is that the key you use to do the encryption and decryption will generally be accessible to anyone who has gained access to your server so it's not secure.
An alternative is to ask them to enter their password and save it in an encrypted cookie, or session variable or something else that will expire when they have logged out of your app. This has the drawback of them having to enter their password every time they user your app.
"Its not stated here what the password
field is used for, or why it is
required. I was told by an Adobe
employee at CFUnited 2008 that it was
used to recreate the login in
clustered environments. An explanation
of this process might be useful."
- http://livedocs.adobe.com/coldfusion/8/htmldocs/Tags_j-l_08.html
So actually why does <cfloginuser> require a password attribute??
cfloginuser is used in combination with cflogin to log a user into your application. You use either a form submission with username and password values, basic authentication or NTLM authentication. All of these require a username and password.
Password is used for the base64 string
see: CFLogin Security Considerations
But why is the password needed for the base64 string? I don't know...