Overview
PhixFlow uses a Java keystore and associated secret service for data that needs to be secure. When PhixFlow is installed, the keystore is created and the username and password for the PhixFlow database are added. The instructions for this are in Configure a Keystore and Keys.
Additional details that we recommend you store in the keystore are:
- a pepper key used to encrypt local user passwords
- where external authorisation is required, usernames and passwords for:
You can then use an alias or key to retrieve the data from the keystore.
Note |
---|
This documentation assumes that each PhixFlow instance has it's own unique keystore. If you run multiple instances on the same server, using a single keystore, we recomend that each instance has its own security information in the keystore. Ensure that aliases are unique and ideally are named to indicate which instance they relate to. |
Panel | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
|
Adding Data to the Keystore
To add data to the keystore, use the Java keytool -importpass
line command. From a command prompt:
- Enter the
-importpass
command, specifying an alias/key. - When the keytool prompts, enter the keystore's password.
- When the keytool prompts again for a "password", enter the data, usually a user name or password.
For example:
- The keystore is called
secret.jks
... what's our default called ... - The keystore password is
secretpass
- The datasource instance details you want to store are:
- username
sqluser
, wth the keydb1
- password
x34!2axf
with the keydb1pass
- username
Windows example:
Expand | ||
---|---|---|
| ||
|
Expand | ||
---|---|---|
| ||
|
Pepperkye
If you have local users you also need to set up a Pepperkey
Wikipedia article on Pepper Encrytption
Datasource instances or email
todo
Keytool Syntax
For reference, here is the keytool command syntax.
Code Block |
---|
<keytool> -importpass -alias <key> -keystore <file> -storetype <type> |
where
<keytool>
depends on OS or command tool:<keytool>
- in the Windows command prompt
"%JAVA_HOME%\bin\keytool.exe"
- in Windows PowerShell
- in the Windows command prompt
-
&"$env:JAVA_HOME\bin\keytool.exe"
-
- in Linux
$JAVA_HOME/bin/keytool
- in Linux
<key>
The alias/key for a username or password.
After you enter an alias, the keytool prompts you to enter the corresponding data, usually a username or password.
- <file> is the full path to the keystore file, for example:
- Windows
C:\secure\name.jks
- Windows
- Linux
/opt/secure/name.jks
- Linux
- <type>Either PKCS12 (recommended) or JCEKS.
is a key/alias for something you want to store. Use this to retrieve the encrypted data.<key>
After you enter a
, the keytool always prompts for a password. This is because the keytool does not <key>
distinguish between the secrets that it stores
so it always prompts for a "password". Sometimes you will need to enter a username and others a password.. At the prompt, enter the actual value you want to store securely, usually a username or a password.
Understanding How PhixFlow Uses A Keystore
This section illustrates how PhixFlow uses a keystore to access its own database.
When PhixFlow is running, it provides the account credentials to its database as follows:
- phixflow-datasource.xml stores alias credentials for the database. It requests actual credentials from phixflow-secret.xml.
- phixflow-secret.xml asks the keystore for the actual credentials.
- The keystore password is configured as an environment variable This file stores the location of the keystore file and optionally its password (2a in the diagram below).
- Alternatively, phixflow-secret.xml stores the location of the keystore file and optionally its password (2b in the diagram below)
- The keystore file returns the actual account credentials to phixflow-secret
- which, in turn, passes the actual credentials to phixflow-datasource.xml.
- phixflow-datasource.xml then uses the actual credentials to log into the database, so that PhixFlow can update it.
This is shown in the diagram below.
How PhixFlow authenticates to its database using a keystore
Details used in the diagram | ||
---|---|---|
Keystore file name | hidden.jks | |
Keystore password | storepw | |
Environment variable name | KEY_PASS | |
Environment variable value (the keystore password) | storepw | |
PhixFlow database credentials | Username | Password |
Actual |
| P*59word |
Alias | phixflow-database-user | phixflow-database-password |
Possibly another page??
Local User Password Encrytption
PhixFlow users can be set up as
- external - all user authentication and permissions are handled externally for example by a SAML single-sign-on service or Active Directory.
- mixed - user authentication is handled externally but a assigned to user groups in PhixFlow, which handle permissions
- local - both user authentication and permissions are handled locally
For local users only, you can configure an added layer of security. PhixFlow one-way encrypts user passwords and the answers to user security questions.
- security answers: normalized Bcrypt - this changes all letters to lower case and removes spaces before encrytpting. It does not use the pepepr key, so security answers will work if the user account is imported to another instance
- user passwords: pepper key Bcrypt
- this requires an exact match, case/spaces etc
AND uses a pepper key from the keystore to get an additional string to add to the password. The pepper key is tied to the PhixFlow instance
Note You can export/import user accounts from one instance to another. However their passwords will not work in the new instance because the pepperkey will be different. The user will need to have their password reset in the import instance.
To check a passowrd or answer, PhixFlow identifies which method has been used to encrypt it, and uses the same method to encrypt the string supplied by the user. PhixFlow then compares the two encrypted versions and ensures these match.
In version 8.3.0 PhixFlow switched to using Bcrypt as its method of encrypting data.
phixflow-login.xml includes a list for the encoders. Phixflow will check for
Bcrypt
legacy (used prior to 8.3.0
startup - used for the initital administrator login to a new installation
How to move passwords to the new encoder
For PhixFlow instances upgraded to 8.3.0
Your local users will have passwords and security questions that require the legacy encoder. You can continue to run with this. However, to ensure your system is using the more secure Bcrypt and one-way encoding we recommend users change their passwords and their security answers as soon as possible.
When a user changes their password/answers, it is automatically encrypted with the new Bcrypt encode.
Making phixflow-login.xml more secure
Consider the following change
For new installations at 8.3.0 onwards, all passwords and answers will be using Bcrypt.
For upgraded instaances, when all passwords and answers are using Bcrypt
Update phixflow-login.xml to comment out the legacy line.
Warning |
---|
commenting out the legacy line will prevent any remaining passwords or answers from working. There is no way to check this in advance. If answers are still encrypted using the legacy encoder, then they will only find out if they need to reset their password. |
Consider the following change when you have an administrator login set up for your installation
Update phixflow-login.xml to comment out the startup line. This will automatically disable the startup user. If you subseqently have problems that mean you cannot log into the sytem, you can re-enable the startup user from outside PhixFlow.
Is it better to just disable it in PhixFlow
(This sounds like a security back door though)
phixflow-instance.xml knows about the pepperkey. if you want to call it something else in the keystore, remember to update it here too. - shared statement with install instructions