| Insert excerpt | ||||||||
|---|---|---|---|---|---|---|---|---|
|
| Table of Contents | ||||
|---|---|---|---|---|
|
"%JAVA_HOME%\bin\keytool.exe"&"$env:JAVA_HOME\bin\keytool.exe"$JAVA_HOME/bin/keytool where
<keytool>
How PhixFlow authenticates to its database using a keystore
phixflow-instance.xml knows about the pepperkey. if you want to call it something else in the keystore, remember to update it here too. - shared statement with install instructions
Configuration in phixflow-secret.xml
phixflow-secret.xml manages PhixFlow authenticating to its own database. The username and password are stored securley in the keystore. phixflow-secret.xml holds the keys (also called aliases)
Other configuration
| Code Block |
|---|
<!-- number of retries to read keystore file -->
<property name="retries">
<value>3</value>
</property>
<!-- delay before we retry to read keystore file -->
<property name="retryDelay">
<value>10000</value>
</property> To use new CachingSecretService need to have declaration of new bean definition in phixflow-secret.xml.example |
| Details used in the diagram | ||
|---|---|---|
| Keystore file name | hidden.jks | |
| Keystore password | storepw | |
| Environment variable name | KEY_PASS | |
| Environment variable value (the keystore password) | storepw | |
| PhixFlow database credentials | Username | Password |
| Actual |
| P*59word |
| Alias | phixflow-database-user | phixflow-database-password |
| Note |
|---|
The default keystore filename set in phixflow-secret. |
Local User Password Encryption
If you have local users you also need to set up a pepper key; see Wikipedia article on Pepper Encrytption.
PhixFlow users can be set up as
- external - all user authentication and permissions are handled externally for example by a SAML single-sign-on service or Active Directory.
- mixed - user authentication is handled externally but a assigned to user groups in PhixFlow, which handle permissions
- local - both user authentication and permissions are handled locally
For local users, PhixFlow one-way encrypts:
This changes all letters to lower case and removes spaces before encrytpting. It does not use the pepper key, so security answers will work if the user account is imported to another instance
and adds a pepper key string from the keystore. The pepper key is specific to the PhixFlow instance.
| Note |
|---|
You can export/import user accounts from one instance to another. However their passwords will not work in the new instance because the pepper key will be different. The user will need to have their password reset in the import instance. |
To check a passoword or answer to a security question, PhixFlow identifies which method has been used to encrypt it. It then uses the same method to encrypt the string supplied by the user. PhixFlow then compares the two encrypted versions and ensures these match.
| Code Block |
|---|
<bean id="passwordEncoder"
class="com.accipia.centerview.util.security.ConfigurablePasswordEncoder">
<property name="matchEncoders">
<list>
<ref bean="pepperedBcrypt" />
<ref bean="legacyEncoder" />
<ref bean="startupEncoder" />
</list>
</property>
<property name="setterEncoder" ref="pepperedBcrypt" />
</bean> |
In version 8.3.0 PhixFlow switched to using Bcrypt as its method of encrypting data. All passwords and security answers that were set up in earlier versions will continue to be encrypted with the legacy encoder.
phixflow-login.xml includes a list for the encoders. Phixflow will check for
Bcrypt
legacy (used prior to 8.3.0
startup - used for the initital administrator login to a new installation
The encoding is configured in the phixflow-login.xml, in the passwordEncoder bean.
<bean id="passwordEncoder" class="com.accipia.centerview.util.security.ConfigurablePasswordEncoder"> <property name="matchEncoders"> <list> <ref bean="pepperedBcrypt" /> <ref bean="legacyEncoder" /> <ref bean="startupEncoder" /> </list> </property> <property name="setterEncoder" ref="pepperedBcrypt" /> </bean>
How to move passwords to the new encoder
For PhixFlow instances upgraded to 8.3.0
Your local users will have passwords and security questions that require the legacy encoder. You can continue to run with this. However, to ensure your system is using the more secure Bcrypt and one-way encoding we recommend users change their passwords and their security answers as soon as possible.
When a user changes their password/answers, it is automatically encrypted with the new Bcrypt encode.
Making phixflow-login.xml more secure
Consider the following change
For new installations at 8.3.0 onwards, all passwords and answers will be using Bcrypt.
For upgraded instaances, when all passwords and answers are using Bcrypt
Update phixflow-login.xml to comment out the legacy line.
| Warning |
|---|
commenting out the legacy line will prevent any remaining passwords or answers from working. There is no way to check this in advance. If answers are still encrypted using the legacy encoder, then they will only find out if they need to reset their password. |
Consider the following change when you have an administrator login set up for your installation
Update phixflow-login.xml to comment out the startup line. This will automatically disable the startup user. If you subseqently have problems that mean you cannot log into the sytem, you can re-enable the startup user from outside PhixFlow.
Is it better to just disable it in PhixFlow
(This sounds like a security back door though)
|