| Code Block |
|---|
<keytool> -importpass -alias <keyAlias> -keystore <pathToKeystoreFile> -storetype <keytype> |
To add -usernameKey <userkey> and -passwordKey <passkey>
| Where: | Is |
|---|
<keytool>Windows command prompt | "%JAVA_HOME%\bin\keytool.exe" | | Windows PowerShell | &"$env:JAVA_HOME\bin\keytool.exe" |
| Linux | $JAVA_HOME/bin/keytool |
<keyAlias>
| The alias for a username or password. The phixflow-secret.xml configuration file refers to the <keyAlias> so that PhixFlow knows which encrypted secret to retrieve from the keystore. After you enter an alias, the keytool prompts you to enter the corresponding username or password. This is the actual value that the database requires to permit access. |
| <pathToKeystoreFile> | The full path to the keystore file, for example: - Windows -
C:\secure\name.jks - Linux -
/opt/secure/name.jks
|
| <keytype> | Either PKCS12 or JCEKS. |
| Tip |
|---|
The keytool does not differentiate between the secrets it stores so it always prompts for a password. Sometimes you will need to enter a username and others a password. The following instructions explain which you need to enter. |
Step 1 Create the keystore and the alias for | Tip |
|---|
When you run the keytool -importpass command, it always prompts for a "password". This is because the keytool does not distinguish between the secrets that it stores. At the prompt, enter the actual value you want to store securely. |
If you are creating the keystore on Windows, you must use the backslash \ in the path. PhixFlow will not be able to read the pepper key value if you use the forward slash /.
| Note |
|---|
If you have follow the recommended instructions for installing Java (Install Java) the keytool program will be in your path. If you have take a different approach, you can find the keytool program under JAVA_INSTALLATION_HOME/bin. |
- Run the
-importpass command, specifying the alias: pepperkey
The alias is case-sensitive and must match phixflow-instance.xml: <prop key="pepperkey">pepperkey</prop>
When prompted, enter the password you want to set for the keystore file, then re-enter to confirm it.
Keep a secure record of this password.
| Tip |
|---|
If you are following these instructions to upgrade PhixFlow, and your keystore already exists, in step 2 enter the password for your keystore.
See also: Adding Data to a Keystore |
- When prompted for the password, enter the string you want to use to pepper user passwords.
We recommend this string has the same characteristics as a password. For example it should be a random string containing at least 6 letters, numbers and special characters.
Keep a secure record of the pepper key.
| Code Block |
|---|
| title | Windows Command Line Example |
|---|
|
keytool -importpass -alias pepperkey -keystore C:\secure\keystore.jks -storetype PKCS12 |
| Code Block |
|---|
| title | Windows Powershell Example |
|---|
|
keytool -importpass -alias pepperkey -keystore C:\secure\keystore.jks -storetype PKCS12 |
| Code Block |
|---|
|
keytool -importpass -alias pepperkey -keystore /opt/secure/keystore.jks -storetype PKCS12 |
1.1 Run the -importpass command. In <keyAlias> specify , specifying the alias username for the PhixFlow database, for example phixflow-database-user.
1.2 When prompted, enter the keystore password.
1.3 When prompted for the password, enter the actual username for the PhixFlow database, for example phixflow.
| Code Block |
|---|
| title | Windows Command Line |
|---|
|
keytool -importpass -alias phixflow-database-user -keystore C:\secure\keystore.jks -storetype PKCS12 |
| Code Block |
|---|
"%JAVA_HOME%\bin\keytool" |
|---|
| title | Windows Powershell Example |
|---|
|
keytool -importpass -alias phixflow-database-user -keystore C:\secure\hiddenkeystore.jks -storetype PKCS12 |
:| Code Block |
|---|
$JAVA_HOME/bin/ |
keytool -importpass -alias phixflow-database-user -keystore /opt/secure/hiddenkeystore.jks -storetype PKCS12 |
1.2 When prompted, enter the password you want to use for the keystore file, then re-enter to confirm it.
1.3 When prompted for the password or secret to be stored, enter the actual username for the PhixFlow database, for example phixflow. 2.1. Repeat Run the -importpass command . In <keyAlias> specify specifying the alias password for the PhixFlow database, for example phixflow-database-password.
2.2 When prompted, enter the keystore password.
Windows:
| Code Block |
|---|
"%JAVA_HOME%\bin\keytool"2.3 When prompted for the password, enter the actual password for the PhixFlow database.
| Code Block |
|---|
| title | Windows Command Line Example |
|---|
|
keytool -importpass -alias phixflow-database-password -keystore C:\secure\hiddenkeystore.jks -storetype PKCS12 |
Linux:
| Code Block |
|---|
$JAVA_HOME/bin/| title | Windows Powershell Example |
|---|
|
keytool -importpass -alias phixflow-database-password -keystore C:\secure\hiddenkeystore.jks -storetype PKCS12 |
2.2 When prompted, enter the password for the keystore file. This is the same password you set in step 1.2. This time the password opens the keystore.
2.3 When prompted for the password or secret to be stored, enter the actual password for the PhixFlow database.
Step 3 | Code Block |
|---|
|
keytool -importpass -alias phixflow-database-password -keystore /opt/secure/keystore.jks -storetype PKCS12 |
The configuration process differs between version 10 and version 11.
Please follow the relevant instructions below.
| Expand |
|---|
|
The following settings need to be configured in local.properties or as environment variables. | Insert excerpt |
|---|
| Server Configuration Properties |
|---|
| Server Configuration Properties |
|---|
| name | Keystore |
|---|
| nopanel | true |
|---|
|
|
| Expand |
|---|
|
Edit phixflow-datasource.xml to add the aliases for the PhixFlow database username and password. For example: | Code Block |
|---|
<property name="username">
<value>phixflow-database-user</value>
</property>
<property name="password">
<value>phixflow-database-password</value>
</property> |
|
4 | Note |
|---|
We recommend that you use an environment variable for the keystore password, as it provides additional security.
If you do not set an environment variable, you must include the keystore password in phixflow-secret.xml. |
Create an environment variable with the form <variable-name>: <keystore-password>
| In Windows | In Linux |
|---|
<variable-name> | In Windows: In the environment variable, specify any variable name you choose. | Use the EnvironmentFile directive in the systemd service definition.
Ensure that only root can read/write EnvironmentFile. For information about how to set environment variables in Linux, see: | <keystore-password> | Specify the password for the keystore. |
| Warning |
|---|
Never add the keystore password to the profile for the Tomcat user. |
|
5 Copy phixflow-secret.xml.example to phixflow-secret.xml and edit it to set the values as follows: | Required? | Property | Value | Example |
|---|
| Required | keystoreType | The type of the keystore, either PKCS12 or JCEKS | <!-- keystore type (PKCS12 or JCEKS) -->
<property name="keystoreType">
<value>PKCS12</value>
</property>
| | Required | keystoreFile | The path to the keystore. | <!-- keystore filepath -->
<property name="keystoreFile">
<value>/opt/secure/
|
|
hiddenkeystore.jks</value>
</property>
| Either
(recommended) | keystorePassEnvironmentVariable | The name of the environment variable. Use <!-- and --> to comment out the keystorePass property.
| Info |
|---|
When specifying the value for the password in an environment variable, the value entered should adhere the policy of the environment variables for your operating system. |
| <!-- keystore password -->
<property name="keystorePassEnvironmentVariable"
|
|
> <value>KEY><value>KEY_PASS</value>
</property>
| | Or | keystorePass | The password for the keystore. Use <!-- and --> to comment out the keystorePassEnvironmentVariable property. | Info |
|---|
When specifying the value for the password in the phixflow-secret.xml, special characters will need to be escaped. |
| <!-- keystore password -->
<property name="keystorePass">
<value>storepw</value>
</property>
|
| Warning |
|---|
On startup, PhixFlow checks that there is one password mechanism, |
either either keystorePassEnvironmentVariable or keystorePass |
|
See
Add security for user passwords.
You only need to do this if you have local users.
It is not possible to change the password directly on the keystore file as this corrupts its values. Instead we recommend creating a new keystore file and importing the original values into it.
The process to create a new keystore is:
- Tomcat needs to be stopped.
- Rename your original keystore file e.g.
keystoreOld.jks. - Use the importkeystore command to import the existing keystore into a a new keystore, at which point you will be prompted for the password for the original keystore and then a new password for the new keystore.
- Give the new keystore the original keystore's name e.g.
keystore.jks.
- Depending on your configuration, you will need to update local.properties, phixFlow-secret.xml or the environment variable, with the new keystore password.
| Code Block |
|---|
| title | Linux |
|---|
| linenumbers | true |
|---|
|
keytool -importkeystore \
-srckeystore keystoreOld.jks -srcstoretype PKCS12 \
-destkeystore keystore.jks -deststoretype PKCS12 |
| Code Block |
|---|
| title | Windows |
|---|
| linenumbers | true |
|---|
|
keytool -importkeystore \
-srckeystore keystoreOld.jks -srcstoretype PKCS12 \
-destkeystore keystore.jks -deststoretype PKCS12 |