Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

This page is for administrators who need to migrate local user information to use BCrypt encryption.

Overview

PhixFlow users can be set up as:

  • external - all user authentication and permissions are handled externally for example by a SAML single-sign-on service or Active Directory.
  • mixed - user authentication is handled externally but a assigned to user groups in PhixFlow, which handle permissions
  • local - both user authentication and permissions are handled locally.


Sections on this page

For local users, in version 8.3.0, PhixFlow's encryption method was upgraded to one-way encrypt:

  • Security answers using normalized Bcrypt.
    • This changes all letters to lower case and removes spaces before encrytpting.
    • It does not use the pepper key, so security answers will work if the user account is imported to another instance.
  • User passwords using a pepper key and Bcrypt.
    • This requires an exact string match for the password.

    • The pepper key is specific to the PhixFlow instance, and is stored in the keystore.

      You can export/import user accounts from one instance to another. However user passwords will not work in the new instance because the pepper key will be different. The user will need to have their password reset in the import instance.

After upgrading to 8.3.0, new or reset passwords and security answers automatically use the Bcrypt method.

Passwords and security answers that were created in older versions of PhixFlow were encrypted using the previous encryption method. These will continue to work because the configuration file phixflow-instance.xml has a list of all the encryption methods.

phixflow-instance.xml encryption configuration
<bean id="passwordEncoder" class="com.accipia.centerview.util.security.ConfigurablePasswordEncoder">
  <property name="matchEncoders">
    <list>
      <ref bean="pepperedBcrypt" />
      <ref bean="legacyEncoder" />
      <ref bean="startupEncoder" />
    </list>
  </property>
  <property name="setterEncoder" ref="pepperedBcrypt" />
</bean>

To check a passoword or security answer, PhixFlow identifies which method has been used to encrypt it. It then uses the same method to encrypt the string supplied by the user. PhixFlow then compares the two encrypted versions and ensures these match.

How to Migrate Security Information

As Bcrypt is more secure, we recommend all security information is migrated to Bcrypt as soon as possible.

To do this, all users must change their passwords and their security answers.

Removing Old Encoders

You can update phixflow-instance.xml to remove old encoders when:

  • At least one administration user can log into PhixFlow;.
    This means the startup user is no longer required.
  • You installed a new version of PhixFlow version 8.3.0 or later.
    This means all passwords and security answers automatically use BCrypt encryption
  • After upgrading to 8.3.0 or later, all users updated their passwords and security answers.
    This means all existing passwords and security answers have been migrated to use BCrypt encryption.

There is no way to check if passwords or security answers are still using the legacy encoder. Removing the old encoders from phixflow-instance.xml will disable passwords or security answers that still use the legacy encoder.  

  1.  In your PhixFlow installation directory,  go to webapp/WEB-INF/classes/ and edit phixflow-instance.xml
  2. Find the bean: <bean id="passwordEncoder"
  3. Delete the lines
    • <ref bean="legacyEncoder" /> to disable passwords or security answers that do not use BCrypt
    • <ref bean="startupEncoder" /> to disable the startup user account.

For passwords disabled by this process, users can reset their password; see Password Reset.

If you subsequently need to reinstate these encoders, you can copy them from webapp/WEB-INF/classes/phixflow-instance-example.xml.

About the Pepper Key

The pepper key for your PhixFlow instance is created at installation or uprade to 8.3.0. If you are unfamiliar with the concept of a pepper key, see Wikipedia article on Pepper Encrytption.

Once it is set, all new or reset passwords have the pepper key added to them. The pepper key itself is stored in the keystore; see Adding Data to a Keystore. The pepper key alias is stored in phixflow-instance.xml.

Do not change the pepper key as this will disable all user passwords, including administrator passwords.

  • No labels