Encrypting passwords (encrypt) v7

The encrypt command encrypts the text supplied in an input file and writes the encrypted result to a specified output file. Use the encrypt command to generate an encrypted password to copy into a text file. This text file is referenced by a Replication Server CLI command that requires a user name and the user’s password.

Synopsis

-encrypt -input <infile> -output <pwdfile> [-passwordEncryptionMethod {DES-MD5|AES-SHA256}]

The text in infile is processed with the selected encryption algorithm, and the encrypted text is written to pwdfile. Make sure that infile contains only the text that you want to encrypt: any extra characters or empty lines before or after it, including a trailing newline added by many editors, become part of the encrypted password. Because the Replication Server must recover the plaintext to connect, the encryption is reversible; restrict the permissions of pwdfile and of any configuration file that holds the encrypted value, and delete infile once the value is in place.

Parameters

infile

The file containing the text to be encrypted.

pwdfile

The file containing the encrypted form of the text from infile.

-passwordEncryptionMethod

Specifies the algorithm used to encrypt the password: DES-MD5 (PBEWithMD5AndDES) or AES-SHA256 (PBEWithHmacSHA256AndAES_256). If the flag is omitted, the algorithm defaults to DES-MD5. To override the default DES-MD5 encryption with the FIPS-compliant AES-SHA256 encryption, use -passwordEncryptionMethod AES-SHA256.

AES-SHA256 offers stronger protection, supports FIPS operation and is recommended for new deployments; DES-MD5 (56-bit DES with an MD5-derived key) is kept for backward compatibility with previous versions and existing cluster configurations.

Note

Ensure you use the same encryption method in the publication and subscription servers of a replication cluster.

Examples

Encrypt a password with DES-MD5

  1. Create a text file with your password using the editor of your choice. Here, infile contains the word password.

    password
  2. Execute the encrypt command to produce a file named pwdfile.

    $ java -jar edb-repcli.jar -encrypt -input ~/infile -output ~/pwdfile

    The file pwdfile now contains the DES-MD5 encrypted form of password, namely ygJ9AxoJEX854elcVIJPTw==.

  3. Copy and paste the encrypted password into the Replication Server configuration file:

    #xDB Replication Server Configuration Properties
    admin_password=ygJ9AxoJEX854elcVIJPTw==
    admin_user=admin

Encrypt a password with AES-SHA256

  1. Create a text file with your password using the editor of your choice. Here, infile contains the word password.

    password
  2. Execute the encrypt command to produce a file named pwdfile.

    $ java -jar edb-repcli.jar -encrypt -input ~/infile -output ~/pwdfile -passwordEncryptionMethod AES-SHA256

    The file pwdfile now contains the FIPS-compliant, AES-SHA256 encrypted form of password, namely BThrXGs/gVmStAV88Yl/U2UjoKXVs9qq56j1n/ZnR05Eyg48.

    Note

    If you rerun the encrypt command with the same password input, the generated encrypted password is different each time. This is expected: each run mixes in fresh random material (the salt and IV of the password-based encryption), so two encryptions of the same password do not match and encrypted strings cannot be compared to tell whether two passwords are equal. Any of the generated values is valid.

  3. Copy and paste the encrypted password into the Replication Server configuration file:

    #xDB Replication Server Configuration Properties
    admin_password=BThrXGs/gVmStAV88Yl/U2UjoKXVs9qq56j1n/ZnR05Eyg48
    admin_user=admin
  4. Enable the AES-SHA256 encryption in both the xdb_pubserver.conf and xdb_subserver.conf files by uncommenting the passwordEncryptionMethod=AES-SHA256 line.

    [...]
    #Select the encryption method used to protect database connection and replication
    #server passwords. The AES-SHA256 (PBEWithHmacSHA256AndAES_256) offers stronger
    #protection and is recommended. The default is set to DES-MD5 (PBEWithMD5AndDES)
    #for compatibility with the existing cluster configurations.
    passwordEncryptionMethod=AES-SHA256
    
    #########################################
    ### SSL Configuration                 ###
    #########################################
    [...]
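
The following shell script packages the procedure above (both the DES-MD5 and the AES-SHA256 variants, and the configuration edits that the later section on changing the encryption method also requires). It is an added example, not part of the EDB documentation or of the edb-repcli tool. It assumes that edb-repcli.jar is at the path given in EDB_REPCLI_JAR, that the configuration files are plain key=value properties files as shown on this page, and that the replication server configuration file is passed in by path; the function names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the EDB documentation or of edb-repcli.
# Assumptions: EDB_REPCLI_JAR points at edb-repcli.jar; configuration files
# are key=value properties files as shown on this page.
set -eu

# Write the password to infile with NO trailing newline. `echo` appends one,
# and the encrypt command would then encrypt "password<newline>".
write_infile() {
    printf '%s' "$1" > "$2"      # $1 = password, $2 = infile path
    chmod 600 "$2"
}

# Succeed only if infile is non-empty and contains no newline at all,
# i.e. exactly the text to encrypt and nothing else.
check_infile() {
    size=$(wc -c < "$1" | tr -d ' ')
    newlines=$(wc -l < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    [ "$newlines" -eq 0 ] || return 1
    return 0
}

# Set key=value in a properties file: replace an existing (possibly
# commented-out) line, or append the line if the key is absent. The file is
# rewritten in place so its ownership and mode are preserved.
set_property() {
    file=$1; key=$2; value=$3
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        sed "s|^#*[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "${file}.tmp.$$"
        cat "${file}.tmp.$$" > "$file"
        rm -f "${file}.tmp.$$"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of an uncommented key=value line (first match).
get_property() {
    sed -n "s|^${2}=||p" "$1" | head -n 1
}

# The documented command. $3 is DES-MD5 or AES-SHA256; prints the token.
# Requires Java and the jar, so it is only called from install_password.
encrypt_password() {
    java -jar "${EDB_REPCLI_JAR:-$HOME/edb-repcli.jar}" \
        -encrypt -input "$1" -output "$2" -passwordEncryptionMethod "$3"
    cat "$2"
}

# End to end (not executed by default; SERVER_CONF is the file holding
# admin_user/admin_password):
#   install_password AES-SHA256 'secret' SERVER_CONF xdb_pubserver.conf xdb_subserver.conf
install_password() {
    method=$1; pw=$2; server_conf=$3; pub_conf=$4; sub_conf=$5
    work=$(mktemp -d)
    write_infile "$pw" "$work/infile"
    check_infile "$work/infile"
    token=$(encrypt_password "$work/infile" "$work/pwdfile" "$method")
    set_property "$server_conf" admin_password "$token"
    # Both servers of the cluster must use the same method (see the Note above).
    set_property "$pub_conf" passwordEncryptionMethod "$method"
    set_property "$sub_conf" passwordEncryptionMethod "$method"
    rm -rf "$work"   # the plaintext infile must not outlive the procedure
}
```

The helpers can be sourced into an interactive shell; check_infile is the test to run before every encrypt, because a password with a stray newline encrypts without any error and only fails later, when the server tries to log in.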

Change the encryption method

To change the encryption method of an existing Replication Server CLI user password, you must encrypt the password again with the new method, and then replace the stored encrypted value on the existing objects.

In this example we change the encryption algorithm from DES-MD5 to AES-SHA256.

  1. Follow the steps in Encrypt a password with AES-SHA256 to create new encrypted passwords and update the Replication Server, Publication and Subscription configuration files.

  2. Replace the saved password in the control database tables.