...

Info

Summary: this page describes how to encrypt logins and passwords for the CAST dashboards/RestAPI:

  1. when connecting to CAST Storage Service/PostgreSQL
  2. when configuring LDAP authentication

...

When configuring CAST dashboard / RestAPI connections to CAST Storage Service/PostgreSQL (i.e. Measurement or Dashboard Service schemas) or to an LDAP server for corporate login mode, logins and passwords are defined in the relevant configuration files in clear text. This represents a potential security risk: anyone who can read the configuration file can read the credentials. If your organization requires these logins and passwords to be encrypted, you can use the following instructions to do so.

Info
Note that this document already assumes that you have a working connection to your deployed CAST dashboard or RestAPI.

Encrypting access

...

to CAST Storage Service/PostgreSQL

Info
Note that in WARs delivered in CAST AIP ≥ 8.3.4 and all CAST Dashboard Packages, database server credential encryption is only supported for Apache Tomcat 8 or above.

To encrypt the login and password that are defined when configuring access to the CAST Storage Service/PostgreSQL instance where your Measurement or Dashboard Service schemas are located, browse to the following URL to access the built-in login/password key generation page:

...

Login with a user (whether static list or Active Directory) that has the ADMIN role - by default no users have this role in either static list mode or in Active Directory mode - see User authentication for more information.

When successfully authenticated, you now need to enter the credentials (login and password) for your target CAST Storage Service/PostgreSQL instance (that you would ordinarily enter into the context.xml file for configuring access to the Measurement or Dashboard Service) and that you wish to encrypt. In the example below, we have entered the default credentials for a CAST Storage Service/PostgreSQL instance:

Now click the Encrypt button - CAST will then generate a key that relates to the credentials you entered:

...

Code Block
languagetext
WARs delivered in CAST AIP ≥ 8.3.4 and all standalone CAST Dashboard Packages:

Tomcat ≥ 8 only: factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory"

WARs delivered in CAST AIP 8.3.0 - 8.3.3:

Tomcat 7: factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory"
Tomcat 8/8.5/9: factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory2"

Your database access resource should now look like this (this is an example for Tomcat 8 in CAST AIP ≥ 8.3.4 and all standalone CAST Dashboard Packages):

Code Block
languagexml
<Resource name="jdbc/domains/AAD" url="jdbc:postgresql://localhost:2280/postgres"
    initConnectionSqls="SET search_path TO CAST_MEASURE;"
    key="D228ED8B5E5690B3A75"
    factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory"
    auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
    validationQuery="select 1"
    initialSize="5" maxActive="20" maxIdle="10" maxWait="-1"/>

Save the file, reload the cache (see Reload the cache) and then reload your CAST dashboard / RestAPI and ensure you can login and view the data you need to.

...

When configuring access to an LDAP server for authentication, an LDAP user and password must be specified in the security.properties file in clear text, as described in User authentication:

Code Block
languagetext
security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password

...

Login with a user (whether Default Authentication or LDAP) that has the ADMIN role - by default no users have this role in either mode - see User authentication for more information:

When successfully authenticated, you now need to enter the credentials (login and password) for your LDAP server (that you would ordinarily enter into the security.properties file for configuring LDAP mode) and that you wish to encrypt. In the example below, we have entered the required LDAP credentials:

...

Save the file, reload the cache (see Reload the cache) and then reload your CAST dashboard / RestAPI and ensure you can login and view the data you need to.

What happens if the LDAP credentials change (new password)?

If your LDAP credentials change, for example because a new password is generated on the LDAP server, access to the CAST Dashboard will fail for every LDAP user. The encryption key for the new credentials must then be regenerated in the key.html page; however, that page itself requires authentication, so it cannot be reached to generate the new key. This can only be resolved by:

  • temporarily restoring access using a login and password, i.e. removing the security.ldap.account.key line from security.properties and re-adding the security.ldap.account.dn and security.ldap.account.password lines.
  • accessing key.html and encrypting the new login/password into a key.
  • removing the security.ldap.account.dn and security.ldap.account.password lines from security.properties and re-adding the security.ldap.account.key line with the new key.
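The following Python script is an added example, not CAST's own code or tooling, that audits a context.xml and a security.properties for the mistakes both procedures above guard against: clear-text credentials left in place, a key= attribute paired with the wrong factory for the release line and Tomcat version, or the LDAP key line sitting beside the dn/password lines it should replace. The release-line labels, the sample files and the key values are constructed placeholders; the username/password attribute names are the standard Tomcat DataSource ones.

```python
import re
import xml.etree.ElementTree as ET

FACTORY = "com.castsoftware.adg.webservice.security.BasicDataSourceFactory"
# Factory that must accompany key=, per the table above; None = key= unsupported on that Tomcat.
EXPECTED_FACTORY = {
    ">=8.3.4": {7: None, 8: FACTORY, 9: FACTORY},
    "8.3.0-8.3.3": {7: FACTORY, 8: FACTORY + "2", 9: FACTORY + "2"},
}
# Constructed sample context.xml (not from a real deployment): AAD migrated to key=, AED not.
SAMPLE_CONTEXT_XML = """<Context>
 <Resource name="jdbc/domains/AAD" url="jdbc:postgresql://localhost:2280/postgres"
   key="EXAMPLE_KEY_PLACEHOLDER" factory="%s"
   auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"/>
 <Resource name="jdbc/domains/AED" url="jdbc:postgresql://localhost:2280/postgres"
   username="dbuser" password="clear-text-secret"
   auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"/>
</Context>""" % FACTORY
# Constructed security.properties where the key line was re-added but the clear-text lines kept.
SAMPLE_SECURITY_PROPERTIES = """security.ldap.account.dn=cn=serviceaccount,dc=example,dc=com
security.ldap.account.password=password
security.ldap.account.key=EXAMPLE_KEY_PLACEHOLDER
"""

def audit_context_xml(xml_text, release_line, tomcat_major):
    """One finding per <Resource> that still carries clear-text credentials or a bad key=/factory pair."""
    expected = EXPECTED_FACTORY[release_line].get(tomcat_major)
    findings = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        name, a = res.get("name", "?"), res.attrib
        if "username" in a or "password" in a:
            findings.append(f"{name}: clear-text username/password still present")
        elif "key" not in a:
            findings.append(f"{name}: neither key= nor credentials configured")
        elif expected is None:
            findings.append(f"{name}: key= is not supported on Tomcat {tomcat_major} for {release_line}")
        elif a.get("factory") != expected:
            findings.append(f"{name}: key= set but factory is {a.get('factory')!r}, expected {expected!r}")
    return findings

def audit_security_properties(text):
    """The key line must replace the dn/password lines, not sit beside them."""
    present = set(re.findall(r"^\s*(security\.ldap\.account\.\w+)\s*=", text, re.M))
    findings = []
    if "security.ldap.account.password" in present:
        findings.append("security.ldap.account.password is in clear text")
    if "security.ldap.account.key" in present and present & {"security.ldap.account.dn", "security.ldap.account.password"}:
        findings.append("security.ldap.account.key coexists with dn/password lines; remove them")
    return findings
```

Run `audit_context_xml(open("context.xml").read(), ">=8.3.4", 9)` and `audit_security_properties(open("security.properties").read())` against a real deployment after the cache reload; an empty list from both means no clear-text credentials remain in those files.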