Target audience:

CAST Administrators

Summary: this page describes how to encrypt the logins and passwords used 1) to connect to database servers and 2) to configure Active Directory authentication.

Introduction

When configuring CAST Application Analytics / Engineering Dashboards or RestAPI connections to RDBMS/CSS database servers (i.e. Measurement or Dashboard Services) or to an LDAP server for Active Directory login mode (see Installing and configuring the CAST Application Analytics Dashboard, Installing and configuring the CAST Application Engineering Dashboard and Installing and configuring the CAST-RestAPI.war), the logins and passwords are stored in the relevant configuration files in clear text. This represents a potential security risk: anyone who can read the configuration files on the server can read the credentials. If your organization requires these logins and passwords to be encrypted, use the following instructions to do so.

Note that this document already assumes that you have a working connection to your deployed dashboard or RestAPI.

Encrypting access to RDBMS/CSS database servers

To encrypt the login and password that are defined when configuring access to the RDBMS/CSS database server where your Measurement or Dashboard Services are located, proceed as follows. First browse to the key generation page (key.html) of your deployed application and use it to generate a key from the database login and password:

AAD - http://<server>:[<port>]/CAST-AAD/static/key.html
AED - http://<server>:[<port>]/CAST-AED/static/key.html
RestAPI - http://<server>:[<port>]/CAST-RestAPI/static/key.html

Then open the context.xml file of the deployed application in a text editor:

AAD - %CATALINA_HOME%\webapps\CAST-AAD\META-INF\context.xml
AED - %CATALINA_HOME%\webapps\CAST-AED\META-INF\context.xml
RestAPI - %CATALINA_HOME%\webapps\CAST-RestAPI\META-INF\context.xml
Locate the Resource element for the database server. The login and password are defined in clear text in its username and password attributes:

<Resource name="jdbc/domains/AAD" url="jdbc:postgresql://localhost:2280/postgres"
    initConnectionSqls="SET search_path TO CAST_MEASURE;"
    username="operator" password="CastAIP"
    auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
    validationQuery="select 1"
    initialSize="5" maxActive="20" maxIdle="10" maxWait="-1"/>

Remove the username and password attributes and replace them with a key attribute containing the generated key, for example:

key="D228ED8B5E5690B3A75"

Also add a factory attribute; its value depends on the version of Tomcat you are using:

Tomcat 7: factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory"
Tomcat 8/8.5: factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory2"

The Resource element should then look like this (Tomcat 7 factory shown):

<Resource name="jdbc/domains/AAD" url="jdbc:postgresql://localhost:2280/postgres"
    initConnectionSqls="SET search_path TO CAST_MEASURE;"
    key="D228ED8B5E5690B3A75"
    factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory"
    auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
    validationQuery="select 1"
    initialSize="5" maxActive="20" maxIdle="10" maxWait="-1"/>
You may need to repeat the above for each database server resource you have configured in the context.xml file.

Encrypting access to an Active Directory LDAP server

When configuring access to an LDAP server for Active Directory authentication, an Active Directory user and password must be specified in clear text in the web.xml file (as described in Installing and configuring the CAST Application Analytics Dashboard, Installing and configuring the CAST Application Engineering Dashboard and Installing and configuring the CAST-RestAPI.war):

    <context-param>
        <description>Active directory: user</description>
        <param-name>authentication.activedirectory.login</param-name>
        <param-value>[user@domaine.societe.com]</param-value>
    </context-param>
    
    <context-param>
        <description>Active directory: password</description>
        <param-name>authentication.activedirectory.password</param-name>
        <param-value>[password]</param-value>
    </context-param>

To avoid storing these values in clear text, proceed as follows. First browse to the key generation page (key.html) of your deployed application and use it to generate a key from the Active Directory user and password:

AAD - http://<server>:[<port>]/CAST-AAD/static/key.html
AED - http://<server>:[<port>]/CAST-AED/static/key.html
RestAPI - http://<server>:[<port>]/CAST-RestAPI/static/key.html

Note that if you previously entered the username in the format "username@domain.company.com" (as opposed to "username") in the web.xml, you MUST also enter the username in the format "username@domain.company.com" here.

Then open the application-security-activedirectory.xml file of the deployed application in a text editor:

AAD - %CATALINA_HOME%\webapps\CAST-AAD\WEB-INF\application-security-activedirectory.xml
AED - %CATALINA_HOME%\webapps\CAST-AED\WEB-INF\application-security-activedirectory.xml
RestAPI - %CATALINA_HOME%\webapps\CAST-RestAPI\WEB-INF\application-security-activedirectory.xml

Locate the activeDirectoryServer bean. By default the userDn and password properties are read from web.xml and the key property is commented out:

<bean id="activeDirectoryServer" class="com.castsoftware.adg.webservice.security.LdapSpringSecurityContextSource">
    <constructor-arg value="${authentication.activedirectory.ldapurl}"/>
    <property name="userDn" value="${authentication.activedirectory.login}"/>
    <property name="password" value="${authentication.activedirectory.password}"/>
    <!-- <property name="key" value="0AC811..."/>-->
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="java.naming.referral" value="follow" />
        </map>
    </property>
</bean>

Comment out the userDn and password properties and uncomment the key property, setting its value to the generated key:

<bean id="activeDirectoryServer" class="com.castsoftware.adg.webservice.security.LdapSpringSecurityContextSource">
    <constructor-arg value="${authentication.activedirectory.ldapurl}"/>
    <!--<property name="userDn" value="${authentication.activedirectory.login}"/> -->
    <!--<property name="password" value="${authentication.activedirectory.password}"/> -->
    <property name="key" value="0AC81167899"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="java.naming.referral" value="follow" />
        </map>
    </property>
</bean>

Optional

If you have previously configured Active Directory mode without encryption (i.e. username and password visible in the web.xml configuration file), browse to the following file to adjust the user and password used to access the Active Directory LDAP server:

AAD - %CATALINA_HOME%\webapps\CAST-AAD\WEB-INF\web.xml
AED - %CATALINA_HOME%\webapps\CAST-AED\WEB-INF\web.xml
RestAPI - %CATALINA_HOME%\webapps\CAST-RestAPI\WEB-INF\web.xml

The file currently contains the user and password in clear text:

    <context-param>
        <description>Active directory: user</description>
        <param-name>authentication.activedirectory.login</param-name>
        <param-value>JHU@domaine.societe.com</param-value>
    </context-param>

    <context-param>
        <description>Active directory: password</description>
        <param-name>authentication.activedirectory.password</param-name>
        <param-value>some_password</param-value>
    </context-param>

Replace both values with a placeholder so that the credentials no longer appear in the file (the key configured in application-security-activedirectory.xml is used instead):

    <context-param>
        <description>Active directory: user</description>
        <param-name>authentication.activedirectory.login</param-name>
        <param-value>[NOT USED - see application-security-activedirectory.xml]</param-value>
    </context-param>

    <context-param>
        <description>Active directory: password</description>
        <param-name>authentication.activedirectory.password</param-name>
        <param-value>[NOT USED - see application-security-activedirectory.xml]</param-value>
    </context-param>
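As an added check covering both the context.xml change above and this web.xml cleanup (example code written for this page, not a CAST tool), the following Python script parses a context.xml and a web.xml and reports any JDBC Resource that still carries username/password attributes or lacks the key and CAST factory attributes, and any Active Directory login or password context-param that still holds a value. The two XML samples are constructed inline; to audit a real deployment, read the files under %CATALINA_HOME%\webapps\<application> and pass their contents to the same functions.

```python
import xml.etree.ElementTree as ET
# Factory classes the page names for Tomcat 7 and Tomcat 8/8.5.
CAST_FACTORIES = {"com.castsoftware.adg.webservice.security.BasicDataSourceFactory",
                  "com.castsoftware.adg.webservice.security.BasicDataSourceFactory2"}
AD_PARAMS = {"authentication.activedirectory.login",
             "authentication.activedirectory.password"}
# Constructed samples: one resource still in clear text, one converted, and a
# web.xml whose login param was not blanked out after the key was generated.
CONTEXT_XML = """<Context>
<Resource name="jdbc/domains/AAD" url="jdbc:postgresql://localhost:2280/postgres"
    username="operator" password="CastAIP" auth="Container" type="javax.sql.DataSource"/>
<Resource name="jdbc/domains/AED" url="jdbc:postgresql://localhost:2280/postgres"
    key="D228ED8B5E5690B3A75" auth="Container" type="javax.sql.DataSource"
    factory="com.castsoftware.adg.webservice.security.BasicDataSourceFactory"/>
</Context>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<context-param><param-name>authentication.activedirectory.login</param-name>
  <param-value>JHU@domaine.societe.com</param-value></context-param>
<context-param><param-name>authentication.activedirectory.password</param-name>
  <param-value>[NOT USED - see application-security-activedirectory.xml]</param-value></context-param>
</web-app>"""

def local(tag):  # strip the namespace so a web.xml with a default xmlns still matches
    return tag.rsplit("}", 1)[-1]

def audit_context_xml(xml_text):
    """One finding per JDBC Resource with clear-text credentials or no key/factory pair."""
    findings = []
    for res in ET.fromstring(xml_text).iter():
        if local(res.tag) != "Resource":
            continue
        name = res.get("name", "?")
        if "username" in res.attrib or "password" in res.attrib:
            findings.append(f"{name}: clear-text username/password still present")
        if "key" not in res.attrib or res.get("factory") not in CAST_FACTORIES:
            findings.append(f"{name}: key attribute and CAST factory must both be set")
    return findings

def audit_web_xml(xml_text):
    """The AD login/password context-params that still hold a real value."""
    findings = []
    for param in ET.fromstring(xml_text).iter():
        if local(param.tag) != "context-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in param}
        name, value = fields.get("param-name"), fields.get("param-value", "")
        if name in AD_PARAMS and not value.startswith("[NOT USED"):
            findings.append(f"{name}: value still set in web.xml")
    return findings
```

Run the audit after every deployment or upgrade, since redeploying the .war can restore the original clear-text configuration files.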