It is now possible to enable a strong password encryption mode in Adelia Middleware configuration files. The aim is to make decryption impossible in general situations: either because no private encryption key is available for the client configuration file, or because the password is stored as a hash when the password itself does not need to be kept.


Passwords are RSA encrypted with the server's public key when possible (servers on which TLS is configured), or stored in hash form when they do not need to be decrypted.

File encryption

MWCLIENT.INI file

  • The passwords of physical servers are RSA encrypted using the server's key if the server supports TLS (and so are impossible to decrypt without the server's private key), or AES encrypted if not.
  • The other passwords are AES encrypted with a generated key.


MWSERVER.INI file

  • The passwords of Adelia users are not encrypted but are saved in SHA-256 hash form. By construction, they therefore cannot be decrypted.
  • Other passwords (database, LDAP connection profiles) are RSA encrypted if a key is provided, and AES encrypted if not.

Use in *LOCAL mode

If the MWSERVER.INI file is RSA encrypted (database passwords), you must install on client machines the encryption key that was used to encrypt the file. See the "Middleware operating in TLS mode" section for more details.


  • In Windows, the adelia-middleware-key.key key file is searched for in the access path. If you use another key file, you must specify it using the ADELIA_SERVER_KEY environment variable. Additional parameters cannot be passed to a Windows client process.
  • In Java, the key file must be configured on the command line as it would be for the daemon (-Dadelia.middleware.key, or use the default keystore).

