
Document information

Document ID: 2183
Subject: Encrypting user passwords when using an RDBMS
Creation date: 9/26/12 1:26 PM
Last modified on: 9/26/12 1:58 PM


Encrypting user passwords when using an RDBMS

You can use an RDBMS to store user information in Syncrify. Besides user names and other configuration parameters, each user's password is also stored in the table. The password value, however, is stored in clear text, so anyone with access to the table can see it.

The password is in clear text by design. Imagine you are using your own website to add, modify and delete users. The only way both Syncrify and your website can view and modify data in this table is if the password is in clear text or both systems use the same algorithm to encrypt and decrypt the password.

There are two options if you decide to encrypt these passwords:

Default encryption
This method is less work but is also less flexible. It only works if the build number of the Syncrify server is 688 or higher. It uses a built-in encryptor in Syncrify to encrypt and decrypt passwords. Follow the steps below to use this method.
  • Stop Syncrify
  • Locate the AppConfig.xml file in the $INSTALL_DIR\config folder and open it in any editor
  • Add a new parameter line with the following text.
      <parameter name="client.plugin.password.encryptor" type="1" value="Synametrics"></parameter>
    After modification the AppConfig.xml file should look something like:



  • Save the file
  • Restart Syncrify
  • Modify every user in Syncrify and, without changing the value for the password, save the screen. This will encrypt the password in the database.
Since you neither know the algorithm used nor have the encryption key, no other system can decrypt the stored password.
Custom encryption
Custom encryption allows you to write your own code. The algorithm in this code can be used on multiple systems, for example your website and Syncrify, to encrypt and decrypt passwords. Follow the steps below to use this method.
  • Code must be written in Java
  • All you need is one class file that implements this interface.
  • You can use SyncrifyServer.jar file in your CLASSPATH during compilation, which already has this file in it.
  • Once your code is compiled, package the .class files in a JAR file and place that JAR file in the $INSTALL_DIR/libs folder.
  • Once done, modify the AppConfig.xml file with the following line:
      <parameter name="client.plugin.password.encryptor" type="1" value="com.xyz.YourClassName"></parameter>
    Replace com.xyz.YourClassName with the actual class name.
  • Save the file
  • Restart Syncrify
  • Modify every user in Syncrify and, without changing the value for the password, save the screen. This will encrypt the password in the database.
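
An added example, not Synametrics' code and not from the original page: one way to write a reversible encryptor that both Syncrify and your website can share, using AES-GCM from the JDK. The class name, the encrypt/decrypt method names and the PWD_ENC_KEY environment variable are assumptions; this page does not reproduce Syncrify's interface, so add the implements clause and match its actual method signatures.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class: add "implements <Syncrify's interface>" and rename the
// two methods to match that interface, which this page does not reproduce.
public class SharedPasswordEncryptor {
    private static final int IV_LEN = 12;     // 96-bit nonce, the usual size for GCM
    private static final int TAG_BITS = 128;  // authentication tag length
    private final SecretKeySpec key;

    // Assumption: a Base64-encoded 16- or 32-byte key is supplied through the
    // PWD_ENC_KEY environment variable on both the website and the Syncrify host.
    public SharedPasswordEncryptor() {
        this(Base64.getDecoder().decode(System.getenv("PWD_ENC_KEY")));
    }

    public SharedPasswordEncryptor(byte[] rawKey) {
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    public String encrypt(String clearText) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);  // fresh nonce per call; never reuse with one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(clearText.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(out);  // nonce || ciphertext || tag
    }

    public String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        // doFinal throws AEADBadTagException if the stored value was altered
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SharedPasswordEncryptor e = new SharedPasswordEncryptor(new byte[32]); // constructed demo key
        String stored = e.encrypt("s3cret-demo");
        System.out.println(stored + " -> " + e.decrypt(stored));
    }
}
```

Because each call to encrypt uses a fresh nonce, the same password produces a different stored value every time; this assumes Syncrify recovers the password through the decrypt method rather than comparing stored strings. Keep the key out of the database and out of the JAR so that read access to the user table alone does not reveal passwords.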




User comments

Posted by Arno Schatz on 10/17/12 9:06 AM

Hi, I reviewed your interface for custom encryption and I am scratching my head, why you need the method to decrypt the password. For verifying the passwords you should encrypt both passwords and compare the encrypted strings. So why you need the decrypt function? Regards, Arno

