Protecting passwords on Properties files


Carlos Antonio Ruiz Gómez

6 Jan 2021 15:33:37
to iDempiere
Hi community,

An important announcement for unix-based systems.

As a way to improve the security of iDempiere application, FH has sponsored the development to protect the passwords on properties files.

IMPORTANT NOTE: if you have scripts that use idempiereEnv.properties or myEnvironment.sh to obtain some passwords then you must modify those scripts to cope with the new way.

Please take a look at this documentation page:


Regards,

Carlos Ruiz

Nicolas Micoud

7 Jan 2021 00:31:54
to iDempiere
Hi,

I can't test ATM (still on v6), but I have a question.
I'm using console-setup.sh to deploy and to avoid filling all values, I use idempiereEnv.properties from old install.

To make it clear, I do :
cp $IDEMPIERE_HOME/idempiereEnv.properties /opt
rm -rf /opt/idempiere.gtk.linux.x86_64
unzip $ZIP
cp idempiereEnv.properties $IDEMPIERE_HOME/
./console-setup.sh

And then I just press Enter on each parameter as the correct value is read.

Should I understand this won't work anymore ?


Thanks,

Nicolas

Hiep Lq

7 Jan 2021 01:03:42
to Mohemmed Bilal Ilyas
I think it still works.

This feature is active when you pass -DIDEMPIERE_SECURE_PROPERTIES=true

Lê Quý Hiệp
Email: hie...@hasuvimex.vn
Skype: admin.hasuvimex

Company: Thanh Hoa Fishery Import - Export J.s.c  (HasuvimexDL 47
Add: Lot E, Le Mon Industrial Zone, Thanh Hoa, Vietnam



Nicolas Micoud

7 Jan 2021 02:28:21
to iDempiere
Ok, I'll try it when the migration is done.

Thanks,

Carlos Antonio Ruiz Gomez

7 Jan 2021 04:05:29
to idem...@googlegroups.com
@Nicolas @Hiep

This security feature is enabled by default and it can be disabled by passing this JVM parameter:
-DIDEMPIERE_SECURE_PROPERTIES=false


@Nicolas, for your case:

> To make it clear, I do :
> cp $IDEMPIERE_HOME/idempiereEnv.properties /opt
> rm -rf /opt/idempiere.gtk.linux.x86_64
> unzip $ZIP
> cp idempiereEnv.properties $IDEMPIERE_HOME/
> ./console-setup.sh
> And then I just press Enter on each parameter as the correct value is read.
> Should I understand this won't work anymore ?

It works but you need a few steps more, these would be the modified steps:

cp $IDEMPIERE_HOME/idempiereEnv.properties $IDEMPIERE_HOME/.idpass /opt

rm -rf /opt/idempiere.gtk.linux.x86_64
unzip $ZIP
cp idempiereEnv.properties .idpass $IDEMPIERE_HOME/
./silent-setup.sh


NOTE: with silent setup you don't need the "Enter on each parameter" - this was added with ticket IDEMPIERE-4620


Regards,

Carlos Ruiz




Nicolas Micoud

7 Jan 2021 07:39:10
to iDempiere
Hi Carlos,

Hope I'll be able to test it soon :)

Thanks,

Nicolas

Nicolas Micoud

18 Jan 2021 07:52:16
to iDempiere
Hello

Tested and validated !

silent-setup is really great

Thanks

Nicolas

reua...@gmail.com

18 Jan 2021 09:27:23
to iDempiere
I can confirm!
I have just written an update script that compiles the server product then pushes it to the remote server and replaces the existing idempiere server with the new one. 
I am using silent-setup here and it works just as expected (Migration from insecure to secured installation).
I'll have to check the migration from secured to secured and hope it will be just fine to copy the .idpass over together with the properties files.
like this: 
(...)
# copy properties over to new instance
cp "$OldServerDir"/*.properties "$NewServerDir"/
cp "$OldServerDir"/.idpass "$NewServerDir"/
(...)
NB: If anybody is interested I'll be happy to share the complete update script.

Andreas 
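
A guarded form of the copy step from Carlos's modified steps and Andreas's update script, as an added example that is not part of the original thread or of iDempiere's own scripts. The function names, the return codes and the owner-only rule for `.idpass` are assumptions; the thread only says that `.idpass` has to travel together with the properties file.

```shell
#!/bin/sh
# Added example, not from the thread or from iDempiere's own scripts.
# Assumption: .idpass holds the protected passwords, so only its owner
# should have any access to it.

# Print each path at or under $1 that grants a group/other permission bit.
loose_perms() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# carry_secure_config OLD_HOME NEW_HOME
# Returns 0 on success, 1 if a file is missing or cannot be copied,
# 2 if the copied .idpass is accessible beyond its owner.
carry_secure_config() {
    old=$1
    new=$2
    for f in idempiereEnv.properties .idpass; do
        if [ ! -e "$old/$f" ]; then
            echo "missing: $old/$f" >&2
            return 1
        fi
    done
    for f in idempiereEnv.properties .idpass; do
        # -p keeps the source mode and timestamps; -R also covers a directory.
        cp -pR "$old/$f" "$new/" || return 1
    done
    if [ -n "$(loose_perms "$new/.idpass")" ]; then
        echo "refusing: $new/.idpass is accessible beyond its owner" >&2
        return 2
    fi
    return 0
}
```

A return code of 1 is expected when the old install predates the feature and has no `.idpass` yet.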
