How do I encrypt passwords in FME Server configuration files? Specifically, I want to encrypt the PFX file password used to setup HTTPS for FME Server. I've seen that there's a parameter in fmeServerConfig.txt for ENABLE_PUBLISHED_PARAMETER_ENCRYPTION. How would I generate encrypted passwords to store in the config file, and would setting this parameter to TRUE then decrypt them and let FME server run properly?
How do I encrypt passwords in FME Server configuration files? Specifically, I want to encrypt the PFX file password used to setup HTTPS for FME Server.
Userlevel 5
- 8204 replies
-
9 June 2023
If someone has access to your Tomcat server.xml, the plain text value of your SSL certificate password might be only the beginning of your worries, honestly.
However, take a look in the Tomcat documention or on relevant forums for ideas, e.g.: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password
If someone has access to your Tomcat server.xml, the plain text value of your SSL certificate password might be only the beginning of your worries, honestly.
However, take a look in the Tomcat documention or on relevant forums for ideas, e.g.: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password
Thank you @david_r. I agree, if someone has access to that and knows how to abuse it, we're in far bigger trouble. The fixes in the link you shared are informative and if we end up pursuing it further that's where I'll start. Our client wants to know if the password is encryptable without customizing, so I have that answer. I expect what we'll do is create an SSL certificate just for the FME server rather than using the wildcard domain certificate. It would at least limit the damage having that one certificate could do, theoretically. Thanks again for your prompt response!
Userlevel 5
- 8204 replies
-
9 June 2023
Thank you @david_r. I agree, if someone has access to that and knows how to abuse it, we're in far bigger trouble. The fixes in the link you shared are informative and if we end up pursuing it further that's where I'll start. Our client wants to know if the password is encryptable without customizing, so I have that answer. I expect what we'll do is create an SSL certificate just for the FME server rather than using the wildcard domain certificate. It would at least limit the damage having that one certificate could do, theoretically. Thanks again for your prompt response!
+1 for using a server specific certificate rather than a wildcard certificate.
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.