Question

How do I encrypt passwords in FME Server configuration files? Specifically, I want to encrypt the PFX file password used to set up HTTPS for FME Server.


How do I encrypt passwords in FME Server configuration files? Specifically, I want to encrypt the PFX file password used to set up HTTPS for FME Server. I've seen that there's a parameter in fmeServerConfig.txt for ENABLE_PUBLISHED_PARAMETER_ENCRYPTION. How would I generate encrypted passwords to store in the config file, and would setting this parameter to TRUE then decrypt them and let FME Server run properly?

3 replies

david_r
Evangelist
  • June 9, 2023

If someone has access to your Tomcat server.xml, the plain text value of your SSL certificate password might be only the beginning of your worries, honestly.

However, take a look in the Tomcat documentation or on relevant forums for ideas, e.g.: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password


david_r wrote:

If someone has access to your Tomcat server.xml, the plain text value of your SSL certificate password might be only the beginning of your worries, honestly.

However, take a look in the Tomcat documentation or on relevant forums for ideas, e.g.: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password

Thank you @david_r. I agree, if someone has access to that and knows how to abuse it, we're in far bigger trouble. The fixes in the link you shared are informative and if we end up pursuing it further that's where I'll start. Our client wants to know if the password is encryptable without customizing, so I have that answer. I expect what we'll do is create an SSL certificate just for the FME server rather than using the wildcard domain certificate. It would at least limit the damage having that one certificate could do, theoretically. Thanks again for your prompt response!


david_r
Evangelist
  • June 9, 2023
chuck.harris wrote:

Thank you @david_r. I agree, if someone has access to that and knows how to abuse it, we're in far bigger trouble. The fixes in the link you shared are informative and if we end up pursuing it further that's where I'll start. Our client wants to know if the password is encryptable without customizing, so I have that answer. I expect what we'll do is create an SSL certificate just for the FME server rather than using the wildcard domain certificate. It would at least limit the damage having that one certificate could do, theoretically. Thanks again for your prompt response!

+1 for using a server-specific certificate rather than a wildcard certificate.
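A check that follows from the thread's point that access to server.xml is the real exposure, as an added example that is not part of the original posts or of FME Server's own tooling: it reports which Tomcat password attributes sit in clear text and whether the file's mode opens it to other accounts, without printing the secret. The sample server.xml, its keystore path and the password value are constructed, and the mode check assumes a POSIX host (on Windows the file's ACL would be reviewed instead).

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Tomcat attributes that carry a keystore or private-key password in clear text.
PASSWORD_ATTRS = ("keystorePass", "keyPass",
                  "certificateKeystorePassword", "certificateKeyPassword")
# Mode bits that open the file beyond its owner and a read-only group.
LOOSE_BITS = stat.S_IWGRP | stat.S_IRWXO

def audit_server_xml(path):
    """Return findings for one server.xml; secrets are never echoed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & LOOSE_BITS:
        findings.append(f"mode {mode:04o} exposes the file beyond owner/group-read")
    for elem in ET.parse(path).iter():
        for attr in PASSWORD_ATTRS:
            if elem.get(attr):
                findings.append(f"<{elem.tag}> stores {attr} in clear text")
    return findings

# Constructed sample: not taken from a real FME Server installation.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/example.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="constructed-sample-value"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

def demo():
    """Audit the constructed sample at mode 0644, then again at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_server_xml(path)
        os.chmod(path, 0o600)
        tight = audit_server_xml(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Tightening the mode clears the permission finding but not the clear-text one, which matches the thread: the password stays readable to whoever can read the file, so the file's access control is what limits exposure.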

