Sensitive Information Encryption Configuration
During database configuration and token configuration, sensitive information such as user names and passwords is recorded in the config file in plaintext, which creates a risk of information leakage. For this reason, iServer, iPortal, iEdge and other products provide a script file for information encryption in the product package. You can use the script to convert sensitive information into an encrypted format and then write it into the config file to improve the security of the product.
The encryption script file is located in the 【SuperMap iServer/iPortal/iEdge installation directory】\bin directory, where the StringEncryptionCLI.bat file (Windows platform) and StringEncryptionCLI.sh file (Linux platform) can convert the input string into an encrypted format. Here's how to use the script:
In the Windows environment, double-click to open the StringEncryptionCLI.bat file. In the Linux environment, switch to the %SuperMap iPortal_HOME%\bin directory, and enter the following command:
sh StringEncryptionCLI.sh
After inputting the string to be encrypted (such as the user name of the database), the script will generate the encrypted string. Copy the encrypted string to the config file to replace the original plaintext information, and then you can directly start and use iPortal.
The key used by the encryption algorithm in iServer, iPortal and iEdge can be changed. After the key is changed, the corresponding encryption result also changes. In a highly secure environment, it is recommended that you periodically change the key and update sensitive information in the config file. The process of modifying the encryption key includes:
There are two ways to generate a key:
KeyStore Explorer is an open source tool for managing keystore files that lets you create keys through an intuitive graphical interface. After downloading and installing KeyStore Explorer, follow these steps:
Open a command line window and enter the following command to create a .keystore key:
keytool -genseckey -keystore supermap.keystore -storetype jceks -storepass supermap -keyalg AES -keysize 256 -keypass supermap -alias supermap
The bold part can be modified according to the actual situation. Remember the values you set after modifying them.
After generating the key in .keystore format, modify the 【SuperMap iServer/iPortal/iEdge installation directory】\bin\StringEncryptionCLI.bat script (in the Windows environment):
rem set _JAVA_OPTIONS=-Dsystem.root.keyStoreFile=/path/to/example.keystore -Dsystem.root.keyStorePassword=psw1 -Dsystem.root.keyPassword=psw2 -Dsystem.root.keyAlias=example
Remove the rem comment. The rest of the parameters are described as follows:
In the Linux environment, you need to modify the StringEncryptionCLI.sh script, and the operation is similar.
Open the 【SuperMap iServer/iPortal/iEdge installation directory】\bin\Catalina.bat script (Windows environment) and add the following after the setlocal line:
set JAVA_OPTS=%JAVA_OPTS% -Dsystem.root.keyStoreFile=/path/to/example.keystore -Dsystem.root.keyStorePassword=psw1 -Dsystem.root.keyPassword=psw2 -Dsystem.root.keyAlias=example
The parameters are described as follows:
In the Linux environment, you need to modify the Catalina.sh script, and the operation is similar.
Note: If your iPortal is configured with a separately deployed proxy, it is also necessary to synchronously modify the 【SuperMap iPortal Proxy Installation Directory】\bin\Catalina.bat(sh) file.
This completes the modification of the encryption keys for products such as iServer, iPortal, and iEdge. You can re-encrypt sensitive information through the StringEncryptionCLI.bat (sh) and update it synchronously in the config file.
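The following check is an added example, not part of the SuperMap product or its documentation. It compares the -Dsystem.root.* options in the StringEncryptionCLI script with those in the Catalina startup script and reports options that are missing, still commented out, still set to the sample values shown on this page, or different between the two scripts. It assumes both scripts must reference the same key for the server to read what the CLI encrypted; the function names and the sample script contents are constructed for illustration.

```python
import re

# The four property names come from the page; the rest is an assumption.
PROPS = ("keyStoreFile", "keyStorePassword", "keyPassword", "keyAlias")
# Sample values printed on the page; they should not survive into a deployment.
SAMPLES = {"supermap", "psw1", "psw2", "example", "/path/to/example.keystore"}
OPT_RE = re.compile(r"-Dsystem\.root\.(\w+)=(\S+)")
COMMENT_RE = re.compile(r"^\s*(rem\b|::|#)", re.IGNORECASE)


def parse_key_options(script_text):
    """Return the active -Dsystem.root.* options of a .bat or .sh script."""
    found = {}
    for line in script_text.splitlines():
        if COMMENT_RE.match(line):
            continue  # a commented-out line (rem, ::, #) has no effect
        for name, value in OPT_RE.findall(line):
            found[name] = value.strip("\"'")  # drop shell quotes around the value
    return found


def audit(cli_text, startup_text):
    """Compare the encryption CLI script with the server startup script."""
    scripts = {"CLI": parse_key_options(cli_text),
               "startup": parse_key_options(startup_text)}
    findings = []
    for prop in PROPS:
        for where, found in scripts.items():
            if prop not in found:
                findings.append(f"{where}: {prop} not set or commented out")
            elif found[prop] in SAMPLES:
                findings.append(f"{where}: {prop} is a documentation sample")
        values = {found[prop] for found in scripts.values() if prop in found}
        if len(values) > 1:  # reported without printing the secret values
            findings.append(f"{prop} differs between the two scripts")
    return findings


def option_string(store, store_pw, key_pw, alias):
    """Build the option string in the form the page shows (sample helper)."""
    return (f"-Dsystem.root.keyStoreFile={store} -Dsystem.root.keyStorePassword="
            f"{store_pw} -Dsystem.root.keyPassword={key_pw} "
            f"-Dsystem.root.keyAlias={alias}")


# Constructed sample scripts, not taken from a real installation.
PAGE = option_string("/path/to/example.keystore", "psw1", "psw2", "example")
CLI_COMMENTED = "rem set _JAVA_OPTIONS=" + PAGE
STARTUP_SAMPLE = "setlocal\nset JAVA_OPTS=%JAVA_OPTS% " + PAGE
GOOD = option_string("/opt/keys/prod.keystore", "Xk7-constructed", "Qm2-constructed", "prod")
```

To audit an installation, read the two script files from the bin directory and pass their text to audit(); findings name the option but never print its value.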