The cm encryptpasswords utility encrypts all passwords (strictly speaking, the hash values of the passwords) stored in the database with a 256-bit key using the AES algorithm (Rijndael).
Before starting the utility, make sure that the corresponding CoreMedia Content Server is not running.
Encrypting the passwords of a Replication Live Server needs slightly more care:
1. Set the property replicator.enable in the file replicator.properties to false.
2. Start the server.
3. Wait until the initial replication is complete.
4. Stop the server.
5. Encrypt the passwords with cm encryptpasswords.
6. Set the property replicator.enable in the file replicator.properties back to true.
The utility program is executed with:
cm encryptpasswords -encrypt
During operation, the utility writes output to indicate the progress of the encryption.
The generated key is written to the file $INSTALL_DIR/etc/keys/<databasename>.<dbuser>.rijndael. Do not delete this key file; instead, make sure that a backup exists in a safe place. Without the file, it is no longer possible to log in. You must copy this file to the Content Server installation under WEB-INF/etc/keys (the path can be configured by setting the property cap.server.encryptpasswords.keyfile in contentserver.properties).
If you install a new server and still want to use the old database, the key file from the old installation must be present in the new installation. Likewise, if you want to install and use a new database, you have to delete the key file. Otherwise, the program would try to decrypt the new, unencrypted passwords.
When the utility is used more than once, the passwords will be re-encrypted with a new key. No harm can occur.
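The key file handling described above can be scripted; the following is an added example, not part of the CoreMedia documentation or tooling. The function names, the backup directory, and the assumption that the deployed copy keeps the same file name are hypothetical.

```shell
#!/bin/sh
# Added example: handling the key file written by "cm encryptpasswords -encrypt".
# All directories passed in are assumptions; adapt them to your installation.

# backup_keyfile KEYFILE BACKUP_DIR
# Stores a read-only copy of KEYFILE in BACKUP_DIR. A rerun of the utility
# creates a new key, so a changed key gets an additional backup file and
# older backups are kept.
backup_keyfile() {
    keyfile=$1
    backup_dir=$2
    name=$(basename "$keyfile")
    [ -s "$keyfile" ] || { echo "key file missing or empty: $keyfile" >&2; return 1; }
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
    for existing in "$backup_dir/$name".*; do
        [ -f "$existing" ] || continue          # glob matched nothing
        if cmp -s "$keyfile" "$existing"; then
            echo "backup already current: $existing"
            return 0
        fi
    done
    # mktemp creates the target with mode 0600 before any key bytes are written.
    target=$(mktemp "$backup_dir/$name.$(date +%Y%m%d%H%M%S).XXXXXX") || return 1
    cp "$keyfile" "$target" && chmod 400 "$target" || return 1
    cmp -s "$keyfile" "$target" || { echo "backup verification failed" >&2; return 1; }
    echo "new backup written: $target"
}

# check_keyfile_deployed KEYFILE SERVER_KEYDIR
# Returns 0 if SERVER_KEYDIR (for example .../WEB-INF/etc/keys) holds an
# identical copy under the same file name (assumed), 1 if it is missing,
# 2 if it differs from KEYFILE (for example after re-encryption).
check_keyfile_deployed() {
    deployed="$2/$(basename "$1")"
    [ -f "$deployed" ] || { echo "key file not deployed: $deployed" >&2; return 1; }
    cmp -s "$1" "$deployed" || { echo "deployed key differs: $deployed" >&2; return 2; }
    return 0
}
```

Run backup_keyfile after every -encrypt run and check_keyfile_deployed before starting the Content Server, so a re-encryption never leaves the server or the backup with a stale key.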
If you want to revert to decrypted passwords, run the following command and remove the key file from the server installation afterwards:
cm encryptpasswords -decrypt