We currently have passwords in the sts.properties file that are stored in clear text. In this topic, we will encode those passwords using either the genpassword or the stspwdutil utility, both of which ship with the OpenEdge Authentication Gateway.

Creating encoded passwords

To encode the password for sts.server.keyfilepassword=password found in the oeauthserver\webapps\ROOT\WEB-INF\config\sts.properties file:

  1. Verify the password for sts.server.keyfilepassword in the sts.properties file. It should read as password.
  2. Generate the encoded value of "password" using the genpassword utility. The following example shows the encoding output using one of the many supported encoding algorithms:
    proenv>genpassword -prefix ae2h4 -password password
    ae2h4::a9cf56a1565721ce9a0628cd1297f8d01b5290ea2b2d5585974c7589eb07415d75906cc1ca9f4f53b05bce76b3a2756a
  3. Using a text editor, replace the clear-text value in your sts.properties file with the output generated by the genpassword command in Step 2, for example:
    sts.server.keyfilepassword=ae2h4::a9cf56a1565721ce9a0628cd1297f8d01b5290ea2b2d5585974c7589eb07415d75906cc1ca9f4f53b05bce76b3a2756a
  4. Stop, clean, and restart the Authentication Gateway server:
    proenv>cd C:\OpenEdge\WRK\oeauthserver\bin
    proenv>tcman pasoestart -restart
  5. On your database machine, verify you can still log into the database using the local operating system credentials of the Authentication Gateway server, for example:
    proenv>cd %WRKDIR%\db
    proenv>mpro sports2020 -U adminOScredentials@local -P adminOSpassword

Creating encoded password for LDAP configuration

When LDAP is used as the third-party authentication source, the password must be stored in a Java-standard encrypted form that the LDAP integration can read; the stspwdutil tool produces that form.

Although we don't have LDAP configured in this workshop (yet), we will go through the steps for encrypting the sts.ldap.context.password value that is used with an LDAP server:

  1. Verify the password for sts.ldap.context.password=secret in the sts.properties file. It should read "secret", as that is the general default password for LDAP servers.
  2. Generate the encrypted value using stspwdutil:
    proenv>stspwdutil encrypt secret
    oeph0::C7580909560800DBCBD60808A618A1B6
  3. The stspwdutil tool also accepts a key pad ID from 0 to 9. If no value is given, the default is 0. For example, using a key pad ID of 5:
    proenv>stspwdutil encrypt secret 5
    oeph5::8ADD701874613EE778988A41E6EB26DE
  4. Modify the LDAP context password in the sts.properties file with one of the values you generated, for example:
    sts.ldap.context.password=oeph5::8ADD701874613EE778988A41E6EB26DE
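As an added check, which is not part of the workshop or of the OpenEdge tooling, the following Python script reads an sts.properties file and reports any password key from either procedure above whose value is still in clear text rather than in the prefix::hex form that genpassword and stspwdutil produce. The properties parser, the "key name ends with password" rule and the sample file contents are assumptions made for this example.

```python
import re
from typing import Dict, List

# Assumption: every encoded/encrypted value has the shape "<prefix>::<hex digits>",
# as in the genpassword ("ae2h4::...") and stspwdutil ("oeph5::...") outputs above.
ENCODED_RE = re.compile(r"^[A-Za-z0-9]+::[0-9A-Fa-f]+$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal reader for a Java-style .properties file: 'key=value' lines,
    '#' or '!' comment lines; backslash line continuations are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_cleartext_passwords(text: str) -> List[str]:
    """Return the password-holding keys whose value is not in encoded form.
    Assumption: password keys are those whose name ends with 'password'.
    An empty value is reported as well, since it is not encoded either."""
    props = parse_properties(text)
    return sorted(
        key for key, value in props.items()
        if key.lower().endswith("password") and not ENCODED_RE.match(value)
    )


# Constructed sample sts.properties fragment: the key file password has already
# been encoded with genpassword (value taken from the steps above); the LDAP
# context password is still the clear-text default.
SAMPLE = """\
# sts.properties (constructed sample)
sts.server.keyfilepassword=ae2h4::a9cf56a1565721ce9a0628cd1297f8d01b5290ea2b2d5585974c7589eb07415d75906cc1ca9f4f53b05bce76b3a2756a
sts.ldap.context.password=secret
"""

if __name__ == "__main__":
    for key in find_cleartext_passwords(SAMPLE):
        print(f"clear-text password still present: {key}")
```

Run it against the real file by replacing SAMPLE with the contents of oeauthserver\webapps\ROOT\WEB-INF\config\sts.properties; an empty result means both procedures above have been applied.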

Summary

In this topic, we replaced all clear-text passwords in the sts.properties file with either encoded (using genpassword) or encrypted (using stspwdutil) values.