The sts.properties file currently contains passwords in clear text. In this topic, we will encode those passwords using either the genpassword or the stspwdutil utility, both of which ship with the OpenEdge Authentication Gateway.

Creating encoded passwords

To encode the password for sts.server.keyfilepassword=password found in the oeauthserver\webapps\ROOT\WEB-INF\config\sts.properties file:

  1. Verify the value of sts.server.keyfilepassword in the sts.properties file. It should read password.
  2. Generate the encoded value of "password" using the genpassword utility, for example:
    proenv>genpassword -prefix ae2h4 -password password

    The output is:
    ae2h4::56a5f53c1873637c4d5bb6561ff00f79fb37805d5ddf0d6b955c22af9018e3b5626d4449b815cda322d99a81eb910793
    Note: It is recommended that you use a stronger encoding method than the default.

    For more information, see Encoding prefix.

  3. In a text editor, replace the value of sts.server.keyfilepassword in sts.properties with the output generated by the genpassword command in Step 2, for example:
    sts.server.keyfilepassword=ae2h4::56a5f53c1873637c4d5bb6561ff00f79fb37805d5ddf0d6b955c22af9018e3b5626d4449b815cda322d99a81eb910793
  4. Stop, clean, and restart the Authentication Gateway server:
    proenv>cd C:\OpenEdge\WRK\oeauthserver\bin
    proenv>tcman pasoestart -restart
  5. On your database machine, verify that you can still log in to the database using the local operating system credentials of the Authentication Gateway server, for example:
    proenv>cd %WRKDIR%\db
    proenv>mpro sports2020 -U adminOScredentials@local -P adminOSpassword

Creating encoded password for LDAP configuration

When LDAP is used as the third-party authentication source, the encoded password must be in a Java-standard form that the LDAP client can consume; the stspwdutil tool produces that form.

Although LDAP is not configured in this workshop (yet), we will go through the steps for encoding sts.ldap.context.password so that it can be used with an LDAP server:

  1. Verify the value of sts.ldap.context.password in sts.properties. It should read secret, as that is the general default password for LDAP servers.
  2. Generate the encoded value using the stspwdutil tool:
    proenv>stspwdutil encrypt secret
    oeph0::C7580909560800DBCBD60808A618A1B6
  3. The stspwdutil tool also accepts a key pad ID of 0 to 9. If no value is given, the default is 0. For example, using a key pad ID of 5 (note that the prefix changes from oeph0 to oeph5):
    proenv>stspwdutil encrypt secret 5
    oeph5::8ADD701874613EE778988A41E6EB26DE
  4. Replace the LDAP context password in the sts.properties file with one of the values you generated, for example:
    sts.ldap.context.password=oeph5::8ADD701874613EE778988A41E6EB26DE
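Both procedures above leave an encoded value of the shape prefix::hexdigits in sts.properties (ae2h4::... from genpassword, oeph0::... or oeph5::... from stspwdutil). A quick way to confirm that no *password property was left in clear text is to scan the file for password keys whose value does not have that shape. The following script is an added example for this workshop, not an OpenEdge utility; it treats the prefix as an opaque token, checks only the shape of the value with a regular expression (an assumption, not a documented format), and runs against a constructed sample file embedded inline rather than a real sts.properties.

```python
import re
from typing import Dict, List

# Encoded values shown in this workshop look like <prefix>::<hex digits>.
# The prefix is treated as opaque; only the overall shape is checked (assumption).
ENCODED_VALUE = re.compile(r"^[A-Za-z0-9]+::[0-9A-Fa-f]+$")

# Constructed sample standing in for sts.properties (not a real file).
# One key is encoded, one is still clear text, one is encoded with spaces
# around '=', and one is present but empty.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real sts.properties
sts.server.keyfilepassword=ae2h4::56a5f53c1873637c4d5bb6561ff00f79fb37805d5ddf0d6b955c22af9018e3b5626d4449b815cda322d99a81eb910793
sts.ldap.context.password=secret
sts.ldap.context.url=ldap://ldap.example.invalid:389
sts.other.keystore.password = oeph5::8ADD701874613EE778988A41E6EB26DE
sts.something.password=
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value or key:value per line,
    '#' and '!' comment lines skipped, surrounding whitespace trimmed.
    Line continuations and escape sequences are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        props[m.group(1)] = m.group(2).strip()
    return props


def find_cleartext_passwords(props: Dict[str, str]) -> List[str]:
    """Return the keys whose name ends in 'password' and whose value is not
    in encoded form. Empty values are reported too: the property exists
    but carries no encoded value."""
    findings = []
    for key, value in props.items():
        if key.lower().endswith("password") and not ENCODED_VALUE.match(value):
            findings.append(key)
    return sorted(findings)


def audit(text: str) -> List[str]:
    """Parse a properties file body and list password keys still in clear text."""
    return find_cleartext_passwords(parse_properties(text))


if __name__ == "__main__":
    for key in audit(SAMPLE_PROPERTIES):
        print(f"clear-text or empty password value: {key}")
```

To run it against a real file, read oeauthserver\webapps\ROOT\WEB-INF\config\sts.properties into a string and pass it to audit(); any key it reports still needs the genpassword or stspwdutil treatment described above. Because the check is shape-based, a value that merely looks like prefix::hex is accepted, so it catches forgotten clear-text entries rather than proving the encoding is sound.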

Summary

In this topic, we replaced all clear text passwords in the sts.properties file with encoded values generated by either genpassword or stspwdutil.