Monday, 23 July 2012

And more on passwords in IBM Tivoli Directory Integrator

Want to know how to stop passwords being held in clear text in your TDI Assembly Line property files?

Simple: add the string {protect}- to the beginning of any line that you wish to encrypt in the property file. I'm using profiles_tdi.properties in the following example.

As an example, we change: -

...
source_ldap_user_password=Passw0rd123
...

to: -

...
{protect}-source_ldap_user_password=Passw0rd123
...

and then run an Assembly Line such as populate_from_dn_file.sh (I'm using IBM Connections as an example), and you'll then get this: -

...
{protect}-source_ldap_user_password={encr}89ae788e9f88bbc8877a7729e99ac9d990ea
...

Now I'm not sure how strong the encryption is, so you should, as always, protect your property files by other means, e.g. physical access control, Unix permissions, etc.
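As an added example (my own code, not TDI's and not part of the original post), here is a small audit that reads a property file and reports which credential lines are still in clear text, which carry the {protect}- marker but have not yet been rewritten by an Assembly Line run, and which already hold an {encr} value; the sample file content and the list of key names treated as credentials are assumptions.

```python
"""Audit an IBM TDI property file for passwords held in clear text.
Added example, not from the original post. Markers follow the post:
'{protect}-' prefix asks TDI to encrypt; '{encr}' on the value means it has."""
import re

PROTECT = "{protect}-"
ENCR = "{encr}"
# Key names treated as credentials by this audit (an assumption).
SECRET_KEY = re.compile(r"(password|passwd|secret|pwd)$", re.IGNORECASE)

# Constructed sample echoing the post's profiles_tdi.properties excerpts.
SAMPLE = """\
source_ldap_url=ldap://ldap.example.com:389
source_ldap_user_password=Passw0rd123
{protect}-dbrepos_password=Secret1
{protect}-source_ldap_user_password={encr}89ae788e9f88bbc8877a7729e99ac9d990ea
"""

def classify(line):
    """Return (key, state) for a property line; None for blanks/comments."""
    s = line.strip()
    if not s or s[0] in "#!" or "=" not in s:
        return None
    key, value = s.split("=", 1)
    protected = key.startswith(PROTECT)
    if protected:
        key = key[len(PROTECT):]
    if value.startswith(ENCR):
        return key, "encrypted"   # TDI has rewritten the value
    if protected:
        return key, "pending"     # marked, Assembly Line not run yet
    if SECRET_KEY.search(key):
        return key, "cleartext"   # credential exposed in clear
    return key, "plain"           # non-secret setting

def audit(text):
    """Map each state to the list of keys found in that state."""
    report = {"encrypted": [], "pending": [], "cleartext": [], "plain": []}
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            report[hit[1]].append(hit[0])
    return report

def protect_line(line):
    """Apply the post's manual edit: prefix a property line with {protect}-."""
    if line.startswith(PROTECT) or classify(line) is None:
        return line
    return PROTECT + line
```

Running audit() over a real profiles_tdi.properties and acting on the "cleartext" and "pending" lists gives you a quick check that every credential has actually been rewritten after the Assembly Line run.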

Nice :-)

2 comments:

Eddie Hartman said...

The security is as strong as you want it. TDI can even run in 'lock-down' mode where everything is encrypted using a cert key - entire property files and Config.

And TDI supports FIPS security, a requirement since it is used by government and military organizations in the US and Europe.

-Eddie Hartman
www.tdi-users.org

Dave Hay said...

@Eddie - thanks for the clarification, that's great to know