10.2 Ensure Passwords are Encrypted

Information

Sensitive information is stored in the Liberty configuration (https://workbench.cisecurity.org/benchmarks/7724/sections/1003725) and is held in clear text unless it is encrypted or hashed.

Passwords should be encrypted or hashed to prevent inappropriate access to user accounts and to prevent the passwords from being reused for unauthorized logins to remote systems such as databases or LDAP servers. Password information should also be kept in separate files with limited access, so that the configuration cannot be read or changed by unauthorized users. The password encryption key must also be customized; otherwise the default key is used to encrypt passwords.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Use the Liberty-provided securityUtility tool to encrypt the password.

To encrypt a password with Advanced Encryption Standard (AES) encryption:

securityUtility encode --encoding=aes --key=myKey passW0rd
returns: {aes}AE/PrLc9wshAKURioFvxb41SrVbsWjZTZ8lv72ioH3yMlJN4RQj3A9aT3ev396oYRw==

Replace the clear text password in the Liberty configuration https://workbench.cisecurity.org/benchmarks/7724/sections/1003725 with the encrypted password created by the securityUtility tool.

In this example, the encrypted password {aes}AE/PrLc9wshAKURioFvxb41SrVbsWjZTZ8lv72ioH3yMlJN4RQj3A9aT3ev396oYRw== was returned by the securityUtility and used to update the bindPassword attribute in the ldapRegistry element.

<ldapRegistry ...
bindPassword="{aes}AE/PrLc9wshAKURioFvxb41SrVbsWjZTZ8lv72ioH3yMlJN4RQj3A9aT3ev396oYRw==" >
</ldapRegistry>

In WebSphere Liberty, the default key that is used for encrypting and decrypting can be overridden by setting the wlp.password.encryption.key property. Make sure that you do not set this property in the main Liberty configuration (https://workbench.cisecurity.org/benchmarks/7724/sections/1003725). Otherwise, the file that contains the key might be included when you run the server dump or server package commands. Instead, set the wlp.password.encryption.key property in a separate configuration file and include that file from the Liberty configuration (https://workbench.cisecurity.org/benchmarks/7724/sections/1003725), as shown in the following example:

Create a file named key.xml:

<server>
<variable name="wlp.password.encryption.key" value="myKey" />
</server>

Include it in the main Liberty configuration file (https://workbench.cisecurity.org/benchmarks/7724/sections/1003725).

<server>
...
<include location="/protected/key.xml" />
</server>

Adjust the permissions on key.xml so that only the users that need to access the file can read it.

In a test or development environment where a basic registry is used, the basic registry user passwords can be hashed before they are stored in the Liberty configuration (https://workbench.cisecurity.org/benchmarks/7724/sections/1003725):

securityUtility encode --encoding=hash basicRegUserPassword

See Also

https://workbench.cisecurity.org/benchmarks/7724

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-6, CSCv7|13.2

Plugin: Unix

Control ID: 4dc2025bcbaa2cc94d902bbaa80dde80b53c0260dcf745852a9b5e7425bb5a8b