Xml encryption to hide adminDN and adminPassword

Sorry if this has already been answered.

I would like to encrypt part or all of my wildfire.xml file so the adminDN and adminPassword are not in clear text.

Does anyone have suggestions of how to do this?

Thanks,

Jeremy

Really the only safe way to do this would be to encrypt the filesystem the file is on. Keep in mind that to decrypt the file (or contents) requires that Wildfire know about some pre-shared key. The pre-shared key is either in the source code where anyone can learn of it, or it goes on your filesystem where it must have the same level of protection you give the wildfire config itself. Really, you are best off just using the filesystem permissions available to you to protect that file.

Hi,

with the current Wifi release a passwordKey is stored in the database to en-/decrypt all user passwords which are stored in the database. I assume that it is not used as you are using LDAP but it should be possible to use this key to en-/decrypt the admin password and store it not as plain text in the wildfire.xml file. Anyhow someone should love to write the code to do this.

LG

I do want to emphasise that this has no final impact on actual security. If you can read that configuration file, you have access to everything needed to retrieve the password. Something to keep in mind is that adding a layer of difficulty to LDAP setups will only make it harder for people to get set up. And since the added complexity doesn't add any security, I'm not sure how useful it is. The correct solution is to prevent access to that file for users who should not have access to it.

Hi Jay,

yes, file system based security should be used, but it is sometimes not really possible (it may be possible to restore the file using a backup with wrong permissions). So it would do no harm to encrypt the password.

That the database password is stored as plain text is the next problem one may want to fix without creating a chicken-egg problem…

LG
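The two points made above (the file's permissions are the real control, and a restore from backup can silently undo them) lend themselves to a small audit. The following is an added example, not code from the thread or from the Wildfire project: it parses a constructed wildfire.xml, reports which sensitive LDAP settings are present in clear text, and flags group- or world-readable POSIX permission bits. The element layout (settings nested under `<jive><ldap>`) and the sample values are assumptions made for the example; on Windows/NTFS the permission check does not apply, since `os.stat` does not expose ACLs.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a wildfire.xml with LDAP settings. The nesting under
# <jive><ldap> is an assumption for this example; the lookup below searches
# by element name anywhere in the tree so it does not depend on that layout.
SAMPLE_WILDFIRE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <ldap>
    <host>ldap.example.invalid</host>
    <adminDN>cn=wildfire-bind,ou=service,dc=example,dc=invalid</adminDN>
    <adminPassword>not-a-real-password</adminPassword>
  </ldap>
</jive>
"""

# Settings named in the thread that should not be readable by other accounts.
SENSITIVE_TAGS = ("adminPassword", "adminDN")


def find_cleartext_settings(xml_text, tags=SENSITIVE_TAGS):
    """Return {tag: value} for every sensitive element holding a non-empty value."""
    root = ET.fromstring(xml_text)
    found = {}
    for tag in tags:
        for elem in root.iter(tag):
            if elem.text and elem.text.strip():
                found[tag] = elem.text.strip()
    return found


def permission_findings(path):
    """List POSIX permission problems: any read access for group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit_config(path):
    """Combine both checks; a clean result has no cleartext secrets readable by others."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    return {
        "cleartext": sorted(find_cleartext_settings(text)),
        "permissions": permission_findings(path),
    }


def demo():
    """Write the sample config, audit it with loose and then tight permissions."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "wildfire.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_WILDFIRE_XML)
        os.chmod(path, 0o644)  # typical mode after a careless restore
        before = audit_config(path)
        os.chmod(path, 0o600)  # owner-only, the state the thread recommends
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose)
    print("0600:", tight)
```

Run it periodically (or after any restore) against the real file path; a non-empty `permissions` list alongside a non-empty `cleartext` list is the condition the thread warns about, and the fix is the `chmod` shown rather than encrypting the value with a key stored next to it.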

Thanks for the speedy replies!

Yes, it makes sense to use NTFS permissions to protect the file. You're right, if someone can see the file, they have access to everything else.

Another thing, I didn't realize until this morning that it doesn't have to be an admin account. Just any account that looks at the AD. So I created an account and locked it down tightly. Now I'm a happy camper.

Thanks again for the help,

Jeremy