DPA password encryption settings

Overview

DPA provides the ability to change the cryptographic system used to encrypt sensitive information (e.g., database login and DPA user passwords). In addition to the default encryption system used by DPA in prior versions, cryptographic options are provided that use Password-Based Encryption (PBE):

  • AES 128-bit
  • AES 256-bit

PBE is a process in which a cryptographic key is derived from a "passphrase". The derived key is then used for encryption and decryption operations.

Environment

  • DPA 9.0 and later
  • Ignite 8.3 and later

Configure Encryption Settings in DPA

  1. Log in to DPA as an administrator.
  2. Click the Options menu. Then click the Administration tab and choose Password Encryption Settings.

    The DPA Password Encryption Settings page displays two options in addition to the default encryption system (AES 128-bit and AES 256-bit). These AES options use industry-accepted PBE implementations, including key derivation as defined in the RSA Labs PKCS #12 v1 specification. The encryption and decryption operations use AES with Cipher Block Chaining and PKCS #7 padding, using a 128-bit or 256-bit key.
     
  3. To change the encryption system used by DPA, select an option and enter a passphrase. Click the help link next to the Encryption Passphrase field to see a description of the passphrase and best practices for choosing a passphrase.
  4. Click the Update button. DPA validates the input and, upon successful validation, re-encrypts all passwords stored in DPA.

Custom Encryption Provider

In environments where the default options (AES 128 and 256) are not acceptable, DPA provides an option to specify a different provider and PBE system.  To do this, you must:

  • supply a provider that is compliant with the JCE API
  • supply a provider algorithm name, where the algorithm must be usable as both a secret key factory and a symmetric cipher

The remainder of this article describes the process to enable an alternate encryption system.

Configure alternate provider in DPA (not recommended)

It is possible to use the Bouncy Castle provider that is installed with DPA, but specify a PBE encryption scheme that is different from the defaults provided by DPA. If, however, you need to add files within the DPA install directory structure, the files will be removed during a DPA upgrade.

It is therefore strongly recommended to not use the default Java install that is shipped with DPA when employing an alternate encryption system. The reason is that several files may be added to the Java environment to enable the alternate system, and these files will not be retained after DPA is upgraded to a new version.

Configure DPA with alternate Java

To configure DPA to use a different Java install than is provided:

  1. Download and install Java 6 or 7 on the DPA server
  2. Open the {install directory}/iwc/tomcat/ignite_config/java_loc.txt file.
  3. Update the contents to point to the new install. For example: home/java/jdk160_30/bin/java

Install the encryption provider

If the desired provider is not the Bouncy Castle provider (which is included with DPA outside of the Java installation), the new provider must be installed as follows:

  1. Obtain the desired JCE provider as a signed jar file.
  2. Copy the JCE provider jar to the jre/lib/ext directory of the Java installation.
  3. Enable the provider by adding it to the java.security file:
    1. Open java.security located in jre/lib/security of the Java installation.

    2. Inside this file, add a line to the security provider section similar to the existing entries (security.provider.N= <provider> where N is the next available number).

    3. Save the file.

Install unrestricted policy files

A typical Java installation has a set of policy files that restrict the cryptographic key sizes that can be used (for most algorithms, the maximum size is 128 bits). If the desired encryption system requires key sizes that exceed the restricted length, a set of unrestricted policy files must be installed. SolarWinds does not provide these files with DPA. The files and instructions on how to install them can be found at: http://www.oracle.com/technetwork/java/javase/downloads/index.html

Enable custom encryption in DPA

The last step in the setup process is to enable the custom encryption system option in DPA. To do this, open the {install directory}/iwc/tomcat/ignite_config/idc/system.properties file and add the following line:

com.confio.ignite.security.encryption.allowCustomConfiguration=true

Save the file and restart DPA.

Use custom encryption in DPA

  1. Log in to DPA as an administrator.
  2. Click Options > Administration > Password Encryption Settings. You should see a new option called Custom. 
  3. Click the encryption scheme.
  4. Two lists display: one for the provider and another for the PBE algorithm name. Select the provider you installed. DPA lists all candidate PBE algorithms for the chosen provider. If the desired algorithm is not in the list, there is an entry in the list that allows you to specify the algorithm.
  5. Click Test Provider. The test requires a passphrase. The test consists of loading the provider and running encryption and decryption operations on a test message.
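
The following Java program is an added example, not SolarWinds or DPA code. It performs the same kind of checks from the command line against the alternate Java install: it confirms the provider is registered in java.security, reports the maximum AES key size the installed policy files allow, lists the PBE algorithm names the provider offers as both a secret key factory and a cipher, and runs an encrypt/decrypt round trip. The class name PbeProviderCheck, its arguments, the salt length, the iteration count and the passphrase are assumptions chosen for illustration.

```java
import java.security.*;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;

// Hypothetical pre-flight check; the class name and arguments are not DPA's.
// Usage: java PbeProviderCheck <providerName> [pbeAlgorithmName]
public class PbeProviderCheck {
    // PBE names the provider registers as BOTH a SecretKeyFactory and a Cipher.
    static Set<String> candidates(Provider p) {
        Set<String> names = new TreeSet<String>();
        for (Provider.Service s : p.getServices()) {
            String alg = s.getAlgorithm();
            if ("SecretKeyFactory".equals(s.getType()) && alg.toUpperCase().startsWith("PBE")
                    && p.getService("Cipher", alg) != null) names.add(alg);
        }
        return names;
    }

    // Derive a key from a passphrase, then encrypt and decrypt a test message.
    static boolean roundTrip(Provider p, String alg, char[] pass) throws Exception {
        byte[] salt = new byte[8]; // 8 bytes: the length older PBE schemes insist on
        new SecureRandom().nextBytes(salt);
        PBEParameterSpec spec = new PBEParameterSpec(salt, 10000);
        SecretKey key = SecretKeyFactory.getInstance(alg, p).generateSecret(new PBEKeySpec(pass));
        Cipher enc = Cipher.getInstance(alg, p);
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        byte[] msg = "constructed test message".getBytes("UTF-8");
        byte[] ct = enc.doFinal(msg);
        AlgorithmParameters used = enc.getParameters(); // carries a generated IV, if any
        Cipher dec = Cipher.getInstance(alg, p);
        if (used != null) dec.init(Cipher.DECRYPT_MODE, key, used);
        else dec.init(Cipher.DECRYPT_MODE, key, spec);
        return Arrays.equals(msg, dec.doFinal(ct));
    }

    public static void main(String[] args) throws Exception {
        Provider p = args.length > 0 ? Security.getProvider(args[0]) : null;
        if (p == null) throw new IllegalStateException("provider not registered in java.security");
        System.out.println("Max AES key bits under installed policy: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("PBE candidates: " + candidates(p));
        if (args.length > 1) System.out.println(args[1] + " round trip ok: "
                + roundTrip(p, args[1], "constructed passphrase".toCharArray()));
    }
}
```

Run it with the java binary that java_loc.txt points to, so the result reflects the provider jar, java.security entries and policy files DPA will actually load. A reported maximum of 128 bits means the restricted policy files are still in place.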
Last modified
19:13, 22 Jun 2016
