The alfresco-global.properties file (and other subsystem properties files) holds configuration properties that contain sensitive information or passwords, such as db.password. All the properties that can be specified in Content Services in the alfresco-global.properties file can be encrypted.
Use this information to encrypt any property using the Alfresco Encrypted Properties Management Tool (version 6.3). This tool uses the RSA/ECB/PKCS1PADDING (key size 512) encryption algorithm by default but also supports the following algorithms:
- RSA/ECB/PKCS1Padding
- RSA/ECB/OAEPWithMD5AndMGF1Padding
- RSA/ECB/OAEPWithSHA-224AndMGF1Padding
- RSA/ECB/OAEPWithSHA-256AndMGF1Padding
- RSA/ECB/OAEPWithSHA-384AndMGF1Padding
- RSA/ECB/OAEPWithSHA-512AndMGF1Padding
- AES/CBC/PKCS5Padding
- AES/ECB/PKCS5Padding
- DESede/CBC/PKCS5Padding
- DESede/ECB/PKCS5Padding
Before encrypting properties using the Alfresco Encrypted Properties Management Tool, consider the following:
- Unless used in a legacy mode, values encrypted using version 6.3 of the Alfresco Encrypted Properties Management Tool are only supported on Alfresco Content Services and Alfresco Share 23.3 and later.
- This functionality is not related to Cryptographic password hashing.
- Boolean properties, number properties, and properties that contain expressions can’t be encrypted.
The values of some properties that may contain sensitive data (see the list below) are hidden from JMX, whereas other values, including non-sensitive values, are shown in JMX. The administrator can set new values for the security-sensitive properties in JMX but can’t see the old values.
Here is the list of protected attributes (the value for these will be masked in the JMX console and Admin Console UI):
- alfresco_user_store.adminpassword
- db.password
- mail.password
- solr.solrPassword
- cryptodoc.jce.key.passwords
- cryptodoc.jce.keystore.password
- ldap.synchronization.java.naming.security.credentials
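As an added example (not Alfresco's own code), the following Python audit reads a properties file and reports, for each protected attribute listed above, whether its value is stored encrypted, in plaintext, empty, or as an expression (which, as noted earlier, can't be encrypted). It assumes encrypted values are wrapped as `ENC(...)`, which this page does not state; the function names and the sample file content are constructed for illustration.

```python
import re

# Protected attributes, copied from the list on this page.
PROTECTED = {
    "alfresco_user_store.adminpassword", "db.password", "mail.password",
    "solr.solrPassword", "cryptodoc.jce.key.passwords",
    "cryptodoc.jce.keystore.password",
    "ldap.synchronization.java.naming.security.credentials",
}
# Assumption (not stated on the page): encrypted values look like ENC(<ciphertext>).
ENCRYPTED = re.compile(r"^ENC\(.+\)$")

# Constructed sample input, not a real configuration.
SAMPLE = r"""
# database
db.username=alfresco
db.password=ENC(c2FtcGxlLWNpcGhlcnRleHQ=)
mail.password = changeme
solr.solrPassword=${solr.secret}
cryptodoc.jce.keystore.password:
ldap.synchronization.java.naming.security.credentials=long\
    value
db.pool.max=275
"""

def parse_properties(text):
    """Parse key=value or key:value lines; skip comments, join '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue                      # blank line or comment
        line = pending + stripped
        if line.endswith("\\"):           # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return {protected key: status} for each protected attribute present."""
    def status(v):
        return ("encrypted" if ENCRYPTED.match(v) else "expression" if "${" in v
                else "plaintext" if v else "empty")
    return {k: status(v) for k, v in parse_properties(text).items() if k in PROTECTED}

if __name__ == "__main__":
    for key, state in sorted(audit(SAMPLE).items()):
        print(f"{state:<10} {key}")
```

A key reported as "expression" only references another property, so the check has to be repeated on wherever that referenced value is defined.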