Encryption

All passwords in Welle are encrypted at rest.

Note

Read Database for more information regarding the 3 databases Welle connects to.

Change in Encryption Algorithm

If there is a change in encryption algorithm, you need to perform the following steps manually.

  1. Make use of the latest release of Welle Tools to generate encrypted password for Welle Configuration database.

    $ java -cp ./welle-tools-3.3.4.jar WelleEncryptor encrypt [password-in-clear]
    
  2. Replace encrypted password for WELLE_DB_PASSWORD in welle.properties. The properties file is located in /opt/tomcat/webapps/welle/WEB-INF/classes.

    # Welle Configuration Database Information
    # This will bootstrap all configuration required by Welle
    WELLE_DB_DRIVER=org.mariadb.jdbc.Driver
    WELLE_DB_URL=jdbc:mariadb://192.168.200.105:3306/welle_config
    WELLE_DB_USERNAME=welle
    WELLE_DB_PASSWORD=qtRLxdf4GnioTo4QokiY+KN8fpklhuo4pPqsdIBqqKI=
    WELLE_DB_POOL=5
    
  3. Connect to Welle Configuration database by using a SQL client. e.g. DBeaver - a free multi-platform database tool.

  • Retrieve the encryption key by issuing the following SQL statement:
SELECT config_value FROM configurations WHERE config_key="ENCRYPTION_KEY";
  1. Make use of the latest release of Welle Tools to generate encrypted passwords for IDM, Attestation and Attestation Archive databases .

    $ java -cp ./welle-tools-3.3.4.jar WelleEncryptor encrypt [password-in-clear] [encryption-key]
    
  • Replace encrypted passwords with the following SQL statements:
UPDATE ext_databases SET db_password="[encrypted-password]" WHERE db_type="IDM_DB";
UPDATE ext_databases SET db_password="[encrypted-password]" WHERE db_type="ATTESTATION_DB";
UPDATE ext_databases SET db_password="[encrypted-password]" WHERE db_type="ATTESTATION_ARCHIVE_DB";
UPDATE ext_databases SET db_password="[encrypted-password]" WHERE db_type="AUDIT_LOG_DB";
  1. Make use of the latest release of Welle Tools to generate encrypted password to connect to WrenIDM via REST calls.

    $ java -cp ./welle-tools-3.3.4.jar WelleEncryptor encrypt [password-in-clear] [encryption-key]
    
  • Replace encrypted password with the following SQL statement:
UPDATE configurations SET config_value="[encrypted-password]" WHERE config_key="IDM_PWD";
  1. If Authentication Required is enabled for your Mail Server, make use of the latest release of Welle Tools to generate encrypted password.

    $ java -cp ./welle-tools-3.3.4.jar WelleEncryptor encrypt [password-in-clear] [encryption-key]
    
  • Replace encrypted password with the following SQL statement:
UPDATE configurations SET config_value="[encrypted-password]" WHERE config_key="MAIL_PASSWORD";
  1. Restart Tomcat to connect to Welle Configuration Database with the new encrypted password.

    # /etc/init.d/tomcat stop
    # /etc/init.d/tomcat start
    
  2. We’re good.

Change in Encryption Key

If there is a change in encryption key that is stored in Welle Configuration database, you need to perform the following step manually to replace all the encrypted passwords. This encryption key is required to encrypt and decrypt passwords stored in Welle Configuration database.

Note

Encryption Key must be 8 bytes long, which means 32 characters length.

You can change the encryption key with the following SQL statement:

UPDATE configurations SET config_value="[new-encryption-key]" WHERE config_key="ENCRYPTION_KEY";

You can then generate encrypted passwords with the following SQL statement:

$ java -cp ./welle-tools-3.3.4.jar WelleEncryptor encrypt [password-in-clear] [new-encryption-key]

With the new encrypted passwords, following the instructions from Step 4 to 7 in the last section.

Tip

The encryption key to decrypt WELLE_DB_PASSWORD in welle.properties is a different key.