Anyone know how to encrypt the dbconfig.xml password?

S_ Toyo July 29, 2019

I tried following this guide.... but we get stuck on step 2. https://confluence.atlassian.com/adminjira/advanced-encryption-972328643.html

 

Any guidance would be greatly appreciated!

38 answers

2 votes
DPKJ
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 29, 2019

You can do it as follows for an AES key, which falls under FIPS 140.2:

- Typing the JSON argument in the terminal is not a good idea (as it won't be visible to you). You can open any text editor and prepare the JSON in that (replace <PASSWORD> with your original password).

{"plainTextPassword":"<PASSWORD>", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES"}

- Move to Jira Installation directory

$ cd /<jira_installation_directory>/bin

- Run this java command:

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

- If everything works fine in the above command, it will prompt you with the text "Enter Password:". Now copy the whole text (JSON) that you created from your editor and paste it in the terminal. It will not show you anything in the terminal, but the content is there. You just need to hit the <return> key and your password-related files will be generated.

- You can use the following command to confirm; it will show you the recently generated files at the end of the listing.

$ ls -lrt

- If you are not comfortable with pasting content in the terminal and not seeing it, you can also pass your JSON as a parameter to the above command.

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher -p <YOUR_FULL_JSON_HERE>

- But if you are using this method, make sure you remove this command from your terminal/shell history.

I hope this helps. Also note that this feature was made available after Jira 8.0. This won't work if you are using an earlier version of Jira.

1 vote
Christopher Gronde August 19, 2019

I forgot to add the password cipher line to the dbconfig.  Now it no longer gives me errors but it acts as if it's a new install and wants me to set up a new DB

1 vote
DPKJ
August 19, 2019

@Christopher Gronde 

There is a dbconfig.xml file inside your Jira Home directory, and it contains

<password>your_plain_text_password</password>

You need to replace this with a JSON object that points to your encrypted files' location. Something like this:

<password>{"sealedObjectFilePath":"<safe_location>/javax.crypto.SealedObject_....", "keyFilePath":"<safe_location>/javax.crypto.spec.SecretKeySpec_...."}</password>


This will tell Jira where to look for the encrypted password and what spec you used to encrypt your password.

1 vote
Christopher Gronde August 19, 2019

Yes, I get "enter password", to which I then add the JSON object, which gives me the three output files.  I put those files in a "safe place" and then make them read only.  I don't understand step 4 in https://confluence.atlassian.com/jiracore/advanced-encryption-975040999.html where I have to then add the encrypted password to dbconfig.xml.  I don't understand "Replace the <password> tag with the output JSON object".  What output are they talking about?  How do I get that output?

1 vote
DPKJ
July 29, 2019

What we did:

- Created the password-related files as mentioned in STEP-1.

- Moved all generated files to the JIRA_USER home directory, and changed their mode to read only.

$ mv javax.crypto.SealedObject* /home/<jira_user>/.config/jira/.
$ mv javax.crypto.spec.SecretKeySpec* /home/<jira_user>/.config/jira/.
# read-only on the files only; -R 0444 on the directory would also remove its search (x) bit
$ chmod 0444 /home/<jira_user>/.config/jira/javax.crypto.*

- You can also keep java.security.AlgorithmParameters in this directory, but it is not essential and only useful during password decryption or other maintenance activities.

- Now we added the paths of these files to environment variables as mentioned in STEP-3.

$ echo 'export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_spec_SecretKeySpec=/home/<jira_user>/.config/jira/javax.crypto.spec.SecretKeySpec_123456789' >> /home/<jira_user>/.bash_profile
$ echo 'export com_atlassian_db_config_password_ciphers_algorithm_javax_crypto_SealedObject=/home/<jira_user>/.config/jira/javax.crypto.SealedObject_123456789' >> /home/<jira_user>/.bash_profile

- Sourced these variables in the Jira user account, and updated the dbconfig.xml file in the Jira home directory.

<atlassian-password-cipher-provider>com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher</atlassian-password-cipher-provider>
<password>{}</password>

- And restarted Jira.

In case you get an error connecting to the DB after restart, make sure the environment variables exist.

0 votes
mariarosaria_cuomo_tisparkle_com April 2, 2021

Hi guys,

I tried to insert the encrypted psw in my dbconfig.xml, but Jira returns an error.

I tried both methods, after creating the encrypted psw (that went OK).
First I tried to add the line below in DBCONFIG.XML:
<password>{"sealedObjectFilePath":"/data_mount/atlassian/application-data/jira/javax.crypto.SealedObject_161728585xxxx", "keyFilePath":"/data_mount/atlassian/application-data/jira/javax.crypto.spec.SecretKeySpec_161728585xxxx"}</password>

But Jira's log returns an error:
2021-04-02 12:42:31,453+0200 JIRA-Bootstrap INFO [c.a.j.config.database.SystemDatabaseConfigurationLoader] Reading database configuration from /data_mount/atlassian/application-data/jira/dbconfig.xml
2021-04-02 12:42:31,493+0200 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
2021-04-02 12:42:31,494+0200 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Database password decryption not performed.

For the second method, I tried to add the files javax.crypto.spec.SecretKeySpec_161728585xxxx and javax.crypto.SealedObject_161728585xxxx to environment variables.
But Jira's log returns an error:

2021-04-02 13:15:22,770+0200 JIRA-Bootstrap INFO [c.a.j.config.database.SystemDatabaseConfigurationLoader] Reading database configuration from /data_mount/atlassian/application-data/jira/dbconfig.xml
2021-04-02 13:15:22,773+0200 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
2021-04-02 13:15:22,776+0200 JIRA-Bootstrap ERROR [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Runtime Exception thrown when decrypting: DecryptionParameters{sealedObjectFilePath='null', keyFilePath='null'}
java.lang.IllegalArgumentException: Missing file path for: javax.crypto.SealedObject

Please help me to understand what's wrong.

0 votes
Mahalakshmi Vijjapu November 25, 2020

Hi,

I am asked to implement the advanced encryption method with AES-GCM. I wanted to clarify whether it is possible using AES-GCM, since the documentation shows me only AESCBC.

Can anyone clarify if AES-GCM is possible for implementation?

0 votes
DPKJ
October 18, 2019

@Christopher Gronde If you have Java installed, you need to add the path of JAVA_HOME/bin to your PATH environment variable. You can look into this guide for help.

https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Portal/5.1/html/Installation_Guide/Pre_Requisites-Configuring_Your_Java_Environment.html

0 votes
Christopher Gronde October 18, 2019

RHEL 7 Linux

0 votes
DPKJ
October 17, 2019

This implies that you don't have the JAVA executable set in your terminal environment.

If you need help setting this value, do let me know what OS you are on (Windows or Linux).

0 votes
Christopher Gronde October 17, 2019

Hello?  Can anyone answer this for me?

0 votes
Christopher Gronde August 29, 2019

What happens if, when I try to run the java command in the /bin directory, it tells me:

bash: java: command not found

0 votes
S_ Toyo August 19, 2019

@Christopher Gronde I was getting the EXACT same error where it was asking for a brand new DB install. It was totally weird. But I too finally figured it out. I just had to enter the file path of the 2 files that it generated in the BIN folder, by placing C:\\Program Files\\Jira\\bin\\PATH OF FILES.

0 votes
Christopher Gronde August 19, 2019

ok it looks like I fat fingered the file location.  Everything is working now!  Thanks for the help!

0 votes
DPKJ
August 19, 2019

Can you please share the log files and also what you added in the dbconfig.xml file?

Also try the reverse encryption process to verify that your files contain the correct data.

0 votes
Christopher Gronde August 19, 2019

oh!  Got it!  I added that and the cypher line, but now when I start Jira it is acting as if it's a new installation and wants me to set up a new DB.

0 votes
S_ Toyo August 16, 2019

@Christopher Gronde After you enter

java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

do you immediately get an "Enter Password" prompt? This is how you know that it worked correctly.

0 votes
Christopher Gronde August 16, 2019

I have steps 1 and 2 done but steps 3 and 4 don't make any sense to me.  How do I get the output that goes into dbconfig?

0 votes
DPKJ
August 14, 2019

@S_ Toyo 

It seems Jira is not able to find the file paths mentioned in the dbconfig.xml file.

{sealedObjectFilePath='javax.crypto.SealedObject_1565824481015', keyFilePath='javax.crypto.spec.SecretKeySpec_1565824480983'}

Where are these files in your system?

Please add the full file path to these files, like I mentioned earlier.

{sealedObjectFilePath='/home/jira/javax.crypto.SealedObject_1565824481015', keyFilePath='/home/jira/javax.crypto.spec.SecretKeySpec_1565824480983'}

Like above, if the files exist in the `/home/jira` directory. Also check that they are readable by the user who is assigned to run Jira, in your case `jira`.
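
Added example, not part of the thread and not Atlassian's code: a preflight check for the two failures diagnosed in these posts, relative paths inside `<password>` and an empty `<password>{}</password>` with the environment variables unset. The fallback from the JSON fields to the environment variables mirrors what the posts describe and is an assumption about Jira's lookup; the sample XML is constructed, and the group/other permission check on the key file is an added hardening check the thread does not ask for.

```python
import json
import os
import stat
import xml.etree.ElementTree as ET

CIPHER = "com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher"
PREFIX = "com_atlassian_db_config_password_ciphers_algorithm_"
# JSON field -> environment variable, both spelled as they appear in the thread.
FIELDS = {
    "sealedObjectFilePath": PREFIX + "javax_crypto_SealedObject",
    "keyFilePath": PREFIX + "javax_crypto_spec_SecretKeySpec",
}


def check_dbconfig(xml_text, env=None):
    """Return a list of findings; an empty list means every check passed."""
    env = os.environ if env is None else env
    root = ET.fromstring(xml_text)
    provider = (root.findtext(".//atlassian-password-cipher-provider") or "").strip()
    if provider != CIPHER:
        return ["cipher provider line missing or unexpected: %r" % provider]
    try:
        params = json.loads(root.findtext(".//password") or "")
    except ValueError:
        params = None  # empty element or a plaintext password
    if not isinstance(params, dict):
        return ["<password> does not hold a JSON object"]
    findings = []
    for field, var in FIELDS.items():
        path = params.get(field) or env.get(var)
        if not path:
            findings.append("%s: not set in <password> and %s is unset" % (field, var))
        elif not os.path.isabs(path):
            findings.append("%s: relative path %r, use the full path" % (field, path))
        elif not os.path.isfile(path):
            findings.append("%s: no such file %s" % (field, path))
        elif not os.access(path, os.R_OK):
            findings.append("%s: %s is not readable by this user" % (field, path))
        elif field == "keyFilePath" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("%s: %s is accessible to group/other" % (field, path))
    return findings


# Constructed sample reproducing the relative paths from the log in the thread.
SAMPLE = """<jira-database-config><jdbc-datasource>
<atlassian-password-cipher-provider>%s</atlassian-password-cipher-provider>
<password>{"sealedObjectFilePath":"javax.crypto.SealedObject_1565824481015",
"keyFilePath":"javax.crypto.spec.SecretKeySpec_1565824480983"}</password>
</jdbc-datasource></jira-database-config>""" % CIPHER

if __name__ == "__main__":
    for finding in check_dbconfig(SAMPLE):
        print(finding)
```

Run it as the account that starts Jira, with that account's environment loaded, since the readability and environment checks apply to the current user.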

0 votes
S_ Toyo August 14, 2019

@DPKJ I pulled this from my jira log file.

2019-08-14 13:19:34,919 JIRA-Bootstrap INFO [c.a.j.c.cache.pauser.NonClusteredReplicationPauserManager] Non-clustered mode: ReplicationPauserManager implemented by NonClusteredReplicationPauserManager
2019-08-14 13:19:35,950 JIRA-Bootstrap INFO [c.a.j.config.database.SystemDatabaseConfigurationLoader] Reading database configuration from C:\Program Files\Atlassian\Application Data\JIRA\dbconfig.xml
2019-08-14 13:19:35,950 JIRA-Bootstrap INFO [c.a.j.config.database.DatabaseConfigHandler] Trying to get encrypted password from xml and decrypt it
2019-08-14 13:19:35,950 JIRA-Bootstrap DEBUG [c.a.d.config.password.DefaultCipherProvider] Initiate cipher provider class: com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
2019-08-14 13:19:35,950 JIRA-Bootstrap DEBUG [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Initiate AlgorithmCipher
2019-08-14 13:19:35,950 JIRA-Bootstrap DEBUG [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Decrypting data...
2019-08-14 13:19:35,950 JIRA-Bootstrap ERROR [c.a.d.c.p.c.algorithm.serialization.SerializationFile] Couldn't read file needed for encryption/decryption. Tried to read file under: javax.crypto.SealedObject_1565824481015
java.io.FileNotFoundException: javax.crypto.SealedObject_1565824481015 (The system cannot find the file specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at com.atlassian.db.config.password.ciphers.algorithm.serialization.SerializationFile.read(SerializationFile.java:31)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:141)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:133)
at com.atlassian.jira.config.database.JdbcDatasource.lambda$parse$0(JdbcDatasource.java:389)
at java.util.Optional.map(Optional.java:215)
at com.atlassian.jira.config.database.JdbcDatasource.parse(JdbcDatasource.java:389)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parseDatasource(DatabaseConfigHandler.java:62)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parse(DatabaseConfigHandler.java:33)
at com.atlassian.jira.config.database.AbstractJiraHomeDatabaseConfigurationLoader.loadDatabaseConfiguration(AbstractJiraHomeDatabaseConfigurationLoader.java:51)
at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.getDatabaseConfiguration(DatabaseConfigurationManagerImpl.java:180)
at com.atlassian.jira.startup.BootstrapContainerLauncher.bootstrapJIRAWhenDBIsNotSetup(BootstrapContainerLauncher.java:69)
at com.atlassian.jira.startup.BootstrapContainerLauncher.start(BootstrapContainerLauncher.java:43)
at com.atlassian.jira.startup.DefaultJiraLauncher.preDbLaunch(DefaultJiraLauncher.java:117)
at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$start$0(DefaultJiraLauncher.java:103)
at com.atlassian.jira.util.devspeed.JiraDevSpeedTimer.run(JiraDevSpeedTimer.java:31)
at com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:102)
at com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
at java.lang.Thread.run(Thread.java:748)
2019-08-14 13:19:35,981 JIRA-Bootstrap ERROR [c.a.d.c.p.ciphers.algorithm.AlgorithmCipher] Runtime Exception thrown when decrypting: DecryptionParameters{sealedObjectFilePath='javax.crypto.SealedObject_1565824481015', keyFilePath='javax.crypto.spec.SecretKeySpec_1565824480983'}
java.lang.RuntimeException: java.io.FileNotFoundException: javax.crypto.SealedObject_1565824481015 (The system cannot find the file specified)
at com.atlassian.db.config.password.ciphers.algorithm.serialization.SerializationFile.read(SerializationFile.java:39)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:141)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.decrypt(AlgorithmCipher.java:133)
at com.atlassian.jira.config.database.JdbcDatasource.lambda$parse$0(JdbcDatasource.java:389)
at java.util.Optional.map(Optional.java:215)
at com.atlassian.jira.config.database.JdbcDatasource.parse(JdbcDatasource.java:389)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parseDatasource(DatabaseConfigHandler.java:62)
at com.atlassian.jira.config.database.DatabaseConfigHandler.parse(DatabaseConfigHandler.java:33)
at com.atlassian.jira.config.database.AbstractJiraHomeDatabaseConfigurationLoader.loadDatabaseConfiguration(AbstractJiraHomeDatabaseConfigurationLoader.java:51)
at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.getDatabaseConfiguration(DatabaseConfigurationManagerImpl.java:180)
at com.atlassian.jira.startup.BootstrapContainerLauncher.bootstrapJIRAWhenDBIsNotSetup(BootstrapContainerLauncher.java:69)
at com.atlassian.jira.startup.BootstrapContainerLauncher.start(BootstrapContainerLauncher.java:43)
at com.atlassian.jira.startup.DefaultJiraLauncher.preDbLaunch(DefaultJiraLauncher.java:117)
at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$start$0(DefaultJiraLauncher.java:103)
at com.atlassian.jira.util.devspeed.JiraDevSpeedTimer.run(JiraDevSpeedTimer.java:31)
at com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:102)
at com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.FileNotFoundException: javax.crypto.SealedObject_1565824481015 (The system cannot find the file specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)

0 votes
S_ Toyo August 12, 2019

@DPKJ thanks so much! I tried everything and it’s not working. :( It keeps thinking I have Jira CORE for some odd reason.... Please let me know if I missed something. We need advanced encryption to meet our FedRAMP compliance.

0 votes
DPKJ
August 12, 2019

Oh! @S_ Toyo I was using basic auth, but I will see in staging what happens when I go with Advanced. Give me a day or two (I got busy with the Confluence update, lots of security issues in Atlassian updates these days).

0 votes
S_ Toyo August 12, 2019

@DPKJ Any possible response to my previous reply? :(

0 votes
S_ Toyo August 2, 2019

@DPKJ Okay, so I tried to place the "Advanced encryption" into my dbconfig.xml file and just use an empty database to see if that would work. And I figured I would just load my data back in when I get to the dashboard.

I got a new page that I had never seen before, and somehow it thinks I have JIRA CORE, when we have JIRA SOFTWARE. Does the Advanced Encryption not work with Jira SOFTWARE? When we revert back again to the BASIC ENCRYPTION we don't get this issue. We are taken straight to our JIRA SOFTWARE dashboard.


2019-08-02_14-49-23.png

0 votes
S_ Toyo July 31, 2019

@DPKJ we upgraded to Jira 8.3. Encryption of the password works fine using the BASIC ENCRYPTION method. But since we need to meet FIPS 140.2 we need the ADVANCED ENCRYPTION method. :(
