Anyone know how to encrypt the dbconfig.xml password?

38 answers

0 votes
DPKJ
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 31, 2019

@S_ Toyo it is time to get the Atlassian Support guys in.

I will be updating one of the installations in a day or two, and will confirm to you if the same issue occurs (it may be version specific).

0 votes
S_ Toyo July 31, 2019

@DPKJ I decrypted the password following the CMD and JSON and it was the correct password. :(

0 votes
S_ Toyo July 31, 2019

@DPKJ I will try that and confirm that it really is our password. And MAYBE that could be why when we try to restart JIRA it asks us to set it up all over again. I will try this today. :)

0 votes
DPKJ
Community Leader
July 31, 2019

@S_ Toyo have you tried the step "Decrypting the Password" to confirm that the generated files have the correct plaintext password in them?

0 votes
S_ Toyo July 31, 2019

@DPKJ The two lines that it wanted us to place into our dbconfig.xml file looked a lot like this:

<atlassian-password-cipher-provider>com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher</atlassian-password-cipher-provider>
<password>{"sealedObjectFilePath":"/home/jira/javax.crypto.SealedObject_123456789","keyFilePath":"/home/jira/javax.crypto.spec.SecretKeySpec_123456789"}</password>

But as soon as I restarted Jira and tried to access the URL it asks me to set up jira all over again. Which I find odd. Am I missing a step? Can it not read the encrypted password in the XML file? When I revert it back to the visible password I can access my jira and my entire DB just fine. No setup again needed.  
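
One way to check the two lines quoted in the post above before restarting Jira, as an added example that is not part of the original thread or of Atlassian's tooling: it parses dbconfig.xml and confirms that the `<password>` JSON names files that exist and are not open to other accounts. The function names, the constructed sample files and the permission check are assumptions added here; the thread does not establish why the setup wizard reappeared.

```python
import json
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

CIPHER_TAG = "atlassian-password-cipher-provider"
PATH_KEYS = ("sealedObjectFilePath", "keyFilePath")

def check_dbconfig(path):
    """Return a list of problems with the encrypted-password entry in dbconfig.xml."""
    problems = []
    root = ET.parse(path).getroot()
    providers = list(root.iter(CIPHER_TAG))
    passwords = list(root.iter("password"))
    if len(providers) != 1:
        problems.append(f"expected one <{CIPHER_TAG}>, found {len(providers)}")
    if len(passwords) != 1:  # e.g. the old plaintext line was left in place
        return problems + [f"expected one <password>, found {len(passwords)}"]
    try:
        value = json.loads(passwords[0].text or "")
    except json.JSONDecodeError:
        value = None
    if not isinstance(value, dict):
        return problems + ["<password> is not a JSON object"]
    for key in PATH_KEYS:
        target = value.get(key)
        if not isinstance(target, str) or not target:
            problems.append(f"{key} missing from <password> JSON")
        elif not os.path.isfile(target):
            problems.append(f"{key}: {target} does not exist")
        elif os.name == "posix" and stat.S_IMODE(os.stat(target).st_mode) & 0o077:
            # Whoever can read both files can recover the plaintext password.
            problems.append(f"{key}: {target} is accessible to group/other")
    return problems

def demo():
    """Constructed sample: the key file named in <password> is missing on disk."""
    with tempfile.TemporaryDirectory() as d:
        sealed = os.path.join(d, "sealed_object")  # constructed file name
        os.close(os.open(sealed, os.O_CREAT | os.O_WRONLY, 0o600))
        pw = json.dumps({"sealedObjectFilePath": sealed,
                         "keyFilePath": os.path.join(d, "missing_key")})
        cfg = os.path.join(d, "dbconfig.xml")
        with open(cfg, "w") as f:
            f.write(f"<jira-database-config><jdbc-datasource><{CIPHER_TAG}>x</{CIPHER_TAG}>"
                    f"<password>{pw}</password></jdbc-datasource></jira-database-config>")
        return check_dbconfig(cfg)
if __name__ == "__main__":
    print(demo())
```

Run `check_dbconfig` as the account that runs Jira so the existence check reflects what the service can actually see.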

0 votes
DPKJ
Community Leader
July 30, 2019

This is unusual. I have a couple of suggestions:

  • You can check if your Jira Home setting points to the correct directory.
  • What did you paste in the dbconfig.xml file?

0 votes
S_ Toyo July 30, 2019

@DPKJ Okay so we think we finally got it. And we copied + pasted the two lines into our DBCONFIG.xml file. We restarted Jira. We tried to launch our Jira URL and now it's asking us to set up our Jira all over again........

So we select the "I'll set it up myself" option

Enter in all the Microsoft SQL server information but it gives us an error "You have specified a database that is not empty, please specify an empty database. If you want to upgrade an existing installation, "

This is something that we never had an issue with before..... what happened?!

0 votes
S_ Toyo July 30, 2019

@DPKJ Ok so I opened up Notepad++ and created a JSON file with the following

{"plainTextPassword":"<PASSWORD>", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES"}

I then moved that newly created JSON file to my directory

$ cd /<jira_installation_directory>/bin

I opened up CMD line and typed the following command

$ java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

And it did prompt me to enter in my password which I did and it said this:

2019-07-30 11:33:11,243 main DEBUG [db.config.password.DefaultCipherProvider] Initiate cipher provider class: com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher
2019-07-30 11:33:14,024 main DEBUG [password.ciphers.algorithm.AlgorithmCipher] Initiate AlgorithmCipher
2019-07-30 11:33:14,821 main DEBUG [password.ciphers.algorithm.AlgorithmCipher] Encrypting data...
Exception in thread "main" com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $
at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:226)
at com.google.gson.Gson.fromJson(Gson.java:927)
at com.google.gson.Gson.fromJson(Gson.java:892)
at com.google.gson.Gson.fromJson(Gson.java:841)
at com.google.gson.Gson.fromJson(Gson.java:813)
at com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher.encrypt(AlgorithmCipher.java:105)
at com.atlassian.db.config.password.tools.CipherTool.lambda$getOutputData$0(CipherTool.java:50)
at java.util.Optional.map(Unknown Source)
at com.atlassian.db.config.password.tools.CipherTool.getOutputData(CipherTool.java:50)
at com.atlassian.db.config.password.tools.CipherTool.main(CipherTool.java:34)
Caused by: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $
at com.google.gson.stream.JsonReader.beginObject(JsonReader.java:385)
at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:215)
... 9 more

I copied the whole entire text from my JSON file that I created and it said "The filename, directory name, or volume label syntax is incorrect."

0 votes
S_ Toyo July 30, 2019

@DPKJ Ah I see got it! We have to call out to the JSON txt file that we place in the bin directory. Ok that’s the confusion and part we were wondering about. Because we entered in the first CMD given in the guide and got lost from there.

We will try this and let you know your results! Thanks so much.

Btw, is there any way to encrypt the keystore password in the server.XML file as well?

0 votes
DPKJ
Community Leader
July 29, 2019

You can do it as follows for an AES key, which falls under FIPS 140.2.

- Typing the JSON argument in the terminal is not a good idea (as it won't be visible to you). You can open any text editor and prepare the JSON in that (replace <PASSWORD> with your original password).

{"plainTextPassword":"<PASSWORD>", "algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES"}

- Move to the Jira installation directory.

$ cd /<jira_installation_directory>/bin

- Write this java command; make sure you have JAVA_HOME in your path to execute the java command.

$ java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher

- If everything works fine in the above command, it will prompt you with the text "Enter Password:". Now copy the whole text (JSON) that you created from your editor and paste it in the terminal. It will not show you anything in the terminal, but the content is there. You just need to hit the <return> key and your password-related files will be generated.

- You can use the following command to confirm; it will show you the recently generated files in the directory at the end.

$ ls -lrt

- If you are not comfortable with pasting content in the terminal and not seeing it, you can also pass your JSON as a parameter to the above command.

$ java -cp "./*" com.atlassian.db.config.password.tools.CipherTool -c com.atlassian.db.config.password.ciphers.algorithm.AlgorithmCipher -p <YOUR_FULL_JSON_HERE>

- But if you are using this method, make sure you remove this command from your terminal/shell history.

I hope this helps. Also note that this feature was made available after Jira 8.0. This won't work if you are using an earlier version of Jira.
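
The stack trace in S_ Toyo's July 30 post shows gson rejecting input that did not begin with a JSON object, and the steps above depend on pasting text that is not echoed. This added example (not part of the thread or of Atlassian's CipherTool) checks the prepared JSON before it is pasted and never prints the password. `check_cipher_input` and the sample values are hypothetical, and the cipher/key-name comparison is an assumption based on the AES example on this page.

```python
import json

REQUIRED = ("plainTextPassword", "algorithm", "algorithmKey")

def check_cipher_input(text):
    """Return a list of problems with the text meant for the "Enter Password:" prompt."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # exc.msg describes the syntax error only; it does not echo the input.
        return [f"not valid JSON: {exc.msg} at column {exc.colno}"]
    if not isinstance(data, dict):
        return [f"top-level value is {type(data).__name__}, expected an object"]
    problems = [f"{k} missing or empty" for k in REQUIRED
                if not isinstance(data.get(k), str) or not data[k]]
    if problems:
        return problems
    if data["plainTextPassword"] == "<PASSWORD>":
        problems.append("placeholder <PASSWORD> was not replaced")
    parts = data["algorithm"].split("/")
    if len(parts) != 3:
        problems.append("algorithm is not of the form NAME/MODE/PADDING")
    elif parts[0].upper() != data["algorithmKey"].upper():
        # Assumption: the key type names the same cipher as the transformation,
        # as in the AES example on this page.
        problems.append("algorithmKey does not match the cipher in algorithm")
    return problems

# Constructed inputs; "s3cret" is a made-up password.
SAMPLES = {
    "bare password": "s3cret",
    "quoted string": '"s3cret"',
    "curly quotes": '{“plainTextPassword”:“s3cret”}',
    "placeholder left in": '{"plainTextPassword":"<PASSWORD>", '
                           '"algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES"}',
    "ok": '{"plainTextPassword":"s3cret", '
          '"algorithm":"AES/CBC/PKCS5PADDING", "algorithmKey":"AES"}',
}

def demo():
    """Run the check over every constructed sample."""
    return {name: check_cipher_input(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'ok'}")
```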

0 votes
Optimizory Technologies
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
July 29, 2019

--

0 votes
S_ Toyo July 29, 2019

@DPKJ we need to make sure the encryption is FIPS 140.2.

We followed the guide that I posted. We read through STEP 1 and the command they provided. But we are stuck at STEP 1 and the third step where it’s supposed to ask for the JSON commands. Are we doing something wrong?
