BugZero updated this defect 58 days ago.
3/22/2024
Smart Assurance - Watch4net/M&R
No affected releases provided.
No fixed releases provided.
Watch4net APG 5: Switching to an encrypted password database

How to switch to an encrypted password database in Watch4Net APG 5
For improved security, it is possible to switch to an encrypted password database. In APG revisions later than 1957, user passwords can be stored encrypted in the database. To enable this feature, follow these steps:

1. Edit APG.xml and add digest="SHA1" in the Realm block. The resulting APG.xml should look like the following example:

    <Context>
      <Resource name="jdbc/APG-DB" auth="Container" type="javax.sql.DataSource"
                maxActive="100" maxIdle="30" maxWait="10000"
                username="apg" password="watch4net"
                driverClassName="com.mysql.jdbc.Driver"
                removeAbandoned="true" removeAbandonedTimeout="60" logAbandoned="true"
                url="jdbc:mysql://localhost:53306/apg?autoReconnect=true" />
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/APG-DB" localDataSource="true"
             userTable="user" userNameCol="username" userCredCol="password"
             userRoleTable="user" roleNameCol="rolename"
             digest="SHA1" />
    </Context>

2. Set the system property digest.algorithm to the selected algorithm (e.g. SHA1).

   On Windows, go to the Tomcat installation directory and run apgtomcatw.exe. Add -Ddigest.algorithm="SHA1" in the command line argument field of the Java tab.

   On Unix, edit the apg-tomcat service file and add -Ddigest.algorithm="SHA1" to the JAVA_OPTS environment variable.

3. Encrypt the passwords in the database irreversibly with the following query:

    UPDATE user SET password=SHA1(password);
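A pre-flight and post-check for the UPDATE query above, as an added example that is not part of the original article or the vendor's tooling. It reproduces the value SHA1(password) leaves in the column, flags rows that already hold a digest, and checks a login the way a digest comparison would. The function names are hypothetical, the sample rows are constructed, and UTF-8 password text is assumed.

```python
import hashlib
import hmac
import re

# SHA1() leaves a 40-character hexadecimal string in the password column.
SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")


def sha1_hex(password: str) -> str:
    """Value that UPDATE user SET password=SHA1(password) stores.
    Assumption: the password text is UTF-8 encoded."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def looks_hashed(stored: str) -> bool:
    """Heuristic only: a plaintext password that happens to be exactly
    40 hex digits would be misclassified as already hashed."""
    return SHA1_HEX.fullmatch(stored) is not None


def plan_migration(rows):
    """Split (username, stored) rows into values to write and rows to skip,
    so that existing digests are never hashed a second time."""
    to_hash, skipped = {}, []
    for username, stored in rows:
        if looks_hashed(stored):
            skipped.append(username)
        else:
            to_hash[username] = sha1_hex(stored)
    return to_hash, skipped


def verify(submitted: str, stored: str) -> bool:
    """Digest the submitted password and compare it with the column value
    in constant time, ignoring hex case."""
    expected = sha1_hex(submitted).encode("ascii")
    return hmac.compare_digest(expected, stored.lower().encode("utf-8"))


# Constructed sample rows: one plaintext, one already migrated.
SAMPLE_ROWS = [
    ("admin", "changeme"),
    ("operator", sha1_hex("s3cret")),
]

if __name__ == "__main__":
    new_values, left_alone = plan_migration(SAMPLE_ROWS)
    print("to hash:", new_values)
    print("already hashed, skipped:", left_alone)
```

Because the query has no WHERE clause, running it a second time hashes the stored digests again, after which no original password verifies; the check above identifies rows that must be left alone.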