• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

process to encrypt neo-datasource.xml

New Here ,
Jan 24, 2022 Jan 24, 2022

Copy link to clipboard

Copied

hi everyone, I need to know the process to encrypt the file {CF_DIR}/lib/neo-datasource.xml from CFAdmin or some script.

 

Thanks a lot.

Views

888

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Expert , Jan 26, 2022 Jan 26, 2022

@HugoA ,

 

Tell your security people the algorithm used is AES/CBC/PKCS5Padding.

 

The link that Charlie provides is useful. It will take you some way towards a solution. However, it contains a mistake or two.

 

1. The first occurrence of CreateObject("java",coldfusion.server.ServiceFactory") misses a quote. The author corrects it in the code that follows.

2.  The author uses generate3DesKey() as if it were an ordinary function in Adobe ColdFusion. It is a Lucee function, but is not a function i

...

Votes

Translate

Translate
Community Expert ,
Jan 24, 2022 Jan 24, 2022

Copy link to clipboard

Copied

Encrypt it for what purpose? That's a serious question.

 

Also, are you aware that any password in that or other neo xml files are already encrypted?


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

Thanks for reply me.

The security department makes an audit to my CF server and found that file and mark me like security error.

And we don´t have the password encrypted, do you know some method? (I´m gona google it).

 

Hugo A

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

Did they say WHY they marked it as a security error? Again, sincere (and important) question.

 

Far more important: when you say "we don't have the password encrypted", what do you mean, specifically? To be clear, if you're referring to the password defined by cf within a datasource (in the xml element of that file), that IS encrypted. There's no way it can NOT be. It wouldn't work (as a cf datasource) even if you MANUALLY put the plain text password into that password xml element that Cf defines.

 

On the other hand, if you're saying "I'm looking right at the password in clear text in that file", I would ask: are you sure that's not in the DESCRIPTION field for the dsn? If so, someone was simply mistaken to do that. 

 

Or might it be in the CONNECTIONSTRING field? Or the jdbcurl perhaps? Again, that should not be necessary. Store it in the password field instead. To try changing that, edit the dsn in the cf admin (rather than the xml, to avoid an easy mistake). The connection string is under the dsn's "advanced settings" button.

 

If you feel this last point is the problem but that solution doesn't work, tells us what db you're using, and show us the connection string or jdbcurl used, with any sensitive data masked out.

 

Bottom line: encrypting the xml file is not possible, and should not be needed. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

Reading your comments and googling found some advices (https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html).

 

We check it up the neo-datasource file and found the password is encryted, now we security department needs to know the algorithm used to encrypt the password.

 

Hugo A.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

Are you saying that the link you shared told you something new about the problem? I don't see it discusing either those neo xml files nor encryption (other than to indicate that there is indeed a field in the Admin used as the "seed" for encryption of such passwords).

 

To your question, Adobe does not document what the encryption algorithm is. I've never heard of a security dept asking for that info. Are you in a position to ask them why? If you are not, you can tell them that the process is not documented by Adobe. If they press, I will note that the info is offered at least buried within the code in a blog post here and involves using the seed and an encryption algorithm stored in a file in CF called seed.properties, then a particular use of the CF decrypt function, as well as a generate3DesKey function, etc.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 26, 2022 Jan 26, 2022

Copy link to clipboard

Copied

@HugoA ,

 

Tell your security people the algorithm used is AES/CBC/PKCS5Padding.

 

The link that Charlie provides is useful. It will take you some way towards a solution. However, it contains a mistake or two.

 

1. The first occurrence of CreateObject("java",coldfusion.server.ServiceFactory") misses a quote. The author corrects it in the code that follows.

2.  The author uses generate3DesKey() as if it were an ordinary function in Adobe ColdFusion. It is a Lucee function, but is not a function in Adobe ColdFusion. At least not in recent versions. 

 

But there is good news. I will show how to gain access to the function.

 

The code you need is presented in two parts:

 

  • Dump all current datasources
    This code dumps the properties all the datasources configured in neo-datasources.xml
    <!--- Replace "yourPassword"  with your CF Admin password---> 
    <cfset createObject("component","CFIDE.adminapi.administrator").login("yourPassword")> 
    <cfset sf = createObject("java", "coldfusion.server.ServiceFactory")> 
    <!--- Dump the datasources --->
    <cfdump var="#sf.DataSourceService.getDatasources()#">
    
    <!--- Alternative code --->
    <!--- 
    <cfset createObject("component","CFIDE.adminapi.administrator").login("yourPassword")>
    <!--- Instantiate the data source object --->
     <cfset  datasourceObject = createObject("component","CFIDE.adminapi.datasource")>
    <!--- Dump the datasources --->
    <cfdump var="#datasourceObject.getDatasources()#">
    --->​


  • Obtain the password of a given datasource
    Copy the encrypted password of a given datasource from the dump to the code below
    <!--- Get from the dump the encrypted password of one of the datasources. Use your own. --->
    <cfset encryptedPassword = "XDT5sdkIw1OiCdzj/F2WEvBi6RKBZE/Uz5S+Jx8Gq7w=">
    
    <!--- Get the seed and the algorithm from the file /lib/seed.properties. Use your own. --->
    <cfset seed = "655630C7A3C5BA3E">
    <cfset encryptionAlgorithm = "AES/CBC/PKCS5Padding">
    
    <!--- Use the CFPage class to gain access to the function generate3DesKey --->
    <cfset pageObject = createobject("java","coldfusion.runtime.CFPage")>
    <cfset encryptionKey = pageObject.generate3DesKey(seed)>
    
    
    <cfset decryptedPassword = Decrypt(encryptedPassword, encryptionKey, encryptionAlgorithm, "base64")>
    
    Decrypted datasource password: <cfoutput>#decryptedPassword#</cfoutput>​

     

 

 

 

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 26, 2022 Jan 26, 2022

Copy link to clipboard

Copied

BKBK, while you're right that the function is not DOCUMENTED, it DOES in fact work as a built-in function in CFML. As such, you don't need the call to Java to get it.

 

I suspect that you didn't try it, but just looked for it in the docs, and found it only in Lucee docs. I can confirm that is so (more in a moment on fixing that). You may even have tried to view it in the CF getfunctionlist function result. I confirm also it's not there.

 

But the function DOES indeed work, and in each CF release I tried from CF2021 back to CF10. Here's a simple demo:

<cfdump var="#generate3DesKey("123")#">

 

Also, I have just created a tracker ticket pointing all this out:

https://tracker.adobe.com/#/view/CF-4212709

If either of you (or other readers) may want to add votes there, to get Adobe to address this. (They may not care to expose the process of decrypting passwords, but the function clearly is of more generic value than that specific use.)

 

Finally, while that site's code and BKBK's above focuses on using CF admin api function to obtain passwords, you can also just use the password as you find it in any of the various neo xml files, to decrypt them.  One just needs that, and such code as that with that function, and the seed for that server, and the algorithm indicated in that seed.properties file. As such, it of course makes that seed.properties file and those neo xml files important to secure.

 

But back to the original question, there's no way to encrypt them. But if someone has access to files on your server, you're already in trouble. See the CF Lockdown Guide (and optionally the auto lockdown tool introduced in CF2018) for more on securing those files (and other CF files) beyodn the default configuration.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 26, 2022 Jan 26, 2022

Copy link to clipboard

Copied

quote

BKBK, while you're right that the function is not DOCUMENTED, it DOES in fact work as a built-in function in CFML. As such, you don't need the call to Java to get it.

 

I suspect that you didn't try it, but just looked for it in the docs, and found it only in Lucee docs. I can confirm that is so (more in a moment on fixing that). You may even have tried to view it in the CF getfunctionlist function result. I confirm also it's not there.

 

But the function DOES indeed work, and in each CF release I tried from CF2021 back to CF10. Here's a simple demo:

<cfdump var="#generate3DesKey("123")#">

 


By @Charlie Arehart

 

To respond to your points on generate3DesKey:

  1.  Yes, I tried it, to start with, and confirmed it works.
  2.  Yes, I looked into whether it is a documented ColdFusion function. I found it is a documented Lucee function, but not a documented Adobe ColdFusion function. It not being documented in Adobe ColdFusion means there are no guarantees when you use it outside the context of the class coldfusion.runtime.CFPage.
  3. No, I  did not try to view it using the CF getfunctionlist function. I simply went ahead after I found that it is a function of the runtime class, CFPage.

     

    Also, I have just created a tracker ticket pointing all this out:

    https://tracker.adobe.com/#/view/CF-4212709

    If either of you (or other readers) may want to add votes there, to get Adobe to address this.
     


    Handy. I've voted.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jan 26, 2022 Jan 26, 2022

Copy link to clipboard

Copied

Thanks for your reply BKBK. Have you a official link? Security deparment needs it to mark like a checked.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 26, 2022 Jan 26, 2022

Copy link to clipboard

Copied

LATEST

Thanks for your reply BKBK. 


By @HugoA

My pleasure.

 

Have you a official link? Security deparment needs it to mark like a checked.


Give them the link to this thread. It is https://community.adobe.com/t5/coldfusion-discussions/process-to-encrypt-neo-datasource-xml/td-p/127...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation