hi everyone, I need to know the process to encrypt the file {CF_DIR}/lib/neo-datasource.xml from CFAdmin or some script.
Thanks a lot.
Encrypt it for what purpose? That's a serious question.
Also, are you aware that any password in that or other neo xml files is already encrypted?
Thanks for replying to me.
The security department ran an audit on my CF server, found that file and flagged it as a security error.
And we don't have the password encrypted. Do you know of some method? (I'm going to google it.)
Hugo A
Did they say WHY they marked it as a security error? Again, sincere (and important) question.
Far more important: when you say "we don't have the password encrypted", what do you mean, specifically? To be clear, if you're referring to the password defined by cf within a datasource (in the xml element of that file), that IS encrypted. There's no way it can NOT be. It wouldn't work (as a cf datasource) even if you MANUALLY put the plain text password into that password xml element that Cf defines.
On the other hand, if you're saying "I'm looking right at the password in clear text in that file", I would ask: are you sure that's not in the DESCRIPTION field for the dsn? If so, someone was simply mistaken to do that.
Or might it be in the CONNECTIONSTRING field? Or the jdbcurl perhaps? Again, that should not be necessary. Store it in the password field instead. To try changing that, edit the dsn in the cf admin (rather than the xml, to avoid an easy mistake). The connection string is under the dsn's "advanced settings" button.
If you feel this last point is the problem but that solution doesn't work, tell us what db you're using, and show us the connection string or jdbcurl used, with any sensitive data masked out.
Bottom line: encrypting the xml file is not possible, and should not be needed.
Reading your comments and googling, I found some advice (https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html).
We checked the neo-datasource file and found the password is encrypted; now our security department needs to know the algorithm used to encrypt the password.
Hugo A.
Are you saying that the link you shared told you something new about the problem? I don't see it discussing either those neo xml files or encryption (other than to indicate that there is indeed a field in the Admin used as the "seed" for encryption of such passwords).
To your question, Adobe does not document what the encryption algorithm is. I've never heard of a security dept asking for that info. Are you in a position to ask them why? If you are not, you can tell them that the process is not documented by Adobe. If they press, I will note that the info is offered at least buried within the code in a blog post here and involves using the seed and an encryption algorithm stored in a file in CF called seed.properties, then a particular use of the CF decrypt function, as well as a generate3DesKey function, etc.
@HugoA ,
Tell your security people the algorithm used is AES/CBC/PKCS5Padding.
The link that Charlie provides is useful. It will take you some way towards a solution. However, it contains a mistake or two.
1. The first occurrence of CreateObject("java",coldfusion.server.ServiceFactory") misses a quote. The author corrects it in the code that follows.
2. The author uses generate3DesKey() as if it were an ordinary function in Adobe ColdFusion. It is a Lucee function, but is not a function in Adobe ColdFusion. At least not in recent versions.
But there is good news. I will show how to gain access to the function.
The code you need is presented in two parts:
<!--- Replace "yourPassword" with your CF Admin password--->
<cfset createObject("component","CFIDE.adminapi.administrator").login("yourPassword")>
<cfset sf = createObject("java", "coldfusion.server.ServiceFactory")>
<!--- Dump the datasources --->
<cfdump var="#sf.DataSourceService.getDatasources()#">
<!--- Alternative code --->
<!---
<cfset createObject("component","CFIDE.adminapi.administrator").login("yourPassword")>
<!--- Instantiate the data source object --->
<cfset datasourceObject = createObject("component","CFIDE.adminapi.datasource")>
<!--- Dump the datasources --->
<cfdump var="#datasourceObject.getDatasources()#">
--->
<!--- Get from the dump the encrypted password of one of the datasources. Use your own. --->
<cfset encryptedPassword = "XDT5sdkIw1OiCdzj/F2WEvBi6RKBZE/Uz5S+Jx8Gq7w=">
<!--- Get the seed and the algorithm from the file /lib/seed.properties. Use your own. --->
<cfset seed = "655630C7A3C5BA3E">
<cfset encryptionAlgorithm = "AES/CBC/PKCS5Padding">
<!--- Use the CFPage class to gain access to the function generate3DesKey --->
<cfset pageObject = createobject("java","coldfusion.runtime.CFPage")>
<cfset encryptionKey = pageObject.generate3DesKey(seed)>
<cfset decryptedPassword = Decrypt(encryptedPassword, encryptionKey, encryptionAlgorithm, "base64")>
Decrypted datasource password: <cfoutput>#decryptedPassword#</cfoutput>
BKBK, while you're right that the function is not DOCUMENTED, it DOES in fact work as a built-in function in CFML. As such, you don't need the call to Java to get it.
I suspect that you didn't try it, but just looked for it in the docs, and found it only in Lucee docs. I can confirm that is so (more in a moment on fixing that). You may even have tried to view it in the CF getfunctionlist function result. I confirm also it's not there.
But the function DOES indeed work, and in each CF release I tried from CF2021 back to CF10. Here's a simple demo:
<cfdump var="#generate3DesKey("123")#">
Also, I have just created a tracker ticket pointing all this out:
https://tracker.adobe.com/#/view/CF-4212709
Either of you (or other readers) may want to add votes there, to get Adobe to address this. (They may not care to expose the process of decrypting passwords, but the function clearly is of more generic value than that specific use.)
Finally, while that site's code and BKBK's above focus on using the CF admin api functions to obtain passwords, you can also just use the password as you find it in any of the various neo xml files, to decrypt them. One just needs that, and such code as that with that function, and the seed for that server, and the algorithm indicated in that seed.properties file. As such, it of course makes that seed.properties file and those neo xml files important to secure.
But back to the original question, there's no way to encrypt them. But if someone has access to files on your server, you're already in trouble. See the CF Lockdown Guide (and optionally the auto lockdown tool introduced in CF2018) for more on securing those files (and other CF files) beyond the default configuration.
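As an added defender's check (example code written for this thread, not Charlie's, BKBK's or Adobe's), a POSIX shell function that audits whether the files named above, lib/neo-*.xml and lib/seed.properties under a ColdFusion instance directory, are readable by anyone other than the owning account. The instance path in the usage comment is an assumption.

```shell
#!/bin/sh
# Audit the permissions of the files that, taken together, allow datasource
# password recovery: lib/neo-*.xml (hold the encrypted passwords) and
# lib/seed.properties (holds the seed and the algorithm used to encrypt them).
# Prints one line per file and returns 0 if every file is owner-readable only,
# 1 if any file is readable by group or others (or the directory is missing).
# Usage: check_cf_secrets /opt/coldfusion/cfusion   (path is an assumption)
check_cf_secrets() {
    cf_dir=$1
    lax=0
    if [ ! -d "$cf_dir/lib" ]; then
        echo "ERROR: $cf_dir/lib not found" >&2
        return 1
    fi
    for f in "$cf_dir"/lib/neo-*.xml "$cf_dir"/lib/seed.properties; do
        [ -f "$f" ] || continue              # skip unmatched glob patterns
        # Portable mode check via ls -L (follows symlinks): in the 10-char
        # mode string, column 5 is group-read and column 8 is other-read.
        mode=$(ls -ldL "$f" | cut -c1-10)
        case "$mode" in
            ????r*|???????r*)
                printf 'LAX %s %s\n' "$mode" "$f"
                lax=1 ;;
            *)
                printf 'ok  %s %s\n' "$mode" "$f" ;;
        esac
    done
    if [ "$lax" -eq 1 ]; then
        echo "WARNING: files marked LAX are readable beyond the owning account;" >&2
        echo "         see the CF Lockdown Guide (e.g. chmod 600 on each file)" >&2
        return 1
    fi
    echo "OK: CF secret files under $cf_dir/lib are owner-readable only"
    return 0
}

# Run against the instance directory given on the command line, if any.
[ $# -gt 0 ] && check_cf_secrets "$1"
```
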
BKBK, while you're right that the function is not DOCUMENTED, it DOES in fact work as a built-in function in CFML. As such, you don't need the call to Java to get it.
I suspect that you didn't try it, but just looked for it in the docs, and found it only in Lucee docs. I can confirm that is so (more in a moment on fixing that). You may even have tried to view it in the CF getfunctionlist function result. I confirm also it's not there.
But the function DOES indeed work, and in each CF release I tried from CF2021 back to CF10. Here's a simple demo:
<cfdump var="#generate3DesKey("123")#">
By @Charlie Arehart
To respond to your points on generate3DesKey:
Also, I have just created a tracker ticket pointing all this out:
https://tracker.adobe.com/#/view/CF-4212709
Either of you (or other readers) may want to add votes there, to get Adobe to address this.
Thanks for your reply, BKBK. Do you have an official link? The security department needs it to mark this as checked.
Thanks for your reply BKBK.
By @HugoA
My pleasure.
Do you have an official link? The security department needs it to mark this as checked.
Give them the link to this thread. It is https://community.adobe.com/t5/coldfusion-discussions/process-to-encrypt-neo-datasource-xml/td-p/127...