System Property Encryption is not cluster aware

Description

Steps to reproduce;

  1. On one node in an Openfire cluster, via the admin console (Server -> Server Manager -> System Properties) create a system property, e.g. "aaa.test-property", with a value. Select the "Encrypt the property value", and click "Save Property".

  2. Note that the admin console indicates that the property value is hidden, and shows the padlock symbol indicating it is encrypted.

  3. Access the System Properties screen on another node in the same cluster.


Expected results;
The System Properties screen on other nodes in the cluster indicates that the property value is hidden, and shows the padlock symbol indicating it is encrypted.

Actual results;
The System Properties screen on other nodes in the cluster displays the plain text value of the property, and does not indicate that it is encrypted.

Note 1; the same behaviour is seen if the property is created in plain text and subsequently encrypted using the "+" button.
Note 2; if the "other" nodes are restarted after the property is encrypted, the encrypted value of the property is shown.

A quick analysis shows that the "this field is encrypted" flag is stored in a file, conf/security.xml, rather than the database. This is probably sub-optimal as the contents of this file need to be replicated across all current and future member clusters.

Environment

None

Acceptance Test - Entry

None

Activity

Greg Thomas
July 22, 2016, 10:02 AM

At the moment, this issue isn't directly affecting me, but it may do so in the future. As such, when there's space clear in front of me, I may be able to look at a fix.

I'd propose adding a new column to the ofproperty table, encrypted BIT(1) NOT NULL default 0 and use that to determine if it's encrypted or not, rather than an entry in conf/security.xml.

Is that an appropriate approach, or can someone else recommend a better one?

The only issue I see is that I'll have trouble checking the required DB upgrade scripts for DB2 / Oracle / Sybase.

Greg Thomas
October 5, 2016, 10:29 AM

Any thoughts on the above suggestion? I'm happy to submit a patch, so long as it's the right way to progress ...

Greg Thomas
July 19, 2017, 3:58 PM

In case anyone is interested, https://github.com/igniterealtime/Openfire/pull/797 implements a solution to this problem.

Daryl Herzmann
November 14, 2017, 5:10 PM

fix is in, resolving.
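
The difference between the two flag locations discussed in this issue, as an added example that is not Openfire code and not taken from the linked pull request. It is a simplified model of the restarted-node case in Note 2: the `Node` class, the `local_flags` set standing in for each node's conf/security.xml, the `propValue` column name and the sample ciphertext string are all assumptions made for illustration.

```python
import sqlite3

def make_db(with_column):
    """Shared cluster database (in-memory SQLite stands in for the real one)."""
    db = sqlite3.connect(":memory:")
    cols = "name TEXT PRIMARY KEY, propValue TEXT NOT NULL"
    if with_column:
        # SQLite has no BIT type; INTEGER stands in for the proposed BIT(1).
        cols += ", encrypted INTEGER NOT NULL DEFAULT 0"
    db.execute(f"CREATE TABLE ofProperty ({cols})")
    return db

class Node:
    """Hypothetical cluster node; decides how to render a property value."""
    def __init__(self, db, flag_in_db):
        self.db = db
        self.flag_in_db = flag_in_db
        self.local_flags = set()  # stands in for this node's conf/security.xml

    def set_encrypted(self, name, ciphertext):
        if self.flag_in_db:
            self.db.execute("INSERT OR REPLACE INTO ofProperty VALUES (?, ?, 1)",
                            (name, ciphertext))
        else:
            self.db.execute("INSERT OR REPLACE INTO ofProperty VALUES (?, ?)",
                            (name, ciphertext))
            self.local_flags.add(name)  # only the local file learns the flag

    def render(self, name):
        """What the System Properties screen would show on this node."""
        if self.flag_in_db:
            value, enc = self.db.execute(
                "SELECT propValue, encrypted FROM ofProperty WHERE name = ?",
                (name,)).fetchone()
        else:
            (value,) = self.db.execute(
                "SELECT propValue FROM ofProperty WHERE name = ?",
                (name,)).fetchone()
            enc = name in self.local_flags
        return "hidden (padlock)" if enc else value

def demo(flag_in_db):
    """Node A encrypts a property; return what node A and node B display."""
    db = make_db(flag_in_db)
    a, b = Node(db, flag_in_db), Node(db, flag_in_db)
    a.set_encrypted("aaa.test-property", "CONSTRUCTED-CIPHERTEXT")
    return a.render("aaa.test-property"), b.render("aaa.test-property")

if __name__ == "__main__":
    print("flag in local file:", demo(False))
    print("flag in DB column: ", demo(True))
```

With the flag kept per node, the second node shows the stored value unmasked; with the flag in the shared table, both nodes mask it.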

Assignee

Greg Thomas

Reporter

Daryl Herzmann

Labels

None

Expected Effort

None

Components

Fix versions

Affects versions

Priority

Major