.. _ChapterEncryptedPassword:

***************************
TLS and Password Encryption
***************************

Description
===========

Knomi TransactionDb provides a tool to create an encrypted password from a symmetric key. The TransactionDb REST server can be started in TLS mode, for which the admin must provide a server certificate. This server certificate may be created with or without a password. If it is created with a password, the password can be provided either in plain text or encrypted. The aw_knomi_encrypt_password tool creates the encrypted password from a symmetric key and the plain password. Besides its main output, the encrypted password, the tool also generates an initialization vector (IV) as an artifact. If the admin chooses to use the encrypted password with the TLS certificate, this IV and the same symmetric key must later be supplied together with the generated encrypted password.

Example
=======

If eg_symmetric_key.txt contains the base64 symmetric key as follows:

.. code-block:: text
   :caption: *Example symmetric key*
   :name: Example symmetric key

   mYq3t6w9z$C&F)J@NcRfUjWnZr4u7x!A%D*G-KaPdSgVkYp2s5v8y/B?E(H+MbQeThWmZq4t6w9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-KaPdSgVkYp3s6v9y$B?E(H+MbQeThWmZq4t7w!z%C*F)J@NcRfUjXn2r5u8x/A?D(G+KaPdSgVkYp3s6v9y$B&E)H@McQfThWmZq4t7w!z%C*F-JaNdRgUkXn2r5u8x/A?D(G+KbPeShVmYq3s6v9y$B&E)H@McQfTjWnZr4u7w!z%C*F-JaNdRgUkXp2s5v8y/A?D(G+KbPeShVmYq3t6w9z$C&E)H@McQfTjWnZr4u7x!A%D*G-JaNdRgUkXp2s5v8y/B?E(H+MbPeShVmYq3t6w9z$C&F)J@NcRfTjWnZr4u7x!A%D*G-KaPdSgVkXp2s5v8y/B?E(H+MbQeThWmZq3t6w9z$C&F)J@NcRfUjXn2r5u7x!A%D*G-KaPdSgVkYp3s6v9y/B?E(H+MbQeTh

The output might look as follows:

.. code-block:: bash
   :caption: *sample run and output*
   :name: sample run and output

   $ ./aw_knomi_encrypt_password --password-encryption-key eg_symmetric_key.txt --password "abc123"
   password-encrypted=6yaSukaeQQ2yRv7m5qZZQA==
   password-decryption-iv=uaxG9nLvGqkU0za20RZkKQ==
   password-decryption-key=eg_symmetric_key.txt

The output lines can be copied and pasted into the config file that is used to start the server. The config file might then look as follows:

.. code-block:: text
   :caption: *sample config file after copying output of password encryption tool*
   :name: sample config file after copying output of password encryption tool

   host=localhost
   port=8090
   db-host=www.testTransactionDb.com
   db-user=knomi
   db-pw=knomi
   db-name=knomi
   certificate=
   password-encrypted=6yaSukaeQQ2yRv7m5qZZQA==
   password-decryption-iv=uaxG9nLvGqkU0za20RZkKQ==
   password-decryption-key=eg_symmetric_key.txt

Usage of aw_knomi_encrypt_password tool
=======================================

In Linux:

.. code-block:: bash
   :caption: *Usage in linux*
   :name: Usage in linux

   ./aw_knomi_encrypt_password --password-encryption-key --password

Using TLS certificate
=====================

TLS certificates can be obtained from any known certificate authority. **For testing purposes ONLY, integrators can use a self-signed certificate.** **mkcert** and **openssl** can be used to create a self-signed certificate with or without a password.

Linux
~~~~~

.. code-block:: bash
   :caption: *get mkcert*
   :name: get mkcert

   wget -O mkcert https://github.com/FiloSottile/mkcert/releases/download/${VER}/mkcert-${VER}-linux-amd64

.. code-block:: bash
   :caption: *enable execute permission*
   :name: enable execute permission

   chmod +x mkcert

.. code-block:: bash
   :caption: *install local certificate authority*
   :name: install local certificate authority

   mkcert -install

.. code-block:: bash
   :caption: *create private key and cert pem files*
   :name: create private key and cert pem files

   mkcert localhost 127.0.0.1

It might create e.g.
the following PEM files, the first containing the private key and the second the certificate:

.. code-block:: text
   :caption: *example generated pem files by mkcert*
   :name: example generated pem files by mkcert

   localhost+1-key.pem
   localhost+1.pem

First copy the content of the key file, then that of the certificate file, into a new file, e.g. **localhost.pem**. **localhost.pem** is now ready to be used to start the REST server.

If the integrator wants to use a TLS certificate with a password, they can use **openssl** to achieve that. The following command asks for the password together with other prompts for various metadata.

.. code-block:: bash
   :caption: *run openssl from admin mode cmd*
   :name: run openssl from admin mode cmd

   openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

.. code-block:: text
   :caption: *example generated pem files by openssl*
   :name: example generated pem files by openssl

   key.pem
   cert.pem

First copy the content of the key file, then that of the certificate file, into a new file, e.g. **localhost.enc.pem**. **localhost.enc.pem** is now ready to be used to start the REST server together with the password.

If the integrator wants to create the certificate with the IP of the server instead of localhost, they can create the following config file, e.g. cert_config.txt:

.. code-block:: ini
   :caption: *sample cert_config.txt*
   :name: sample cert_config.txt

   [req]
   default_bits = 4096
   default_md = sha256
   distinguished_name = req_distinguished_name
   x509_extensions = v3_req
   prompt = no

   [req_distinguished_name]
   C = US
   ST = MA
   L = some_city
   O = some_company
   OU = some_unit
   CN =

   [v3_req]
   keyUsage = keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth
   subjectAltName = @alt_names

   [alt_names]
   IP.1 =

Then use this config file as in the following command. The server can now be accessed from another machine.

.. code-block:: bash
   :caption: *run openssl with config file*
   :name: run openssl with config file

   openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -config cert_config.txt
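As an added illustration of the password encryption scheme from the Description and Example sections (not the tool's own code; the page does not document its cipher), the following Go program shows both halves: what aw_knomi_encrypt_password produces from the key file and the plain password, and what the server must do with the password-encrypted and password-decryption-iv values plus the key file at startup. AES-256-CBC with PKCS#7 padding, SHA-256 derivation of the AES key from the key file contents, and the key string itself are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Constructed stand-in for the contents of eg_symmetric_key.txt. Deriving the AES key by
// SHA-256 and using AES-256-CBC with PKCS#7 padding are assumptions of this example.
const keyFileContents = "mYq3t6w9z$C&F)J@NcRfUjWnZr4u7x!A%D*G-KaPdSgVkYp2s5v8y/B?E(H+MbQeTh"

func newCipher(keyFile string) cipher.Block {
	sum := sha256.Sum256([]byte(strings.TrimSpace(keyFile)))
	block, _ := aes.NewCipher(sum[:]) // cannot fail: the derived key is always 32 bytes
	return block
}

// EncryptPassword yields what the tool prints: base64 ciphertext and a fresh random IV.
func EncryptPassword(keyFile, password string) (encB64, ivB64 string, err error) {
	iv := make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return "", "", err
	}
	pad := aes.BlockSize - len(password)%aes.BlockSize // PKCS#7: always 1..16 bytes
	buf := append([]byte(password), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(newCipher(keyFile), iv).CryptBlocks(buf, buf)
	return base64.StdEncoding.EncodeToString(buf), base64.StdEncoding.EncodeToString(iv), nil
}

// DecryptPassword is the server's startup step: recover the certificate password from the two config values.
func DecryptPassword(encB64, ivB64, keyFile string) (string, error) {
	ct, err1 := base64.StdEncoding.DecodeString(encB64)
	iv, err2 := base64.StdEncoding.DecodeString(ivB64)
	if err1 != nil || err2 != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("malformed password-encrypted or password-decryption-iv value")
	}
	cipher.NewCBCDecrypter(newCipher(keyFile), iv).CryptBlocks(ct, ct)
	// CBC has no integrity check: a wrong key or an edited config value shows up as bad padding.
	pad := int(ct[len(ct)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(ct[len(ct)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding: wrong key or tampered config value")
	}
	return string(ct[:len(ct)-pad]), nil
}
```

The ciphertext and IV this produces are 16 bytes each (24 base64 characters), the same lengths as the sample output above; the padding check is the only place a wrong key file or a hand-edited config value is caught, so a failure there at server start is the symptom to look for.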