PUBLIC - Liferay Portal Community Edition
LPS-33512

As a system administrator I can configure Liferay to use strong encryption to increase protection of the impersonate and remember me features

    Details

    • Type: Story
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2
    • Fix Version/s: 6.2.0 CE M5
    • Component/s: Security
    • Labels: None

      Description

      The default configuration of Liferay uses insecure DES encryption with a 56-bit key for the company private key.

      The goal of this story is to change the default configuration to a safe one: AES with a 256-bit key.

      Part of the story is also an upgrade process for existing environments that did not change the default configuration.
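      The following is an added example, not Liferay's own code, of the kind of configuration check an administrator can run before and after the upgrade described in this story: it parses a portal-ext.properties-style file and flags the legacy DES/56-bit company-key settings versus the AES/256-bit target, and checks that the password hashing algorithm is a PBKDF2 variant. The property names company.encryption.algorithm, company.encryption.key.size and passwords.encryption.algorithm are assumed from the company.encryption* and passwords.encryption* prefixes quoted on this page; the sample property files below are constructed for the example.

```python
"""Audit a Liferay-style portal-ext.properties for weak company-key settings.

Added example, not Liferay project code. Property names are assumed from the
company.encryption* / passwords.encryption* prefixes shown on the page.
"""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the first '=' or ':' separates key from value
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the hardened settings are in place.

    A missing company.encryption.* property is treated as the 6.1 default the
    story describes (DES, 56-bit), since an unset property falls back to that default.
    """
    findings: List[str] = []

    alg = props.get("company.encryption.algorithm", "DES").upper()
    if alg != "AES":
        findings.append(f"company.encryption.algorithm={alg}: expected AES")

    raw_size = props.get("company.encryption.key.size", "56")
    try:
        size = int(raw_size)
    except ValueError:
        size = 0
    if size < 256:
        findings.append(f"company.encryption.key.size={raw_size}: expected 256")

    pw_alg = props.get("passwords.encryption.algorithm", "")
    if not pw_alg.upper().startswith("PBKDF2"):
        findings.append(
            f"passwords.encryption.algorithm={pw_alg or '<unset>'}: expected a PBKDF2 variant; "
            "verify the effective value in Control Panel > Server Administration > Properties"
        )
    return findings


# Constructed samples: a 6.1 environment that kept the defaults, and the hardened target.
LEGACY_SAMPLE = """# constructed sample: 6.1 defaults left in place
company.encryption.algorithm=DES
company.encryption.key.size : 56
"""

HARDENED_SAMPLE = """# constructed sample: settings after this story's upgrade
company.encryption.algorithm=AES
company.encryption.key.size=256
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000
"""

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"{name}: {audit(parse_properties(sample)) or 'OK'}")
```

      Running the script prints three findings for the legacy sample and "OK" for the hardened one; the same audit can be pointed at a real portal-ext.properties before step 6 and again after step 9 of the test procedure in the comments below.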


          Activity

          Justin Choi added a comment -

          Pending LPS-33565 and LPS-32928

          Justin Choi added a comment -

          PASSED Manual Testing using the following steps:

          1. Start up the 6.1.1 CE GA2 bundle.
             - Sign In > flag the Remember Me check box.
          2. Go to Control Panel > Server Administration.
          3. Go to the Properties tab.
          4. Search for passwords.encryption*. Check the Value field. It should be PBKDF2 with a hash.
          5. Search for company.encryption*. Check the Value field. It should be DES.
          6. Upgrade to 6.2.
             - Make sure that portal-ext.properties has the proper upgrade paths.
             - Make sure that the passwords.encryption.algorithm paths in portal-ext.properties are correct.
          7. Verify that the upgrade process did not break, especially with any database-related errors.
          8. Sign in. (The user must sign in again.)
          9. Search for passwords.encryption*. Check the Value field. It should be PBKDF2 with a hash.
          10. Search for company.encryption*. Check the Value field. It should be AES.

          Fixed on:
          Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 8f5fd08d8ec8bf208c5330483a7a77f3388420c8.


            People

            • Assignee: Justin Choi
            • Reporter: Jorge Ferrer
            • Recent user: Randy Zhu
            • Votes: 0
            • Watchers: 0