DataBase Reader Password encryption. - Mirth Community

#1 | 04-26-2019, 02:40 AM | asaxena

Hi Team,

I am using the Database Reader and connecting to an Oracle DB; in the Database settings option I entered the user name and password.
But my concern is that, even though the password is not visible, it is being stored in plain text in the back end, and if we extract the channel and open the channel details, the DB password is clearly visible. Also, the Database setting is showing the character length of the password.
After that I also tried to connect to the DB with JavaScript but faced the same problem there. Password security is a top priority for my project and I have to find an approach to resolve it.
Is there any way we can encrypt the password, or any other security feature which I can use to increase the password security?
If someone can help or guide me, that would be really helpful for me.

Thanks in advance.

#2 | 04-26-2019, 08:04 AM | cory_cole

I pointed this out to Mirth years ago. We had the console. They suggested then that we store the password on the console, then call the variable for the password.

It is worse than that. If you choose to use JavaScript for your login, it will have the password right there in text.

#3 | 04-26-2019, 04:16 PM | agermano

Put your credentials in the configurationMap and reference the map variables from your channel.

The configurationMap is part of the velocity context, so you can use a velocity replacement token like ${mySecretPass} in your db reader instead of the actual string. It will mask out the velocity token like a real password, but it will still work.

Last edited by agermano; 04-26-2019 at 04:19 PM.

#4 | 05-01-2019, 11:05 PM | asaxena

@cory_cole, thanks for the reply. I am also not sure what approach I should follow now; I couldn't find anything solid for this.

@agermano, thanks for explaining this. What I understand so far from your reply is that you want me to store the password in the configuration map and then, using that configuration map variable, I will call the password at run time and use it. But as I can see, whatever we store in the configuration map is visible; there is no encryption. Please correct me if I didn't understand what you explained.

#5 | 05-02-2019, 07:34 AM | cory_cole

Store the password in a file on a secure server. Create a global script that will read that file and store the password into a global map. Then reference the password from the map.

#6 | 05-02-2019, 04:22 PM | agermano

You were correct. The password is still visible in the configurationMap settings, but it does remove it from the channel configuration so that it will not be in plain text in the export.

This is not the same situation, but illustrates some of the same problems as with what you are asking.
http://www.mirthcorp.com/community/f...ght=encryption

If you store the passwords on a secure server elsewhere and retrieve them, you have the same problem storing the password for the secure server somewhere in Mirth. Also, anyone that has access to create or edit a channel has the ability to write out map variables (configuration or global) in clear text.

Here's a somewhat related open ticket http://www.mirthcorp.com/community/i...owse/MIRTH-762

There is an option to encrypt the entire channel on export (not just the password field), but as the ticket shows, it would still be unencrypted in the database at this time (and thus accessible). The encrypt on export is also to protect your exports, not prevent people from exporting in clear text, because the encryption happens client side, and you could easily bypass it using the REST API.

Even if this ticket is finally resolved, Mirth will still need to be able to decrypt the password, and someone that has access to create or modify channels would be able to access the key.

Pretty much if someone has access to the channel in Mirth, you can't prevent them from being able to get to the password. The best you can do is audit events to watch for people doing things they shouldn't do.

By storing in the configurationMap, you would be able to see if they retrieved the configurationMap entries, either by going to the settings page or using the REST API. I don't have the User Roles plugin, but this is likely also a page that could be restricted to certain users if you have it.

You would also be able to see if people are modifying channels, possibly in order to access information they shouldn't have. If you have the Channel History plugin, it will do the work for you to track all revisions by user even if they quickly change something and change it back.
Reply With Quote
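
A check that follows from posts #3 and #6, as an added example that is not part of the thread or of Mirth Connect: it scans a channel export for password fields holding a literal instead of a Velocity token such as ${mySecretPass}, and for a quoted password passed to DatabaseConnectionFactory.createDatabaseConnection in a JavaScript-mode reader. The XML element layout and the sample values are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# A field holding only a Velocity token, e.g. ${mySecretPass}, carries no secret.
VELOCITY_TOKEN = re.compile(r"\$\{[^}]+\}")
# A quoted literal as the 4th (password) argument of a JavaScript-mode
# DatabaseConnectionFactory.createDatabaseConnection(driver, url, user, pass) call.
SCRIPT_LITERAL = re.compile(
    r"createDatabaseConnection\s*\((?:[^,()]+,){3}\s*(['\"])[^'\"]+\1\s*\)")

def audit_channel_export(xml_text):
    """Return (element path, finding) pairs; the secret itself is never echoed."""
    findings = []

    def walk(elem, path):
        here = path + "/" + elem.tag
        text = (elem.text or "").strip()
        if elem.tag.lower() == "password":
            if text and not VELOCITY_TOKEN.fullmatch(text):
                findings.append((here, "literal password"))
        elif SCRIPT_LITERAL.search(text):
            findings.append((here, "password literal in script"))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

# Constructed samples. The element layout is an assumption about the export
# format, and the credential values are made up.
LITERAL = """<channel><sourceConnector><properties>
  <username>app_user</username><password>constructed-Secret1</password>
</properties></sourceConnector></channel>"""
TOKEN = LITERAL.replace("constructed-Secret1", "${mySecretPass}")
SCRIPTED = """<channel><sourceConnector><properties>
  <password></password>
  <select>var c = DatabaseConnectionFactory.createDatabaseConnection(
    'oracle.jdbc.driver.OracleDriver', 'jdbc:oracle:thin:@db.example:1521:X',
    'app_user', 'constructed-Secret1');</select>
</properties></sourceConnector></channel>"""

if __name__ == "__main__":
    for name, xml_text in (("literal", LITERAL), ("token", TOKEN), ("scripted", SCRIPTED)):
        print(name, audit_channel_export(xml_text))
```

A clean result only shows that the export is free of literals; as post #6 notes, the configurationMap values stay readable to anyone who can view the settings or edit channels.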

Tags
database reader, oracle, password security, security

All times are GMT -8.