The fglpass tool


For security reasons, it is recommended that you avoid storing clear passwords in a file, or leave private keys unprotected without a password.


Using fglpass

The fglpass tool, provided as part of the Genero Web Services (GWS), allows you to:

  1. Start a password agent that serves the passwords of private keys to 4GL applications.
  2. Encrypt a password with an RSA key or certificate and encode it in BASE64 form.
  3. Decrypt a BASE64 encoded password with an RSA private key.
  4. Encode a file in BASE64 form.
  5. Decode a BASE64 encoded file.

Syntax:

  fglpass [-options]

Command Line Options:

  Option               Description
  -V                   Display version information
  -Vssl                Display the SSL version
  -h                   Display this help
  -e                   Encrypt the password with an RSA key or certificate and encode it in BASE64 form
  -d                   Decode the BASE64 form of the password and decrypt it with an RSA private key
  -w cert              Name of the Windows certificate used to encrypt the password (Windows only)
  -c cert              File of the PEM-encoded certificate used to encrypt the password
  -k key               File of the PEM-encoded private key used to encrypt or decrypt the password
  -enc64 file          File to be BASE64 encoded (result to stdout)
  -dec64 file          BASE64 encoded file to be decoded (result to stdout)
  -agent:port files    Start the password agent on the specified port to serve the listed private key files



Using the password agent

The fglpass tool can be started as an agent that supplies the password of a private key to any 4GL application that needs it, so the password does not have to be typed each time. You enter the password once for each private key when the agent starts; after that, any 4GL application started on the same machine and under the same user name as the agent obtains the passwords from the agent instead of prompting for them.

Authentication and data encryption are performed between the 4GL application and the agent to guarantee the confidentiality of the passwords, and the passwords are also stored encrypted in the agent's memory.

To start the password agent on port 4242 and serve 4GL applications with the passwords of the private keys RSAKey1.pem and DSAKey2.der, specify the -agent option followed by a colon, the port number on which the agent will be reachable, and the list of private key files the agent will handle for all 4GL applications:

    fglpass -agent:4242 RSAKey1.pem DSAKey2.der

The agent then asks you to enter the password of each key (passwords are not echoed to the console as you type). In this example, you see:

    Enter pass phrase for RSAKey1.pem:

followed by:

    Enter pass phrase for DSAKey2.der:

Once all keys have been processed, the agent displays the following message to indicate that it is ready to serve requests:

    Agent started

Finally, to let a 4GL application use the password agent, set the entry called security.global.agent in the FGLPROFILE file to the port number of the agent.

In our example, with value 4242:

    security.global.agent = "4242"



Encrypting a password

The fglpass tool can encrypt a password using an RSA key or certificate, and then encode it in BASE64 form. This allows you to easily add a protected password in the FGLPROFILE file for future use by any 4GL application.

To encrypt a password with an RSA key and encode it in BASE64 form, enter:

    fglpass -e -k RSAPub.pem

You are prompted to enter the password you want to encrypt:

    Enter password :hello

The fglpass tool outputs the BASE64 form of the encrypted password on the console.

    BASE64 BEGIN
    Pzk/fNRhetdJDZz5kjNg7P0XET4XsW6bys/fi0DvugxRPh9d/s41oAws65JY0EPb2zytQjxZ/dwaaRzJPYoQmA==
    BASE64 END

Note: The BASE64 encrypted password is the string between BASE64 BEGIN and BASE64 END.



Decrypting a password

The fglpass tool can decrypt a BASE64 encoded, encrypted password using the RSA private key that was used to encrypt it, or the private key associated with a certificate that contains the public part of that key.

To decrypt a BASE64 encoded, encrypted password with an RSA private key, enter:

    fglpass -d -k RSAPriv.pem

If the RSA key is protected with a password, you are first asked to enter that password (it is not echoed to the console as you type):

    Enter pass phrase for RSAPriv.pem:

Next, you are prompted to enter the BASE64 encoded, encrypted password you want to decrypt:

    Enter password :Pzk/fNRhetdJDZz5kjNg7P0XET4XsW6bys/fi0DvugxRPh9d/s41oAws65JY0EPb2zytQjxZ/dwaaRzJPYoQmA==

The fglpass tool outputs the password in clear text on the console.

    hello



Encoding a file in BASE64 form

The fglpass tool can encode a file in BASE64 form.

To encode the file MyFile in BASE64, enter:

    fglpass -enc64 MyFile

The fglpass tool outputs the BASE64 form of the file to the console:

    BASE64 BEGIN
    c2VjdXJpdHkuZ2xvYmFsLmFnZW50ICAgICAgPSAiNDI0MiINCmNyeXB0by5pZDEua2V5ICAgICAgICAgICAgID0gIlJTQTEwMjRLZXkucGVtIg0KY3J5cHRv
    LmlkMi5rZXkgICAgICAgICAgICAgPSAiUlNBMjA0OEtleS5wZW0iDQpjcnlwdG8uaWQzLmtleSAgICAgICAgICAgICA9ICJEU0ExMDI0S2V5LnBlbSINCmNy
    eXB0by5pZDQua2V5ICAgICAgICAgICAgID0gIlJTQTUxMlByb3RlY3RlZC5wZW0iDQpjcnlwdG8uaWQ1LmtleSAgICAgICAgICAgICA9ICJEU0E1MTJSZWFs
    bHlQcm90ZWN0ZWQucGVtIg0K
    BASE64 END

Notes:
  1. The BASE64 encoded file is the string between BASE64 BEGIN and BASE64 END.
  2. You can redirect the output of the fglpass tool to a file. For example:
    fglpass -enc64 MyFile > Base64filename



Decoding a BASE64 form encoded file

The fglpass tool can decode a BASE64 encoded file.

To decode a file encoded in BASE64 form, enter:

    fglpass -dec64 Base64filename

The fglpass tool outputs the file in clear form on the console:

    security.global.agent      = "4242"
    crypto.id1.key             = "RSA1024Key.pem"
    crypto.id2.key             = "RSA2048Key.pem"
    crypto.id3.key             = "DSA1024Key.pem"
    crypto.id4.key             = "RSA512Protected.pem"
    crypto.id5.key             = "DSA512ReallyProtected.pem"

Notes:
  1. You don't have to remove the BASE64 BEGIN and BASE64 END tags, if they are present in the file, because the fglpass tool detects and removes them automatically.
  2. You can redirect the output of the fglpass tool to a file. For example:
    fglpass -dec64 Base64MyFile > MyFile2
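As an added illustration of the BASE64 framing used by the -enc64 and -dec64 modes above (this is example code written for this page, not part of the fglpass tool or of its documentation), the following Python encodes data between BASE64 BEGIN / BASE64 END lines and decodes input whether or not those tags are present, as note 1 says fglpass does. The 120-character line width is taken from the output shown on this page and is an assumption, not a documented fglpass parameter; the sample blob is the -enc64 output printed above, and decoding it reproduces the FGLPROFILE lines shown for -dec64.

```python
import base64
import binascii

BEGIN_TAG = "BASE64 BEGIN"
END_TAG = "BASE64 END"

# Line width observed in the fglpass -enc64 output on this page (assumption).
LINE_WIDTH = 120

# The -enc64 output shown on this page, copied as printed (tags included).
PAGE_OUTPUT = """BASE64 BEGIN
c2VjdXJpdHkuZ2xvYmFsLmFnZW50ICAgICAgPSAiNDI0MiINCmNyeXB0by5pZDEua2V5ICAgICAgICAgICAgID0gIlJTQTEwMjRLZXkucGVtIg0KY3J5cHRv
LmlkMi5rZXkgICAgICAgICAgICAgPSAiUlNBMjA0OEtleS5wZW0iDQpjcnlwdG8uaWQzLmtleSAgICAgICAgICAgICA9ICJEU0ExMDI0S2V5LnBlbSINCmNy
eXB0by5pZDQua2V5ICAgICAgICAgICAgID0gIlJTQTUxMlByb3RlY3RlZC5wZW0iDQpjcnlwdG8uaWQ1LmtleSAgICAgICAgICAgICA9ICJEU0E1MTJSZWFs
bHlQcm90ZWN0ZWQucGVtIg0K
BASE64 END
"""


def encode_base64_framed(data: bytes, width: int = LINE_WIDTH) -> str:
    """Return the BASE64 form of `data`, wrapped to `width` characters per
    line and framed with the BASE64 BEGIN / BASE64 END tags."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([BEGIN_TAG, *lines, END_TAG]) + "\n"


def decode_base64_framed(text: str) -> bytes:
    """Decode a BASE64 blob, tolerating optional BEGIN/END tags, line
    wrapping and surrounding whitespace. Malformed input (characters
    outside the BASE64 alphabet, bad padding) raises ValueError instead
    of silently yielding truncated data."""
    body = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line in (BEGIN_TAG, END_TAG):
            continue  # framing tags and blank lines are not data
        body.append(line)
    try:
        # validate=True rejects stray characters rather than discarding them.
        return base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed BASE64 input: {exc}") from exc


def is_well_formed(text: str) -> bool:
    """True if `text` decodes cleanly under the rules above."""
    try:
        decode_base64_framed(text)
        return True
    except ValueError:
        return False


def decode_page_output() -> list:
    """Decode PAGE_OUTPUT and return the FGLPROFILE lines it contains."""
    return decode_base64_framed(PAGE_OUTPUT).decode("ascii").splitlines()


if __name__ == "__main__":
    for entry in decode_page_output():
        print(entry)
    # Round trip a constructed FGLPROFILE fragment through the framing.
    sample = b'security.global.agent = "4242"\r\n'
    framed = encode_base64_framed(sample)
    print(framed, end="")
    assert decode_base64_framed(framed) == sample
```

The decoder keeps the same behaviour as fglpass for the tags but is deliberately strict about the payload: `validate=True` makes a corrupted or partially copied encoded file fail with an error rather than decode into a truncated FGLPROFILE that would be silently loaded.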
