

Encrypt with fglpass tool

For security reasons, avoid storing clear-text passwords in a file. Genero Web Services can encrypt the password of an HTTP Authenticate entry in the FGLPROFILE file; the Genero Web Services engine decrypts the encrypted password when it is required.

FglPass tool

The Genero Web Services package provides a command line tool called fglpass. The fglpass tool can encrypt a password with an X.509 certificate or an RSA private key. The encrypted password is displayed on the console in Base64 form, composed only of alphanumeric characters, and is therefore easy to use in any text file.

See fglpass for more details.


Encrypt an HTTP Authenticate password

  1. Find the HTTP Authenticate entry with the password you want to encrypt:

    authenticate.myentry.login    = "mylogin"
    authenticate.myentry.password = "mypassword"
  2. Add the certificate and its private key in the FGLPROFILE file as follows:

    security.mykey.certificate = "MyCertificate.crt"
    security.mykey.privatekey  = "MyPrivateKey.pem"
  3. Encrypt the password with fglpass:

    $ fglpass -c MyCertificate.crt
    Enter password :mypassword

    The fglpass output looks like the following:

    BASE64 BEGIN
    dBy3E5JCVxuoxsR+aOBVfp1j0SwQPt+hdjpMKriWvO2xMd5rFnFEwv+sPPd4w
    /onWviG0M5mqubBeS7QUlt/ZK0D1aO9/R5RVa5wylQu//6vxfyd8NG/
    SFJmlVH63kuyXfiVfq6bHo5+nlQZpVjSHfF2msET3S9HTpZUt4NblP4=
    BASE64 END

    Note: The encrypted password is the long string of characters between the BASE64 BEGIN and BASE64 END markers. The line is wrapped here for display purposes only.

  4. Replace the clear password with the encrypted one, and specify the key used to encrypt it (mykey in our case):

    authenticate.myentry.login          = "mylogin"
    authenticate.myentry.password.mykey = "dBy3E5JCVxuoxsR+
    aOBVfp1j0SwQPt+hdjpMKriWvO2xMd5rFnFEwv+sPPd4w
    /onWviG0M5mqubBeS7QUlt/ZK0D1aO9/R5RVa5wylQu//6vxfyd8NG/
    SFJmlVH63kuyXfiVfq6bHo5+nlQZpVjSHfF2msET3S9HTpZUt4NblP4="

    Note: Do not forget to put quotes around the Base64 form; otherwise the '=' character is interpreted when FGLPROFILE is loaded. The line is wrapped here for display purposes only.


Encrypt an HTTP Authenticate password using a certificate in the Windows key store

  1. Find the HTTP Authenticate entry with the password you want to encrypt:

    authenticate.myentry.login    = "mylogin"
    authenticate.myentry.password = "mypassword"
  2. Add the subject of the certificate registered in the Windows key store:

    security.mykey.subject = "Georges"
  3. Encrypt the password with fglpass:

    $ fglpass -s Georges
    Enter password :mypassword

    The fglpass output looks like this:

    BASE64 BEGIN
    dBy3E5JCVxuoxsR+aOBVfp1j0SwQPt+hdjpMKriWvO2xMd5rFnFEwv+sPPd4w
    /onWviG0M5mqubBeS7QUlt/ZK0D1aO9/R5RVa5wylQu//6vxfyd8NG/
    SFJmlVH63kuyXfiVfq6bHo5+nlQZpVjSHfF2msET3S9HTpZUt4NblP4=
    BASE64 END

    Note: The encrypted password is the long string of characters between the BASE64 BEGIN and BASE64 END markers. The line is wrapped here for display purposes only.

  4. Replace the clear password with the encrypted one, and specify the key used to encrypt it (mykey in our case):

    authenticate.myentry.login          = "mylogin"
    authenticate.myentry.password.mykey = "dBy3E5JCVxuoxsR+
    aOBVfp1j0SwQPt+hdjpMKriWvO2xMd5rFnFEwv+sPPd4w
    /onWviG0M5mqubBeS7QUlt/ZK0D1aO9/R5RVa5wylQu//6vxfyd8NG/
    SFJmlVH63kuyXfiVfq6bHo5+nlQZpVjSHfF2msET3S9HTpZUt4NblP4="

    Note: Do not forget to put quotes around the Base64 form; otherwise the '=' character is interpreted when FGLPROFILE is loaded. The line is wrapped here for display purposes only.
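As an added example (not part of the fglpass documentation or the Genero product), a small Python audit script that checks the FGLPROFILE conventions from the two procedures above: it flags authenticate.*.password entries still held in clear text, unquoted encrypted values (the '=' problem from the note), values that are not valid Base64, and password.<key> entries whose key has neither a security.<key>.certificate/privatekey pair nor a security.<key>.subject definition. The sample FGLPROFILE content is constructed and its Base64 value is a placeholder, not real fglpass output.

```python
import base64

# Constructed sample FGLPROFILE (not from the page): one clear-text entry, one
# correct encrypted entry, one unquoted value, one entry with no matching key.
SAMPLE = '''
security.mykey.certificate = "MyCertificate.crt"
security.mykey.privatekey  = "MyPrivateKey.pem"
security.winkey.subject    = "Georges"
authenticate.legacy.password = "mypassword"
authenticate.good.password.mykey   = "aGVsbG8gd29ybGQ="
authenticate.win.password.winkey   = aGVsbG8gd29ybGQ=
authenticate.orphan.password.nokey = "aGVsbG8gd29ybGQ="
'''

def parse_fglprofile(text):
    """Map each 'name = value' line to (value, was_quoted); split at the first '='."""
    entries = {}
    for line in text.splitlines():
        name, sep, raw = line.partition('=')
        if not sep or line.lstrip().startswith('#'):
            continue
        raw = raw.strip()
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        entries[name.strip()] = (raw[1:-1] if quoted else raw, quoted)
    return entries

def audit_passwords(text):
    """Return (entry, problem) pairs for authenticate.*.password settings."""
    entries = parse_fglprofile(text)
    findings = []
    for name, (value, quoted) in entries.items():
        parts = name.split('.')
        if parts[0] != 'authenticate' or len(parts) < 3 or parts[2] != 'password':
            continue
        entry = parts[1]
        if len(parts) == 3:                       # authenticate.X.password
            findings.append((entry, 'clear-text password'))
            continue
        key = parts[3]                            # authenticate.X.password.KEY
        if not quoted:                            # unquoted '=' padding is misread
            findings.append((entry, 'encrypted value must be quoted'))
        try:
            base64.b64decode(value, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            findings.append((entry, 'value is not valid base64'))
        by_cert = {f'security.{key}.certificate', f'security.{key}.privatekey'} <= set(entries)
        by_store = f'security.{key}.subject' in entries
        if not (by_cert or by_store):
            findings.append((entry, f'no security.{key}.* definition'))
    return findings
```

Run audit_passwords on the real FGLPROFILE text to list the entries that still need to be encrypted or fixed before deployment.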


Use the password agent

The fglpass tool can be started as an agent that supplies private-key passwords to 4GL applications, so that no password has to be typed each time an application needs access to a private key. You enter the password once for each private key when the agent starts; any 4GL application that is then started on the same machine and under the same user name as the agent obtains the passwords from the agent instead of prompting for them.

Communication between the 4GL application and the agent is authenticated and encrypted to protect the confidentiality of the passwords, and the passwords are also stored encrypted in the agent's memory.

  1. To start the password agent on port 4242 and serve 4GL applications with the passwords of the private keys RSAKey1.pem and DSAKey2.der, specify the -agent option, followed by a colon and the port number on which the agent will be reachable, followed by the list of private keys the agent will handle for all 4GL applications:
    fglpass -agent:4242 RSAKey1.pem DSAKey2.der
  2. The agent prompts you for the password of each key; the passwords are not echoed to the console as you type them. In this example, you see:

    Enter pass phrase for RSAKey1.pem:
    Followed by:
    Enter pass phrase for DSAKey2.der:
  3. Once all keys have been processed, the agent displays the following message to indicate that it is ready to serve requests:
    Agent started
  4. To enable a 4GL application to use the password agent, set the security.global.agent entry in the FGLPROFILE file to the port number of the agent.

    In our example, with value 4242:

    security.global.agent = "4242"


Encrypt a password

The fglpass tool can encrypt a password using an RSA key or a certificate, and then encode the result in BASE64 form. This allows you to easily add a protected password to the FGLPROFILE file for later use by any 4GL application.

  1. To encrypt a password with an RSA key and encode the result in BASE64, enter:
    fglpass -e -k RSAPub.pem
  2. You are prompted to enter the password you want to encrypt.
    Enter password :hello

    The fglpass tool outputs the BASE64 form of the encrypted password on the console.

    BASE64 BEGIN
    Pzk/fNRhetdJDZz5kjNg7P0XET4XsW6bys/fi0DvugxRPh9d/s41oAws65JY0EPb2zytQjxZ/dwaaRzJPYoQmA==
    BASE64 END
    Note: The BASE64 encrypted password is the string between the BASE64 BEGIN and BASE64 END markers.


Decrypt a password

The fglpass tool can decrypt a BASE64 encoded and encrypted password using the RSA private key that was used to encrypt it, or the private key associated with a certificate containing the public part of that key.

  1. To decrypt a BASE64 encoded and encrypted password with an RSA private key, enter:
    fglpass -d -k RSAPriv.pem
  2. If the RSA key is protected with a password, you are asked to enter that password; it is not echoed to the console as you type it.
    Enter pass phrase for RSAPriv.pem:
  3. You are prompted to enter the BASE64 encoded and encrypted password you want to decrypt.
    Enter password :Pzk/fNRhetdJDZz5kjNg7P0XET4XsW6bys/fi0DvugxRPh9d/s41oAws65JY0EPb2zytQjxZ/dwaaRzJPYoQmA==

    The fglpass tool outputs the password in clear text on the console.

    hello


Encode a file in BASE64 form

The fglpass tool can encode a file in BASE64 form.

  1. To encode the file MyFile in BASE64, enter:
    fglpass -enc64 MyFile
    The fglpass tool outputs the BASE64 form of the file to the console.
    BASE64 BEGIN
    c2VjdXJpdHkuZ2xvYmFsLmFnZW50ICAgICAgPSAiNDI0MiINCmNyeXB0by5pZDEua2V5ICAgICAgICAgICAgID0gIlJTQTEwMjRLZXkucGVtIg0KY3J5cHRv
    LmlkMi5rZXkgICAgICAgICAgICAgPSAiUlNBMjA0OEtleS5wZW0iDQpjcnlwdG8uaWQzLmtleSAgICAgICAgICAgICA9ICJEU0ExMDI0S2V5LnBlbSINCmNy
    eXB0by5pZDQua2V5ICAgICAgICAgICAgID0gIlJTQTUxMlByb3RlY3RlZC5wZW0iDQpjcnlwdG8uaWQ1LmtleSAgICAgICAgICAgICA9ICJEU0E1MTJSZWFs
    bHlQcm90ZWN0ZWQucGVtIg0K
    BASE64 END

Decode a BASE64 form encoded file

The fglpass tool can decode a BASE64 encoded file.

  1. To decode a file encoded in BASE64 form, enter:
    fglpass -dec64 Base64filename
    The fglpass tool outputs the file in clear form on the console.
    security.global.agent      = "4242"
    crypto.id1.key             = "RSA1024Key.pem"
    crypto.id2.key             = "RSA2048Key.pem"
    crypto.id3.key             = "DSA1024Key.pem"
    crypto.id4.key             = "RSA512Protected.pem"
    crypto.id5.key             = "DSA512ReallyProtected.pem"