Password Manager module

Security and authentication Bundled: Extension

Edition CE

License

MLA, GPL

Issues

PSWDMNGR

Maven site

Password manager

Latest

3.0.0

The Password Manager module stores encrypted passwords and allows you to retrieve their plain text value programmatically. This is useful for connector modules that need to authenticate to third-party systems with a plain text password.

Once the password is stored, an AdminCentral user can’t see the password in plain text. The plain-text value can only be retrieved programmatically.

The module installs the Passwords app that centralizes the management of passwords in the administration of Magnolia. The passwords are stored in a dedicated workspace called keystore.

Installing with Maven

Maven is the easiest way to install the module. Add the following to your bundle:

<dependency>
  <groupId>info.magnolia.passwordmanager</groupId>
  <artifactId>magnolia-module-password-manager</artifactId>
  <version>3.0.0</version> (1)
</dependency>
1 Should you need to specify the module version, do it using <version>.

The keystore workspace

The passwords are stored in a dedicated workspace called keystore.

Password manager module

The mgnl:passwords node type

The module provides a specific node type for the passwords called mgnl:password.

Key pair values

Password Manager uses a dedicated key pair. The public key that’s used for decryption must be present in the configuration of password-manager-core.

Node name Value

📁 modules

     📁 password-manager-core

         ⬩ publicKey

<PUBLIC_KEY_VALUE>
If you are using docker, you must ensure that the new key pair file is mounted to an external volume. Otherwise the key pair is regenerated on the next deployment and the passwords won’t work.

If you create a new public instance, the public keys need to be synchronized. To synchronize them, you can publish them on the public instances or manually add them to the public instance config workspace.

Key pair generation

The key pair is also stored on the local file system in a file called magnolia-password-manager-keypair.properties by default. The path to this file is configured in the Magnolia property magnolia.password.manager.key.location. The file contains both the private and the public keys used to encrypt and decrypt passwords stored by the Password Manager.

A new file isn’t created on startup if the file containing both keys already exists.

If you want to change the Password Manager key pair:

  • Regenerate it in the Publishing Tools app. For more details, see Regenerating the key pair.

  • Generate it manually using the SecurityUtil.generateKeyPair() function and update it in the magnolia-password-manager-keypair.properties files and /modules/password-manager-core@publicKey. You can’t use externally generated keys for publicKey or privateKey.

    Click here for more details.

    1. In the magnolia.properties file, check the location of the password manager key pair file set in magnolia.password.manager.key.location.

    2. Go to your password manager key pair file and update the public and private key values in the file.

      To create a valid key pair for the magnolia-password-manager-keypair.properties file, you must use the SecurityUtil.generateKeyPair() function.

      1. In the Groovy app, run the following script:

        import info.magnolia.cms.security.SecurityUtil
import info.magnolia.cms.security.MgnlKeyPair

// Generate the key pair
MgnlKeyPair keyPair = SecurityUtil.generateKeyPair();

// The keys are already hex-encoded strings
String publicKeyHex = keyPair.getPublicKey();
String privateKeyHex = keyPair.getPrivateKey();

// Print the keys in the required format
println "publicKey=" + publicKeyHex
println "privateKey=" + privateKeyHex

      2. Copy the output and paste it into your magnolia-password-manager-keypair.properties file.
      The keys stored in the magnolia-password-manager-keypair.properties file are hex-encoded by byteArrayToHex() from info.magnolia.cms.security.SecurityUtil.

    3. Copy and paste the updated public key value from the file into the /modules/password-manager-core@publicKey property. Use the Configuration app to do so.

    4. Reenter any passwords in the Passwords app.

    5. Publish both the public key and the updated passwords to the public instances.

Bootstrapping

Content can be exported and imported for bootstrapping like any other workspace. However, the same encryption key must be used to decrypt the imported passwords as well as encrypt the export.

For security reasons, we don’t recommend bootstrapping password values.

Usage

See the Passwords app page.

Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules