Posted to commits@syncope.apache.org by il...@apache.org on 2019/04/03 10:53:50 UTC

[syncope] branch 2_0_X updated: Warning about short secretKey values for AES

This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 2_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/2_0_X by this push:
     new ead58ee  Warning about short secretKey values for AES
ead58ee is described below

commit ead58eec1055a7f29b5db6bb6ac39ab4e5806323
Author: Francesco Chicchiriccò <il...@apache.org>
AuthorDate: Wed Apr 3 12:53:11 2019 +0200

    Warning about short secretKey values for AES
---
 .../systemadministration/configurationparameters.adoc              | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
index 2afc18f..8867e05 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
@@ -25,6 +25,13 @@ barely invoking the REST layer through http://curl.haxx.se/[curl^]:
 * `password.cipher.algorithm` - which cipher algorithm shall be used for encrypting password values; supported 
 algorithms include `SHA-1`, `SHA-256`, `SHA-512`, `AES`, `S-MD5`, `S-SHA-1`, `S-SHA-256`, `S-SHA-512` and `BCRYPT`;
 salting options are available in the `security.properties` file;
+[WARNING]
+The value of the `secretKey` property in the `security.properties` file is used for AES-based encryption / decription.
+Besides password values, this is also used whenever reversible encryption is needed, throughout the whole system. +
+When the `secretKey` value has length less than 16, it is right-padded by random characters during startup, to reach
+such mininum value. +
+It is *strongly* recommended to provide a value long at least 16 characters, in order to avoid unexpected behaviors
+at runtime, expecially with high-availability. 
 * `jwt.lifetime.minutes` - validity of https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^] values used for
 <<rest-authentication-and-authorization,authentication>> (in minutes);
 * `notificationjob.cronExpression` -
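Review bot: the new `[WARNING]` paragraph contains three spelling errors that should be fixed before this lands: `decription` should be `decryption`, `mininum` should be `minimum`, and `expecially` should be `especially`; `a value long at least 16 characters` also reads better as `a value at least 16 characters long`. On substance, the warning would be more actionable if it said why high-availability is the risky case: since the padding is made of random characters and applied at startup, every process that starts from the same short `secretKey` presumably ends up with a different effective key, so a cluster node (or the same node after a restart) cannot decrypt values that another process encrypted; spelling that out tells the administrator what "unexpected behaviors" to expect. Finally, check the AsciiDoc rendering: `[WARNING]` is inserted directly between two `*` list items with neither a blank line nor a `+` list continuation, so confirm that the admonition renders as intended and the bullet list is not split in two.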