Tridion Tips: Decrypting broker database, Smart Target passwords – a possible security concern


TIP 1: Decrypting Broker database, Smart Target passwords

The SDL Live documentation recommends encrypting passwords in config files. Have a look at this link.
Let's start with the passwords stored in the Storage config file, cd_storage_conf.xml. Below is a sample setting for storing content inside the broker database.

The above password can actually be decrypted, and you can gain access to the database.

A simple rule: never CATCH any Exceptions when writing programs to understand the internal workings of a system. It is these Exceptions that help us understand the system.

This very basic notion, along with a few other things, including SDL's Live documentation, helped me write a Decryption class for decrypting the passwords. Check the bottom of this post for a download link.

The below method works well to decrypt the passwords in smarttarget_conf.xml too.

Coming back to the topic, there are 2 cases possible.

CASE I:
The default Key Provider that comes with Tridion is used. Run the command below and you have the password.

java -cp .;cd_core.jar Decryption K70u1f/uS+H9X3HAG4HHHg==

The Output will be:
PDEC_2

CASE II:
In case a custom class is used to implement the Key Provider, the process remains the same; the only change is that we pass two command arguments: the ClassName and the PasswordString to be decrypted.

java -cp .;cd_core.jar Decryption <CUSTOM_KEY_PROVIDER_CLASS_NAME> K70u1f/uS+H9X3HAG4HHHg==

Note that the file cd_core.jar must be present in the directory from which you are executing the command. This JAR file can be found in any Tridion-based website's /bin/lib directory. Also, Java must be installed to run these commands.

In most scenarios, it is CASE I above that is implemented in an organization. Also, for CASE II to work, there is a catch: you must somehow know the class name that implements the Key Provider.

Takeaways:
Use a custom class to implement the Key Provider. This will make the password stronger and more difficult to decrypt. You may use obfuscation to secure the class further.
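Since an encrypted value can be recovered by anyone holding the config file and cd_core.jar, a useful defensive check is to inventory stored passwords in cd_storage_conf.xml and smarttarget_conf.xml and see who can read those files. The script below is an added example, not part of the original post or of Tridion. The "encrypted:" prefix, the two element shapes and the sample XML are assumptions; adjust them to what your files contain.

```python
import os
import stat
import xml.etree.ElementTree as ET

ENCRYPTED_PREFIX = "encrypted:"  # assumption: marker carried by encrypted values
SECRET_NAMES = {"password"}      # property / attribute names treated as secrets

def classify(value):
    """Label a stored credential by how much protection its encoding gives."""
    if value.startswith(ENCRYPTED_PREFIX):
        # Per the post: recoverable by anyone holding this file and cd_core.jar
        # when the default Key Provider is in use.
        return "reversible"
    return "plaintext"

def find_secrets(xml_data):
    """Return [(element_tag, label)] for each password-like value (str or bytes)."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        # Assumed shape 1: <Property Name="Password" Value="..."/>
        if elem.get("Name", "").lower() in SECRET_NAMES and elem.get("Value"):
            findings.append((elem.tag, classify(elem.get("Value"))))
        # Assumed shape 2: <Anything Password="..."/>
        for attr, value in elem.attrib.items():
            if attr.lower() in SECRET_NAMES and value:
                findings.append((elem.tag, classify(value)))
    return findings

def readers_beyond_owner(mode):
    """POSIX mode bits only: classes other than the owner that can read the file."""
    bits = (("group", stat.S_IRGRP), ("other", stat.S_IROTH))
    return [name for name, bit in bits if mode & bit]

def audit(path):
    """Run both checks against one config file on disk."""
    with open(path, "rb") as fh:
        secrets = find_secrets(fh.read())
    return {"path": path, "secrets": secrets,
            "readers": readers_beyond_owner(os.stat(path).st_mode)}

# Constructed sample, not taken from a real installation.
SAMPLE = """<Configuration><Storages>
  <Storage Id="a"><Property Name="Password" Value="encrypted:AAAAAAAAAAAAAAAAAAAAAA=="/></Storage>
  <Storage Id="b"><Property Name="Password" Value="hunter2"/></Storage>
  <Storage Id="c"><Property Name="User" Value="broker"/></Storage>
</Storages></Configuration>"""

if __name__ == "__main__":
    print(find_secrets(SAMPLE))
```

On Windows the mode bits do not reflect NTFS ACLs, so review the file's ACL separately there.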

 

TIP 2: Auto content publishing in child publications, when publishing items from parent publication

When an item is published from the parent publication there is an option to publish it from child publications as well. I guess, the below image says it all.

PublishChildPublications


Some Interesting Points:
  1. The Publishing Target to which the Parent item is being published must be the same for the child publications as well.
  2. Even if the parent item is localized in child publications, they all get published, provided they meet condition 1 above.

TIP 3: Standardize the type of Content created in any Content Manager folder.

  1. Right click the folder and select properties.

    LS_1
  2. Select a Schema in the LinkedSchema field. Also check the box: Mandatory.

    LS_2
  3. Now, whenever you try to create a Component in that folder, the Schema is implicitly set as the Linked Schema of the Content Manager folder. You will NOT be able to create Components based on any other Schema.

    LS_3

Did you notice something different in the image below? Yeah… There is NO option displayed for selecting a Schema when we are creating a Component.

This is because the Schema of this component is set implicitly to the Linked Schema property of the Content Manager folder we just edited.

LS_4

This helped us standardize content creation by Editors. That means a Products folder was restricted to creating Product Components only. In the same way, an Article folder can only contain Article Schema based Components.

That’s all on tips in today’s post. Do comment and share a link to your own bag of Tridion tips & tricks.

Hope you enjoyed this post. Suggestions and feedback are most welcome. 

Download the Decryption class here.


4 thoughts on “Tridion Tips: Decrypting broker database, Smart Target passwords – a possible security concern”

  1. Great tips Nitesh. I tried all and found extremely helpful.

    BTW, the password decryption program you developed is a marvel. Never thought this was possible.
    When are you publishing more of such Tridion Tips?
