Setting hashed and salted password using EncodePassword
Progress Software recommends that you use the EncodePassword utility to generate encrypted passwords. You can add user accounts with hashed and salted passwords in the users.properties file.
EncodePassword is only available for REST Web applications developed in OpenEdge 11.4 or later releases.
If your REST Web application does not have EncodePassword, you must use the open source utility, Jacksum, to generate hashed and salted user passwords. For more information on Jacksum, see Setting hashed and salted passwords using Jacksum.
For more information on adding user accounts, see Adding and modifying a user. For more information on hash and salt, refer to the hash and salt cryptography references online.
To use the EncodePassword utility to hash and salt user passwords for the REST Web application, myApplication:
1. Execute the following to open the WEB-INF directory of the REST Web application, myApplication:
CD <dir>\Progress\OpenEdge\servers\tomcat\webapps\myApplication\WEB-INF\
2. Execute EncodePassword located in the REST Web application, specifying the user name, newuser, which acts as the salt source, and the password to be encoded, newpassword:
The encoded password for the user, newuser, is Y9+iCjOORQoqoTWdRgjd/81Ms9w=
This example uses the sha algorithm to hash the newpassword string, with the newuser string as the salt. You can use any of the popular hashing algorithms, such as MD5, SHA256, and SHA512, and you can use any string as the salt in the encoding process.
The EncodePassword utility also generates a second value, 3e373837333620243f202b, using the OpenEdge encryption algorithm, oech1. This value is used to encrypt the shared password between the OpenEdge REST Management Agent and the OpenEdge REST Web applications. For more information on where and how to use and encrypt that password, see Encrypting a password shared by REST Management Agent and REST Web application.
3. Open the security configuration file you chose in Choosing and applying a security configuration and uncomment the code snippet that implements password hashing in REST Web application.
For example, assume that you are using the Basic security configuration, appSecurity-basic-local.xml.
Do the following:
a. Navigate to and uncomment the following code snippet (the password-encoder element and its contents) in appSecurity-basic-local.xml:
<authentication-manager id="RestApplicationtAuth"
    <authentication-provider>
        <!-- Uncomment to add strong password hashing in
             users.properties
        <password-encoder hash="sha" base64="true">
            <salt-source user-property="username" />
        </password-encoder>
In this example, you assigned the existing ROLE_PSCAdmin role to the user, newuser, and enabled newuser to work with the REST Management Agent.
Note: The users.properties file cannot store a mix of plain-text and encoded passwords. Therefore, before adding a new user with an encoded password, you must ensure that all the other users already have encoded passwords.
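The following Python script is an added example (not part of the OpenEdge documentation or the EncodePassword utility) that reproduces what the password-encoder element above computes for a users.properties entry. It assumes the encoder follows the Spring Security MessageDigestPasswordEncoder convention of digesting the string password{salt} before Base64-encoding the digest, and that users.properties lines take the form name=encodedPassword,ROLE_...,enabled; the hash-name mapping and the users_properties_line helper are this example's own.

```python
import base64
import hashlib
import hmac

# Assumption: hash attribute values of the password-encoder element map to these
# hashlib names ("sha" is SHA-1, which is what the page's example uses).
ALGORITHMS = {"sha": "sha1", "md5": "md5", "sha-256": "sha256", "sha-512": "sha512"}

# Value documented on the page for user "newuser" with password "newpassword".
DOCUMENTED_HASH = "Y9+iCjOORQoqoTWdRgjd/81Ms9w="


def encode_password(password: str, salt: str, hash_name: str = "sha", base64_out: bool = True) -> str:
    """Encode `password` salted with `salt` the way the password-encoder element does.

    Assumption: the digest input is password + "{" + salt + "}" (Spring Security convention).
    """
    merged = f"{password}{{{salt}}}".encode("utf-8")
    digest = hashlib.new(ALGORITHMS[hash_name], merged).digest()
    return base64.b64encode(digest).decode("ascii") if base64_out else digest.hex()


def verify_password(candidate: str, username: str, stored: str, hash_name: str = "sha") -> bool:
    """Re-encode the candidate with the username as salt and compare in constant time."""
    return hmac.compare_digest(encode_password(candidate, username, hash_name), stored)


def users_properties_line(username: str, password: str, *roles: str, enabled: bool = True) -> str:
    """Build one users.properties entry: username=encodedPassword,ROLE_...,enabled (assumed format)."""
    fields = [encode_password(password, username), *roles, "enabled" if enabled else "disabled"]
    return f"{username}={','.join(fields)}"


def matches_documented_example() -> bool:
    """True when the assumed merge format reproduces the hash printed on the page."""
    return encode_password("newpassword", "newuser") == DOCUMENTED_HASH


if __name__ == "__main__":
    # Entry granting the existing ROLE_PSCAdmin role to newuser, as in step 3 of the page.
    print(users_properties_line("newuser", "newpassword", "ROLE_PSCAdmin"))
    print("matches documented value:", matches_documented_example())
```

Run the script to check whether the assumed password{salt} merge format reproduces the documented value; if it prints False, compare against the Jacksum instructions referenced above to confirm how the utility merges password and salt.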