Encrypted Datasource Password, Used by Docker Container

I’m setting up some quick-start docker containers for Slatwall, and I need
to pass an environment variable of the MySQL datasource password into a
config file for the application. At the end of the day I want to write a
file that has something like this in it:

    this.datasources["slatwall"] = {
          class: 'org.gjt.mm.mysql.Driver'
        , connectionString: 'jdbc:mysql://mysql:3306/slatwall?useUnicode=true&characterEncoding=UTF-8&useLegacyDatetimeCode=true'
        , username: 'root'
        , password: "encrypted:1d47b6a5394fffcde0d64f1526b24a03c83a6ae87b00fade88080ee5b08bf655d425196e9695d555"
    };

During instantiation with docker-compose we have a file that looks like
this:

    web:
      build: slatwall/slatwall-lucee
      ports:
        - "80:8080"
      links:
        - db
      environment:
        MYSQL_ROOT_PASSWORD: ChangeThis!
    db:
      image: mysql
      ports:
        - "3306:3306"
      environment:
        MYSQL_ROOT_PASSWORD: ChangeThis!
        MYSQL_DATABASE: slatwall

As part of our entrypoint script we want to write the environment variable
of MYSQL_ROOT_PASSWORD on the slatwall/slatwall-lucee container into our
application config, but I need to know how to encrypt the plain text
password, into the encrypted format that Lucee can use.

Thoughts?

-Greg

I have been trying to do the same thing from my puppet deployments. I did
have a go at writing a ruby encoder following the java code in the source
but never got it to work as expected. As the algorithm is fixed and can be
decoded on any server using the secret key that is publicly available in
the source then it does not add much protection but it would stop me!

I have resorted to just entering the password into a local copy of lucee
and grabbing the encrypted string out of that config file.

john

On Tuesday, 15 September 2015 19:07:47 UTC+1, Greg Moser wrote:

> As part of our entrypoint script we want to write the environment variable
> of MYSQL_ROOT_PASSWORD on the slatwall/slatwall-lucee container into our
> application config, but I need to know how to encrypt the plain text
> password, into the encrypted format that Lucee can use.

Randomly generate the password, set the password then inject it into the
config file.

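    # /dev/urandom instead of a timestamp seed, which is guessable;
    # 24 random bytes encode to 32 base64 characters
    head -c 24 /dev/urandom | base64 > /tmp/MYpasswordFile

where [option] would be the header of the config line you need to change.

    # r inserts the contents of the file after each matching line
    sed '/[option]/r /tmp/MYpasswordFile' input

    rm -rf /tmp/MYpasswordFile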

Hi Terry,

That would set the database access password to a random(ish) string. Not
sure that helps.

What I want is to take a known database password. Encrypt it using the
algorithm that Lucee uses for storing it in the config file and then insert
that into the config file.

Ideally a cli type tool would allow me to generate that somehow.

john

On Friday, 18 September 2015 17:18:47 UTC+1, Terry Whitney wrote:

> Randomly generate the password, set the password then inject it into the
> config file.

If you already have the target system, and know the password then why not
just distribute the configuration files with your application?

Well, keep in mind I am a Sysadmin first, so I think of shortest route
possible to result.

I would look at the lucee cfc’s that run the db configuration. A quick trip
down the source shows SALT mentioned a few times. You more than likely
could create an installer that calls a custom cfc that creates the DB
source for you, all the while running cfexecute that adds the credentials
needed for a mysql user.

I would look at their github repository, namely the files that comprise
the admin area.

You can do a search and you get pages of data.

Don’t you have to pass the mysql password as clear text from the compose
file for your mysql container? If so, just pass the datasource password in
clear text to lucee; it does not need to be encrypted.

For future reference, one way to deal with the password encryption in
Lucee/Railo is using Brad’s little utility:
https://github.com/bdw429s/RailoPasswordManagement

As an aside, I find the tutum/mysql container a little bit more useful than
the default as it allows you to set passwords, and create your database on
container creation all via ENV variables:
https://github.com/tutumcloud/mysql

Hope that helps,

– geoff
http://www.daemon.com.au/
twitter. @modius

On Wednesday, 16 September 2015 04:07:47 UTC+10, Greg Moser wrote:

> As part of our entrypoint script we want to write the environment variable
> of MYSQL_ROOT_PASSWORD on the slatwall/slatwall-lucee container into our
> application config, but I need to know how to encrypt the plain text
> password, into the encrypted format that Lucee can use.
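The clear-text route suggested in the reply above, sketched as an entrypoint helper. This is an added example, not code from the thread or from Lucee or Slatwall; the function names and the DATASOURCE_FILE variable are assumptions. It escapes the two characters that are special inside a CFML string literal and writes the file owner-only.

```shell
#!/bin/sh
# Added example. DATASOURCE_FILE and the function names are assumptions.

# Escape a value for a single-quoted CFML string: ' becomes '' and # becomes ##.
cfml_escape() {
    printf '%s' "$1" | sed -e "s/'/''/g" -e 's/#/##/g'
}

# Print the datasource block from the original post for a plain-text password.
render_datasource() {
    pw=$(cfml_escape "$1")
    cat <<EOF
this.datasources["slatwall"] = {
      class: 'org.gjt.mm.mysql.Driver'
    , connectionString: 'jdbc:mysql://mysql:3306/slatwall?useUnicode=true&characterEncoding=UTF-8&useLegacyDatetimeCode=true'
    , username: 'root'
    , password: '${pw}'
};
EOF
}

# Write the block to file $1: refuse an empty password, create the file
# owner-only, and rename into place so a partial file is never read.
write_datasource() {
    if [ -z "${MYSQL_ROOT_PASSWORD:-}" ]; then
        echo "MYSQL_ROOT_PASSWORD is not set" >&2
        return 1
    fi
    (
        umask 077
        tmp=$(mktemp "$1.XXXXXX") || exit 1
        render_datasource "$MYSQL_ROOT_PASSWORD" > "$tmp" && mv "$tmp" "$1"
    )
}

# Entrypoint use: DATASOURCE_FILE (hypothetical) names the include to generate.
if [ -n "${DATASOURCE_FILE:-}" ]; then
    write_datasource "$DATASOURCE_FILE"
fi
```

A password containing `'` or `#` would otherwise end the string early or start an expression when the generated file is parsed.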

I would not want to mess with a configuration file, but you easily could
create, read and write a file in a directory lucee has permissions for.

You could use cfexecute to run a bash script to read the environmental
variables and post those to a file.