Password Manager module
Security and authentication Bundled: Community Edition
| Edition | CE | 
|---|---|
| License | |
| Issues | |
| Maven site | |
| Latest | 1.2.9 | 
The Password Manager module stores encrypted passwords and allows you to retrieve their plain text value programmatically. This is useful for connector modules that need to authenticate to third-party systems with a plain text password.
Once the password is stored, an AdminCentral user can’t see the password in plain text. The plain-text value can only be retrieved programmatically.
The module installs the Passwords app that centralizes the management of passwords in the administration of Magnolia.
The passwords are stored in a dedicated workspace called keystore.
Installing with Maven
Bundled modules are automatically installed for you.
If the module is unbundled, add the following to your bundle including your project’s <dependencyManagement> section and your webapp’s <dependencies> section.
If the module is unbundled but the parent POM manages the version, add the following to your webapp’s <dependencies> section.
<dependency>
  <groupId>info.magnolia.passwordmanager</groupId>
  <artifactId>magnolia-module-password-manager</artifactId>
  <version>1.2.9</version> (1)
</dependency>| 1 | Should you need to specify the module version, do it using <version>. | 
The mgnl:passwords node type
The module provides a specific node type for the passwords called mgnl:password.
Password Manager key pair
In Magnolia 6.2.44 and later, the Password Manager module key pair is no longer linked to the activation key pair.
When upgrading, you must add the magnolia.password.manager.key.location property to your magnolia.properties file.
This property enables the system to generate the key pair file for the Password Manager.
| A new file isn’t created on startup if the file containing both keys already exists. | 
The location of this file should typically be the same as the magnolia-activation-keypair.properties file, which stores key pairs for the publishing process.
The location must be both accessible by Magnolia and persisted.
If no file is present, the Password Manager can’t create passwords.
If the modules/password-manager-core@publicKey value isn’t present in the JCR, the Password Manager can’t decrypt passwords.
magnolia.password.manager.key.location=${magnolia.home}/WEB-INF/config/default/magnolia-password-manager-keypair.propertiesKey pair values
Password Manager uses a dedicated key pair.
The public key that’s used for decryption must be present in the configuration of password-manager-core.
| Node name | Value | 
|---|---|
| đ modules | |
| đ password-manager-core | |
| ⏩ publicKey | <PUBLIC_KEY_VALUE> | 
| If you are using docker, you must ensure that the new key pair file is mounted to an external volume. Otherwise the key pair is regenerated on the next deployment and the passwords won’t work. | 
If you create a new public instance, the public keys need to be synchronized.
To synchronize them, you can publish them on the public instances or manually add them to the public instance config workspace.
Key pair generation
The key pair is also stored on the local file system in a file called magnolia-password-manager-keypair.properties by default.
The path to this file is configured in the Magnolia property magnolia.password.manager.key.location.
The file contains both the private and the public keys used to encrypt and decrypt passwords stored by the Password Manager.
If you want to change the Password Manager key pair:
- 
In the magnolia.propertiesfile, check the location of the password manager key pair file set inmagnolia.password.manager.key.location.
- 
Go to your password manager key pair file and update the public and private key values in the file. The Password Manager doesnât provide a built-in mechanism for generating public and private keys. You can use commands like the ones below on Linux systems. OpenSSL key generationopenssl genrsa -out keypair.pem 2048 (1) openssl rsa -in keypair.pem -pubout -out publickey.crt (2) openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key (3)1 The genrsasubcommand in OpenSSL creates a public-private key pair. The size of the RSA key is given at the end in bits.2 Generates a PEM-formatted public key ( publickey.crt) from the RSA private key file (keypair.pem).3 Converts from OpenSSL/PKCS#1to the more widely supportedPKCS#8format.The specific method for key generation depends on your operating system. Alternatively, use an external tool. The keys stored in the magnolia-password-manager-keypair.propertiesfile are hex-encoded bybyteArrayToHex()frominfo.magnolia.cms.security.SecurityUtil.
- 
Copy and paste the updated public key value from the file into the /modules/password-manager-core@publicKeyproperty. Use the Configuration app to do so.
- 
Reenter any passwords in the Passwords app. 
- 
Publish both the public key and the updated passwords to the public instances. 
Bootstrapping
Content can be exported and imported for bootstrapping like any other workspace. However, the same encryption key must be used to decrypt the imported passwords as well as encrypt the export.
| For security reasons, we don’t recommend bootstrapping password values. | 
Usage
See the Passwords app page.
