Password Manager module

Security and authentication Bundled: Community Edition

Edition CE

License

MLA, GPL

Issues

Maven site

Latest

1.2.9

The Password Manager module stores encrypted passwords and allows you to retrieve their plain text value programmatically. This is useful for connector modules that need to authenticate to third-party systems with a plain text password.

Once the password is stored, an AdminCentral user can’t see the password in plain text. The plain-text value can only be retrieved programmatically.

The module installs the Passwords app that centralizes the management of passwords in the administration of Magnolia. The passwords are stored in a dedicated workspace called keystore.

Installing with Maven

Bundled modules are automatically installed for you.

If the module is unbundled, add the following to your bundle including your project’s <dependencyManagement> section and your webapp’s <dependencies> section. If the module is unbundled but the parent POM manages the version, add the following to your webapp’s <dependencies> section.

<dependency>
  <groupId>info.magnolia.passwordmanager</groupId>
  <artifactId>magnolia-module-password-manager</artifactId>
  <version>1.2.9</version> (1)
</dependency>
1 Should you need to specify the module version, do it using <version>.

The keystore workspace

The passwords are stored in a dedicated workspace called keystore.

Password manager module

The mgnl:passwords node type

The module provides a specific node type for the passwords called mgnl:password.

Password Manager key pair

In Magnolia 6.2.44 and later, the Password Manager module key pair is no longer linked to the activation key pair.

When upgrading, you must add the magnolia.password.manager.key.location property to your magnolia.properties file. This property enables the system to generate the key pair file for the Password Manager.

A new file isn’t created on startup if the file containing both keys already exists.

The location of this file should typically be the same as the magnolia-activation-keypair.properties file, which stores key pairs for the publishing process. The location must be both accessible by Magnolia and persisted. If no file is present, the Password Manager can’t create passwords. If the modules/password-manager-core@publicKey value isn’t present in the JCR, the Password Manager can’t decrypt passwords.

magnolia.properties
magnolia.password.manager.key.location=${magnolia.home}/WEB-INF/config/default/magnolia-password-manager-keypair.properties

Key pair values

Password Manager uses a dedicated key pair. The public key that’s used for decryption must be present in the configuration of password-manager-core.

Node name Value

📁 modules

     📁 password-manager-core

         ⬩ publicKey

<PUBLIC_KEY_VALUE>

If you are using docker, you must ensure that the new key pair file is mounted to an external volume. Otherwise the key pair is regenerated on the next deployment and the passwords won’t work.

If you create a new public instance, the public keys need to be synchronized. To synchronize them, you can publish them on the public instances or manually add them to the public instance config workspace.

Key pair generation

The key pair is also stored on the local file system in a file called magnolia-password-manager-keypair.properties by default.

The path to this file is configured in the Magnolia property magnolia.password.manager.key.location. The file contains both the private and the public keys used to encrypt and decrypt passwords stored by the Password Manager.

If you want to change the Password Manager key pair:

  1. In the magnolia.properties file, check the location of the password manager key pair file set in magnolia.password.manager.key.location.

  2. Go to your password manager key pair file and update the public and private key values in the file.

  3. Copy and paste the updated public key value from the file into the /modules/password-manager-core@publicKey property. Use the Configuration app to do so.

  4. Reenter any passwords in the Passwords app.

  5. Publish both the public key and the updated passwords to the public instances.

Bootstrapping

Content can be exported and imported for bootstrapping like any other workspace. However, the same encryption key must be used to decrypt the imported passwords as well as encrypt the export.

For security reasons, we don’t recommend bootstrapping password values.

Usage

See the Passwords app page.

Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules