DataBase Reader Password encryption.

  • DataBase Reader Password encryption.

    Hi Team,

    I am using Database Reader and connecting to an Oracle DB; in the Database settings I entered the user name and password.
    But my concern is that, even though the password is not visible, it is being stored in plain text in the back end, and if we extract the channel and open the channel details, the DB password is clearly visible. The Database settings also show the character length of the password.
    After that I also tried to connect to the DB with JavaScript but faced the same problem there. Password security is the top priority for my project and I have to find an approach to resolve it.
    Is there any way we can encrypt the password, or any other security feature which I can use to increase the password security?
    If someone can help or guide me, that would be really helpful.

    Thanks in advance.

  • #2
    I pointed this out to Mirth years ago. We had the console. They suggested then that we store the password on the console, then call the variable for the password.

    It is worse than that. If you choose to use JavaScript for your login, it will have the password right there in text.


    • #3
      Put your credentials in the configurationMap and reference the map variables from your channel.

      The configurationMap is part of the velocity context, so you can use a velocity replacement token like ${mySecretPass} in your db reader instead of the actual string. It will mask out the velocity token like a real password, but it will still work.
      Last edited by agermano; 04-26-2019, 03:19 PM.


      • #4
        @cory_cole, thanks for the reply. I am also not sure what approach I should follow now; I couldn't find anything solid for this.

        @agermano thanks for explaining this. So far what I understand from your reply is that you want me to store the password in the configuration map and then, using that configuration map variable, I will call the password at run time and use it. But as I can see, whatever we store in the configuration map is visible; there is no encryption. Please correct me if I didn't understand what you explained.


        • #5
          Store the password in a file on a secure server. Create a global script that will read that file and store the password into a global map. Then reference the password from the map.


          • #6
            You were correct. The password is still visible in the configurationMap settings, but it does remove it from the channel configuration so that it will not be in plain text in the export.

            This is not the same situation, but illustrates some of the same problems as with what you are asking.

            If you store the passwords on a secure server elsewhere and retrieve them, you have the same problem storing the password for the secure server somewhere in Mirth. Also, anyone that has access to create or edit a channel has the ability to write out map variables (configuration or global) in clear text.

            Here's a somewhat related open ticket

            There is an option to encrypt the entire channel on export (not just the password field), but as the ticket shows, it would still be unencrypted in the database at this time (and thus accessible). The encrypt on export is also to protect your exports, not prevent people from exporting in clear text, because the encryption happens client side, and you could easily bypass it using the REST API.

            Even if this ticket is finally resolved, Mirth will still need to be able to decrypt the password, and someone that has access to create or modify channels would be able to access the key.

            Pretty much, if someone has access to the channel in Mirth, you can't prevent them from being able to get to the password. The best you can do is audit events to watch for people doing things they shouldn't do.

            By storing in the configurationMap, you would be able to see if they retrieved the configurationMap entries, either by going to the settings page or using the REST API. I don't have the User Roles plugin, but this is likely also a page that could be restricted to certain users if you have it.

            You would also be able to see if people are modifying channels, possibly in order to access information they shouldn't have. If you have the Channel History plugin, it will do the work for you to track all revisions by user even if they quickly change something and change it back.
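
Added example, not part of any post in this thread: a check that can be run over a channel export before it is shared or committed, flagging password fields that hold a literal value instead of a Velocity token such as ${mySecretPass} as described in #3. The sample XML is constructed, and its element names (`password`, `properties`, and so on) are assumptions rather than a copy of a real Mirth export.

```python
import re
import xml.etree.ElementTree as ET

# A value that is exactly one Velocity replacement token, e.g. ${mySecretPass}
TOKEN_ONLY = re.compile(r"^\$\{[A-Za-z_][\w.]*\}$")

# Constructed sample; element names are assumptions, not a real Mirth export.
SAMPLE_EXPORT = """\
<channel>
  <sourceConnector>
    <properties>
      <username>app_user</username>
      <password>${mySecretPass}</password>
    </properties>
  </sourceConnector>
  <destinationConnectors>
    <connector>
      <properties>
        <username>app_user</username>
        <password>Constructed-Literal-1</password>
      </properties>
    </connector>
    <connector>
      <properties><password></password></properties>
    </connector>
  </destinationConnectors>
</channel>
"""

def find_literal_passwords(xml_text):
    """Return element paths whose password-like field holds a literal value."""
    root = ET.fromstring(xml_text)
    findings = []  # paths only: the secret itself is never copied into the report

    def walk(node, path):
        here = f"{path}/{node.tag}"
        value = (node.text or "").strip()
        is_secret_field = "password" in node.tag.lower()
        # Empty fields and pure ${token} references are fine; anything else is literal.
        if is_secret_field and value and not TOKEN_ONLY.match(value):
            findings.append(here)
        for child in node:
            walk(child, here)

    walk(root, "")
    return findings

if __name__ == "__main__":
    print(find_literal_passwords(SAMPLE_EXPORT))
```

This only inspects password-named elements, so a credential typed into a JavaScript body (the case raised in #2) is not detected. A clean result also says nothing about the configurationMap itself, where, as #6 notes, the value remains visible.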