Zookeeper sensitive configuration encryption

Enhanced security for sensitive configuration data: sensitive configuration values (passwords, keys, etc.) stored in Zookeeper are now encrypted, so they are protected both at rest and while being accessed.

Key Improvements:

  • Automatic Encryption: Sensitive values are encrypted automatically when saved and decrypted only in memory, at the moment they are used, so no manual handling of secrets is required.

  • UI Masking: Sensitive fields are masked with "********" in the Admin UI, preventing accidental exposure.

  • Smart Editing: The UI intelligently handles edits to sensitive fields, preserving existing values unless a new, valid input is provided.

  • Broad Coverage: This release delivers encryption support for critical settings across the following UI configuration areas:

    • Admin Auth (Keystore, Proxy, OIDC)

    • Email (Proxy, SMTP, Digital Signature)

    • LDAP Connections

    • MSGraph (Entra ID)

    • SMS (SMTP, Twilio)

  • Secure Connection Testing: Connection tests (e.g., LDAP) use the stored encrypted value when no new value is entered, so a secret never has to be re-typed or displayed just to test it.

Functionality:

Within the Websec Admin UI, sensitive fields are always displayed as eight asterisks ("********").

  • "Edit Settings" Behavior:

    • Submitting "********", an empty value, or whitespace only in a sensitive field preserves the stored value. This is also what happens when you edit other settings and leave the sensitive field untouched: it still contains "********", so the stored value is kept on save.

    • Any other input in a sensitive field is treated as a new value and is encrypted and stored when you save the settings. Consequently, a secret that consists solely of whitespace or of exactly "********" cannot be set from this screen.

  • "Test Connection" Operations:

    • If a sensitive field is left as "********", replaced with whitespace, or cleared before a "test connection" (e.g., LDAP), the stored encrypted value will be used.

    • Entering a new value in a sensitive field for a "test connection" will use that new value.

Configuration:

Encryption is enabled automatically on install or update, and the encryption key is generated automatically. The scenarios below describe how to operate the setting.

To enable Zookeeper configuration encryption, set the enableConfigurationEncryption property to true.

Once enabled, every subsequent update to a sensitive field is encrypted before it is persisted to Zookeeper and decrypted when it is read back. Setting enableConfigurationEncryption to false stops new updates from being encrypted (they are written as entered), but values that were already encrypted are not rewritten and remain encrypted.

Important: The Data Protection configuration has its own enabled property, which controls Cassandra data encryption. It is independent of the enableConfigurationEncryption setting for Zookeeper: you can have Cassandra encryption disabled (enabled: false) and still have Zookeeper configuration encryption enabled (enableConfigurationEncryption: true).
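The save, test-connection and flag rules above are easy to get subtly wrong (for example, treating a whitespace-only submission as a new secret, or failing to read back a value that was persisted while encryption was off). The following Go program is an added example written for this page, not Websec's own code: it models the "Edit Settings" preservation rule, the "Test Connection" resolution rule, and the enableConfigurationEncryption behaviour over an in-memory map that stands in for Zookeeper. The AES-GCM cipher, the "ENC:" prefix used to tell encrypted values from plaintext ones, the caller-supplied key, the field names and the sample values are all assumptions of the example; the page does not describe the product's actual cipher, key handling or storage format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Mask is the placeholder the Admin UI shows in place of every stored sensitive value.
const Mask = "********"

// encPrefix tags ciphertext so a read can tell an encrypted value from one written while
// encryption was disabled. Assumed format: the page does not specify how Websec marks it.
const encPrefix = "ENC:"

// Store models the persisted configuration (Values stands in for Zookeeper nodes)
// together with the enableConfigurationEncryption flag.
type Store struct {
	EnableConfigurationEncryption bool
	Values                        map[string]string
	aead                          cipher.AEAD
}

// NewStore wraps a 16-, 24- or 32-byte AES key in AES-GCM. The product generates its key
// automatically; the caller supplying one here is an assumption of the example.
func NewStore(key []byte, enable bool) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{EnableConfigurationEncryption: enable, Values: map[string]string{}, aead: aead}, nil
}

// encrypt returns encPrefix + base64(nonce || ciphertext || tag) with a fresh random nonce.
func (s *Store) encrypt(plain string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(plain), nil)
	return encPrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// decrypt reverses encrypt; a value without the prefix was stored while encryption was off.
func (s *Store) decrypt(stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return stored, nil
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", err
	}
	n := s.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], nil) // fails on wrong key or tampering
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// keepStored is the "Edit Settings" rule: the mask, an empty string and whitespace-only
// input all mean "leave the stored value alone".
func keepStored(input string) bool {
	return input == Mask || strings.TrimSpace(input) == ""
}

// Save applies a submitted form. Sensitive fields carrying the placeholder are skipped; a
// new sensitive value is encrypted only while the flag is on, otherwise stored as typed.
func (s *Store) Save(submitted map[string]string, sensitive map[string]bool) error {
	for field, input := range submitted {
		switch {
		case !sensitive[field]:
			s.Values[field] = input
		case keepStored(input):
			// preserve the existing value
		case !s.EnableConfigurationEncryption:
			s.Values[field] = input
		default:
			enc, err := s.encrypt(input)
			if err != nil {
				return err
			}
			s.Values[field] = enc
		}
	}
	return nil
}

// ResolveForTest returns the secret a "Test Connection" should use: the new input if one
// was typed, otherwise the stored value, decrypted in memory only.
func (s *Store) ResolveForTest(field, input string) (string, error) {
	if !keepStored(input) {
		return input, nil
	}
	stored, ok := s.Values[field]
	if !ok {
		return "", errors.New("no stored value for " + field)
	}
	return s.decrypt(stored)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // stands in for the automatically generated key
	s, _ := NewStore(key, true)
	sens := map[string]bool{"credentialsPassword": true} // constructed sample field
	s.Save(map[string]string{"host": "ldap.example.test", "credentialsPassword": "s3cret"}, sens)
	s.Save(map[string]string{"host": "ldap2.example.test", "credentialsPassword": Mask}, sens)
	pw, _ := s.ResolveForTest("credentialsPassword", "   ")
	fmt.Println(s.Values["host"], pw == "s3cret") // host changed, password preserved
}
```

Note the asymmetry the flag creates: reads must always be prepared to decrypt, because a store can legitimately hold a mix of encrypted values (written while the flag was on) and plaintext ones (written after it was turned off), which is why decrypt dispatches on the prefix rather than on the current flag value.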


Usage:

  • Web Admin Dedicated UI:

    • Sensitive values are displayed as "********" in dedicated UI settings screens.

    • While you type, the field shows an "********" overlay instead of the characters you enter, so that onlookers cannot read the value from your screen. The overlay asterisks are small.

    • Clicking the "eye" toggle reveals the value. If it's the stored encrypted value, you'll see "********" (larger, gray).

    • Leaving the value unchanged preserves the stored value upon saving.

    • Entering only whitespace, or deleting the "********" and leaving the field empty, also preserves the stored value.

    • Entering a new value will display the new value or the appropriate number of asterisks (overlay), depending on the "eye" toggle state.

  • Settings / Advanced:

    • Sensitive values are displayed as "********" when editing Zookeeper configuration files directly.

    • Leaving the value as "********", empty (""), or whitespace preserves the stored value.

    • Entering a new value will persist that new value.

    • Important Notes:

      • The "Advanced Settings" editor has no mask overlay: anything you type into a sensitive field is visible on screen as you enter it, so make sure nobody can observe your display while editing.

      • Sensitive fields are masked in the UI as described regardless of the enableConfigurationEncryption setting; that setting only controls whether new values are encrypted when they are persisted.

List of supported string values for encryption:

The 3.8 release supports encryption of the following sensitive configuration values:

  • Admin Auth:

    • KeystoreConfiguration: storePass (Settings / Admin auth / SAML KEY MANAGEMENT / "Keystore password")

    • AdminAuthConfiguration: proxySecret (Settings / Admin auth / CERTIFICATE AUTH / "Proxy secret")

    • OidcAuthConfiguration: clientSecret (Settings / Admin auth / OIDC AUTH / Client secret)

    • Password: value (Not needed; dedicated interface prevents editing)

  • Email:

    • EmailProxy: proxyPassword (Settings / Messaging / Email / EmailProxy / "Proxy Password")

    • EmailConfiguration: smtpAuthPwd (Settings / Messaging / Email / "Smtp Auth Pwd"; Quick Actions / "5 Email" / "Auth Password")

    • EmailDigitalSignature: digitalSignaturePassword (Settings / Messaging / Email / Email Digital Signature / "Digital Signature Password")

  • LDAP:

    • LdapConnection: credentialsPassword (Settings / Services / LDAP / Edit <connection> / "Password"; Quick Actions / "1 Connect" / "Password")

  • MSGraph:

    • MsGraphConfiguration: clientSecret (Settings / “Entra ID” / “Client secret”)

  • SMS:

    • SMTPConfiguration: password (Settings / Messaging / SMS / SMTP Gateway; Quick Actions / “6 SMS”)

    • TwilioConfiguration: smsServicePassword (Settings / Messaging / SMS / Twilio Integration; Quick Actions / “6 SMS”)
