Encryption in MOB_PREFERENCES

Preference configuration values are stored encrypted in the MOB_PREFERENCES table.

Prefix encrypted preference values with the encryption algorithm, such as:
  • {AES-128-PBKDF2}<ENCRYPTED-VALUE>
  • {AES-256-PBKDF2}<ENCRYPTED-VALUE>

Decryption is transparent to an application; however, the developer who is using a particular preferences node must explicitly enable encryption support for that node.

For Mobiliser, the encryption/decryption key is configured in:

SMP_HOME\Server\config_master\com.sybase365.mobiliser.util.prefs.encryption.aes\com.sybase365.mobiliser.util.prefs.encryption.aes.properties

For applications using remote access to preferences, configure the encryption/decryption key using one of these methods:
  • System property: -Dcom.sybase365.mobiliser.money.prefs.secret=<KEY>
  • JNDI entry: <Environment description="Preferences key" name="prefs/secret" type="java.lang.String" value="<KEY>" />

    The JNDI entry is usually configured in <TOMCAT_HOME>/conf/server.xml.

  • Property file on class path: sybase-preferences.properties

    with line: encryption-secret=<KEY>

The AES/CBC/PKCS5Padding encryption is automatically used. The encrypted value must be Base64-encoded, and the first 16 bytes are interpreted as the initialization vector (IV). The encryption key is derived from the password using PBKDF2HmacWithSHA1 hashing with the static salt {97,101,105,111,117,85,79,73,69} and 65536 iterations. SAP Mobile Platform Server includes an executable JAR in the ./tools folder that encrypts configuration values according to this specification.

Run:
./tools> java -jar SMP_HOME\Server\tools\mobiliser\com.sybase365.mobiliser.vanilla.cli-tools-5.1.0.RELEASE-CLIEncrypterClient.jar <KEY> <TEXT> [<KEYLENGTH>]

Note: In SAP Mobile Platform installations, the encryption tool requires the installation of X-Windows in the system environment to execute properly; however, for Mobiliser Platform 5.1 SP01 and later installations, you can run the encryption tool without X-Windows capability.

The <KEY> must match the configured key from one of the configuration places listed above. <KEYLENGTH> is optional and defaults to 128 bits; 256 works only if you have updated your Java encryption policy file.
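The value format described above can be reproduced with the standard Java crypto API, which is useful for checking that a stored value decrypts with the configured key. This is an added example, not SAP's code: the class name PrefValueCodec, the UTF-8 text encoding, the random IV on encryption, and the layout Base64(IV followed by ciphertext) are assumptions drawn from the description, and the key in main is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.*;
import javax.crypto.*;
import javax.crypto.spec.*;
public class PrefValueCodec { // hypothetical name; added example, not the product's code
    // Static salt and iteration count as stated in the text; key depends only on the password.
    private static final byte[] SALT = {97, 101, 105, 111, 117, 85, 79, 73, 69};
    private static final int ITERATIONS = 65536;
    private static final Pattern FORMAT = Pattern.compile("\\{AES-(128|256)-PBKDF2\\}(.+)");

    static SecretKeySpec deriveKey(char[] password, int bits) throws Exception {
        // "PBKDF2WithHmacSHA1" is the JCA name for PBKDF2 with HMAC-SHA1.
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] k = f.generateSecret(new PBEKeySpec(password, SALT, ITERATIONS, bits)).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    static String encrypt(char[] password, String text, int bits) throws Exception {
        byte[] iv = new byte[16]; // assumption: a fresh random IV per value
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, bits), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(text.getBytes(StandardCharsets.UTF_8)); // assumption: UTF-8 text
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);       // IV first, then ciphertext
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return "{AES-" + bits + "-PBKDF2}" + Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(char[] password, String stored) throws Exception {
        Matcher m = FORMAT.matcher(stored.trim());
        if (!m.matches()) throw new IllegalArgumentException("missing {AES-n-PBKDF2} prefix");
        byte[] raw = Base64.getDecoder().decode(m.group(2));
        // Need the 16-byte IV plus at least one whole AES block of ciphertext.
        if (raw.length < 32 || raw.length % 16 != 0) throw new IllegalArgumentException("bad length");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, Integer.parseInt(m.group(1))),
               new IvParameterSpec(raw, 0, 16));
        return new String(c.doFinal(raw, 16, raw.length - 16), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] key = "constructed-demo-key".toCharArray(); // constructed sample, not a real key
        String stored = encrypt(key, "constructed-sample-value", 128);
        System.out.println(stored);               // {AES-128-PBKDF2}<Base64 of IV + ciphertext>
        System.out.println(decrypt(key, stored)); // round-trips to the original text
    }
}
```

A wrong key normally surfaces as a BadPaddingException from doFinal; because CBC carries no integrity check, a clean decrypt does not prove the stored value was not modified.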

Alternatively, once your system is up and running you can also log in to the Operations Dashboard to change the preferences through the portal. Use the same encryption key there as well.
