Encrypting Configuration Files

SAP Mobile Platform Server configuration files in <SMP_HOME>\Server\config_master\XXX folder support encrypted configuration values.

Within each configuration directory under config_master, there is a file called metaconfig.json. Within this file, the "apply strategy" should be set to "config admin". The master key for encrypting the encrypted configuration values is stored in the<SMP_HOME> \Server\props.ini file:
  • -DsecretKey=<PASSWORD>
  • -DsecretKeylength=<128|256>
The 256-bit key length works only if you replaced the JVM's encryption policy files; the decryption of these values happens transparently to the application. This also means that inside the SAP Mobile Platform Server, encrypted values are in clear text. To indicate that a value is encrypted, it must be prefixed with {enc}. An entry must look like:


The SAP Mobile Platform Server includes an executable JAR in <SMP_HOME>\Server\tools\cipher folder to encrypt configuration values according to this specification. Simply run:
\tools\cipher>Java โ€“jar CLIEncrypter.jar <KEY> <TEXT> [<KEYLENGTH>] 

The <KEY> must match the configured key from <SMP_HOME>\Server\props.ini, <KEYLENGTH> is optional and defaults to 128 bits - 256 will only work if you have updated your Java encryption policy file.

Alternative Method Using OSGi

The AES/CBC/PKCS5Padding encryption is used. The encrypted value is expected to be Base64-encoded, and the first 16 bytes are interpreted as the initialization vector (IV). The encryption key is derived from the password using PBKDF2HmacWithSHA1 hashing with the static salt {97,101,105,111,117,85,79,73,69} and 65536 iterations.
SAP Mobile Platform Server includes a command that encrypts configuration values according to this specification:
- >osgi>cm_security  enc <TEXT> 
osgi>cm_security enc password   Encoded Text:QWIFsLnfJeE78tkRDx8ES3xDkNHbrbWdvNsEzfdv6IA= 
osgi>cm_security dec QWIFsLnfJeE78tkRDx8ES3xDkNHbrbWdvNsEzfdv6IA=Decoded Text:password