• Document Up to Date

Securing Your CrafterCMS Install

CrafterCMS installations are pre-configured with default passwords, tokens, keys, etc. These default values are intended for initial testing, installation and configuration. We recommend changing the default values for the following parameters to secure your CrafterCMS installation:

  • Replace default values for configuration files encryption key and salt

    CRAFTER_HOME/bin/crafter-setenv.sh
    # -------------------- Encryption variables --------------------
    # These variables are used to encrypt and decrypt values inside the configuration files.
    export CRAFTER_ENCRYPTION_KEY=${CRAFTER_ENCRYPTION_KEY:="default_encryption_key"}
    export CRAFTER_ENCRYPTION_SALT=${CRAFTER_ENCRYPTION_SALT:="default_encryption_salt"}
    

  • Replace the default values for database values encryption key and salt. Remember that these values should not be changed after CrafterCMS has been started if the installation has one or more of the following:

    • Remote repository passwords and keys

    • Cluster passwords and keys

      CRAFTER_HOME/bin/crafter-setenv.sh
      # These variables are used by Studio to encrypt and decrypt values in the database.
      export CRAFTER_SYSTEM_ENCRYPTION_KEY=${CRAFTER_SYSTEM_ENCRYPTION_KEY:="s0meDefaultKey"}
      export CRAFTER_SYSTEM_ENCRYPTION_SALT=${CRAFTER_SYSTEM_ENCRYPTION_SALT:="s0meDefaultSalt"}
      

  • Replace default values for the management tokens used by Studio, Engine, Deployer, Search, Profile and Social

    CRAFTER_HOME/bin/crafter-setenv.sh
    # -------------------- Management tokens ----------------
    # Please update this per installation and provide these tokens to the status monitors.
    export STUDIO_MANAGEMENT_TOKEN=${STUDIO_MANAGEMENT_TOKEN:="defaultManagementToken"}
    export ENGINE_MANAGEMENT_TOKEN=${ENGINE_MANAGEMENT_TOKEN:="defaultManagementToken"}
    export DEPLOYER_MANAGEMENT_TOKEN=${DEPLOYER_MANAGEMENT_TOKEN:="defaultManagementToken"}
    export SEARCH_MANAGEMENT_TOKEN=${SEARCH_MANAGEMENT_TOKEN:="defaultManagementToken"}
    export PROFILE_MANAGEMENT_TOKEN=${PROFILE_MANAGEMENT_TOKEN:="defaultManagementToken"}/*
    export SOCIAL_MANAGEMENT_TOKEN=${SOCIAL_MANAGEMENT_TOKEN:="defaultManagementToken"}
    

  • Replace default values for the DB root password, the DB crafter user password and the DB replication user password (if running in a primary/replica cluster) before starting CrafterCMS for the very first time.

    CRAFTER_HOME/bin/crafter-setenv.sh
    # -------------------- MariaDB variables --------------------
    ...
    export MARIADB_ROOT_PASSWD=${MARIADB_ROOT_PASSWD:="root"}
    ...
    export MARIADB_PASSWD=${MARIADB_PASSWD:="crafter"}
    ...
    export MARIADB_REPLICATION_PASSWD=${MARIADB_REPLICATION_PASSWD:="crafter_replication"}
    

    To change the values after the initial start of CrafterCMS, do the following:

    1. Manually change the DB passwords

      First, login to the database as root. From the command line in the server, go to CRAFTER_HOME/bin/dbms/bin and run the following command:

      /mysql -u root -p --socket=/tmp/MariaDB4j.33306.sock
      

      To change the root password, run the following command:

      ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass';
      

      Remember to replace MyNewPass with the actual password you want to set, and if you are connecting to the DB from another host, change localhost with the remote hostname or IP address.

      To change the crafter user password, run the following command, similar to changing the root password.

      ALTER USER 'crafter'@'localhost' IDENTIFIED BY 'MyNewCrafterPass';
      

      Again, remember to replace MyNewCrafterPass with the actual password you want to set, and if you are connecting to the DB from another host, change localhost with the remote hostname or IP address.

      To change the crafter_replication replication user password, run the following command, similar to changing the root password.

      ALTER USER 'crafter_replication'@'localhost' IDENTIFIED BY 'MyNewReplicationPass';
      

      Again, remember to replace MyNewReplicationPass with the actual password you want to set, and if you are connecting to the DB from another host, change localhost with the remote hostname or IP address.

    2. Stop Studio

    3. Update the values in the configuration file crafter-setenv.sh with the new password used in the previous step

      CRAFTER_HOME/bin/crafter-setenv.sh
      # -------------------- MariaDB variables --------------------
      ...
      export MARIADB_ROOT_PASSWD=${MARIADB_ROOT_PASSWD:="MyNewPass"}
      ...
      export MARIADB_PASSWD=${MARIADB_PASSWD:="MyNewCrafterPass"}
      

    4. Restart Studio

  • Change the default Studio admin user password either by randomizing the admin password for a fresh install of Crafter Studio or by changing the password after logging in as user admin. For more information on randomizing the admin password for a fresh install, see Randomize “admin” Password for CrafterCMS Fresh Install. For more information on changing user passwords, see User passwords

  • Set session cookies as HTTP Only and Secure by setting the flags to true in your tomcat web.xml file

    CRAFTER_HOME/bin/apache-tomcat/conf/web.xml
    1<session-config>
    2  <session-timeout>1</session-timeout>
    3  <cookie-config>
    4    <http-only>true</http-only>
    5    <secure>true</secure>
    6  </cookie-config>
    7</session-config>
    
  • Replace default values for all the variables used to control the access tokens used for Studio’s API

    CRAFTER_HOME/bin/crafter-setenv.sh
     1# -------------------- Studio's access tokens ---------------------
     2# *************************************************************************************
     3# ************************* IMPORTANT *************************************************
     4# The following variables are used to control the access tokens used for Studio's API,
     5# please replace all default values to properly secure your installation
     6# *************************************************************************************
     7
     8# Issuer for the generated access tokens
     9export STUDIO_TOKEN_ISSUER=${STUDIO_TOKEN_ISSUER:="Crafter Studio"}
    10# List of accepted issuers for validation of access tokens (separated by commas)
    11export STUDIO_TOKEN_VALID_ISSUERS=${STUDIO_TOKEN_VALID_ISSUERS:="Crafter Studio"}
    12# The audience for generation and validation of access tokens (if empty the instance id will be used)
    13export STUDIO_TOKEN_AUDIENCE=${STUDIO_TOKEN_AUDIENCE:=""}
    14# Time in minutes for the expiration of the access tokens
    15export STUDIO_TOKEN_TIMEOUT=${STUDIO_TOKEN_TIMEOUT:=5}
    16# Password for signing the access tokens (needs to be equal or greater than 512 bits in length)
    17export STUDIO_TOKEN_SIGN_PASSWORD=${STUDIO_TOKEN_SIGN_PASSWORD:="s0meDefaultTokenSignPasswd"}
    18# Password for encrypting the access tokens
    19export STUDIO_TOKEN_ENCRYPT_PASSWORD=${STUDIO_TOKEN_ENCRYPT_PASSWORD:="s0meDefaultTokenEncryptPasswd"}
    20# Name of the cookie to store the refresh token
    21export STUDIO_REFRESH_TOKEN_NAME=${STUDIO_REFRESH_TOKEN_NAME:="refresh_token"}
    22# Time in seconds for the expiration of the refresh token cookie
    23export STUDIO_REFRESH_TOKEN_MAX_AGE=${STUDIO_REFRESH_TOKEN_MAX_AGE:=300}
    24# Indicates if the refresh token cookie should be secure (should be true for production environments behind HTTPS)
    25export STUDIO_REFRESH_TOKEN_SECURE=${STUDIO_REFRESH_TOKEN_SECURE:="false"}