Encryption Algorithm

  • Last update: July 26, 2024
  • Overview

    Version

    | Report Server Version | Functional Change |
    |---|---|
    | 11.0 | / |
    | 11.0.14 | 1. Changed the default transmission encryption algorithm type from symmetric to asymmetric encryption. 2. Provided the transmission.asymmetric parameter to switch the default encryption algorithm type for transmission. |
    | 11.0.28 | 1. Changed the encryption algorithm entry from System Management > General to Security Management > Security. 2. Supported one-click key file update for the system that utilizes the default algorithm. |

    Application Scenario

    There are two built-in encryption algorithms for switching in the FanRuan system.

    You (as admin) can switch between default encryption and Guomi encryption. After you switch the encryption method, the transmission, storage, and user passwords are encrypted by the Guomi algorithm.

    Switching encryption methods does not affect the normal use of the FanRuan system, and users and permissions will not change.

    Encryption Algorithm Introduction

    Projects in V11.0.14 and later versions utilize asymmetric encryption algorithms by default.

    Projects in V11.0.13 and earlier versions utilize symmetric encryption algorithms by default.

    Note:
    This document only describes how to switch built-in algorithms.

    | Project Version | Encryption Algorithm Type | Default Algorithm | Guomi Algorithm |
    |---|---|---|---|
    | 11.0.14 and later versions | Asymmetric encryption algorithm | RSA | SM2 |
    | 11.0.13 and earlier versions | Symmetric encryption algorithm | AES | SM4 |

    Switching Encryption Algorithm

    This example shows how to switch the algorithm from the default algorithm to the Guomi algorithm. You can also perform a reverse operation, and the steps are consistent.

    Notes Before Switching

    1. The configuration database utilized by the FanRuan application must be External Database Configuration, and you cannot switch encryption algorithms in the system that utilizes the internal database.

    The database user that the application uses for the configuration database must have read, write, and execute permissions on the database.

    2. After the encryption algorithm is switched in a cluster environment, other nodes cannot connect to the configuration database, nodes cannot communicate with each other, and the encryption method cannot be changed synchronously between nodes.

    Therefore, if you want to change the encryption algorithm in the cluster environment, shut down other nodes first and switch algorithms in the single-node environment.

    After the successful switch, manually copy the /webroot/WEB-INF/config folder of this node to another node, and then start another node to switch the encryption algorithm.

    3. If the system utilizes a Guomi algorithm, the project cannot be rolled back to an earlier version.

    4. When you switch the encryption algorithm, you need to reset the super admin's password.

    Switching encryption algorithms will reset the super admin's password. Therefore, the super admin is advised to assign the system management permission in Security Management.

    5. After you switch the encryption algorithm, for the manually added/imported/synchronized user whose information can be edited, the user's password is automatically reset to 123456.

    6. After you switch the encryption algorithm, the designer version of the remote connection system must be consistent with the system, and the inconsistency of JAR packages will lead to remote connection failure or system access failure.

    7. If you want to enable the configuration data in the database when you switch to the external configuration database, ensure that the encryption method of the current project is the same as that of the data in the configuration database.

    If the encryption methods are inconsistent, serious problems (for example, project login failure) may occur after the external configuration database is enabled.

    Function Entry

    1. Log in to the FineReport system as the super admin, choose System Management > Security Management > Security, and click the switch button beside the encryption algorithm.

    2. Select Guomi Algorithm, click One-click Switch, and the prompt box is displayed, as shown in the following figure.

    The current project will be backed up before you change the encryption method, which may take a long time. Ensure that the system is not in use.

    After the encryption method is changed, the user password added/imported/synchronized with editable user information will be reset to 123456 and the administrator account will also be reset. Sure to change the encryption method?

    Automatic Project Backup

    Click OK to automatically save the current project. The prompt message "Backing up...Do not shut down the server." is displayed, as shown in the following figure.

    Note:

    1. You can view the backup file under System Management > Intelligent O&M > Backup&Restoration > Manual Backup. For details, see Backup and Restore.

    2. During the backup, users who are using the data decision system cannot use the project properly. The project can be accessed only after the password of the super admin account is successfully reset.


    Algorithm Switch

    When you switch the encryption algorithm, the prompt message "Switching the encryption algorithm..." is displayed, as shown in the following figure.

    After the successful switch, the prompt message "The encryption algorithm is switched successfully. Reset the administrator account. If you need to use the designer, upgrade the designer to the same version." is displayed, as shown in the following figure.

    Password Reset

    Click OK to finish switching the encryption algorithm. The super admin jumps to the page that allows the super admin to reset the super admin's account and password, as shown in the following figure.

    Algorithm Switch Result Description

    Overall Success

    All the processes are correct, the transmission and storage encryption switch is successful, and the encryption algorithm switch is successful.

    After the successful encryption algorithm switch, the password stored in the system will be automatically replaced. The following describes the details:

    1. The super admin is automatically redirected to the page for resetting the super admin's account and password.

    2. The following describes the details about the user password:

    For the synchronized user whose information cannot be edited, the synchronization is triggered and the user password is retained.

    For the synchronized user whose information can be edited, the user password is reset to 123456 (plaintext).

    For the manually added/imported user, the user password is reset to 123456 (plaintext).

    3. The system automatically replaces the passwords stored in the FineDB database with passwords generated by the new encryption algorithm.

    4. The system will automatically change the encryption algorithm in the transmission process and the connection password algorithm of the external database.

    Overall Failure

    The overall switch of the encryption algorithm fails, and the previous encryption algorithm is used for transmission and storage.

    1. The wrong commercial Guomi is used.

    2. The project backup fails.

    3. The external database password update fails.

    Partial Failure

    Switches of partial passwords fail and the others succeed.

    1. The switch of the database storage password fails.

    Prompt:

    The database storage password (such as database connection password and mailbox password) update fails.

    Reset the password after resetting the admin account. If you use the designer, update it to the same version.

    2. The switch of the built-in/synchronized user password fails.

    Prompt:

    Only the built-in user password switch fails: The synchronized user password switch succeeds, the built-in user password switch fails, and the user password cannot be updated.

    Only the synchronized user password switch fails: The synchronized user password switch fails, the built-in user password switch succeeds, and the user password cannot be updated.

    Both the built-in and synchronized user password switches fail: The synchronized user password switch fails, the built-in user password switch fails, and the user password cannot be updated.

    Both the built-in and synchronized user password switches succeed: There will be no prompt.

    3. Both the switches of the database storage password and user password fail.

    The prompts described in the two scenarios above appear together.

    Notes

    Key File Update for the Default Algorithm

    In symmetric and asymmetric encryption, the key is crucial to protect data security. Some companies and enterprises require regular key changes to ensure long-term system security and data confidentiality.

    1. Prerequisite for Use

    The key file will be backed up before updating, which may take a long time. Ensure that the system is not in use.

    The project that utilizes the default algorithm supports the key file update, while the Guomi algorithm does not support the update.

    The configuration database utilized by the FanRuan application must be external, and you cannot switch encryption algorithms in the system that utilizes the internal database.

    2. Key Update

    Log in to the FineReport system as the admin, choose System Management > Security Management > Security, and click the One-Click Update button beside the encryption algorithm.

    Wait until the prompt message "The key file is updated successfully." is displayed.

    Asymmetric/Symmetric Encryption Switch

    Projects in 11.0.14 and later versions utilize asymmetric encryption algorithms by default, and projects in 11.0.13 and earlier versions utilize symmetric encryption algorithms.

    | Project Version | Encryption Algorithm Type | Default Algorithm | Guomi Algorithm |
    |---|---|---|---|
    | 11.0.14 and later versions | Asymmetric encryption algorithm | RSA | SM2 |
    | 11.0.13 and earlier versions | Symmetric encryption algorithm | AES | SM4 |

    For projects in 11.0.14 and later versions, you can switch between symmetric and asymmetric encryption algorithms as needed.

    1. Close the project.

    2. Go to the /webroot/WEB-INF/config directory and find the encryption.properties configuration file.

    3. Edit the encryption.properties configuration file and modify the value of the transmission.asymmetric parameter.

    4. Restart the project to switch the encryption algorithm type.

     

    The following table describes the parameters.

    | Parameter | Parameter Value | Definition |
    |---|---|---|
    | transmission.asymmetric | true | Enable the asymmetric transmission encryption method, and the transmission encryption method is asymmetric encryption. |
    | transmission.asymmetric | false | Disable the asymmetric transmission encryption method, and the transmission encryption method is symmetric encryption. |
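
    One way to script steps 2 and 3 above with a rollback copy, as an added example that is not FanRuan's own tooling. It assumes encryption.properties holds Java-style key=value lines (the page names only the file and the parameter); the function names and the .bak suffix are illustrative.

```sh
#!/bin/sh
# Added example: inspect and set transmission.asymmetric in encryption.properties.
# Assumption: Java-style "key=value" lines; the page names only the file and key.
# Run it with the project stopped, then restart the project (steps 1 and 4).
PROP_KEY='transmission.asymmetric'
KEY_RE='^\([[:space:]]*transmission\.asymmetric[[:space:]]*[=:][[:space:]]*\)'

# Print the value of the last uncommented assignment, or "unset" if there is none.
get_transmission_asymmetric() {
    file=$1
    value=$(sed -n "s/$KEY_RE//p" "$file" 2>/dev/null | tail -n 1 | tr -d '[:space:]')
    printf '%s\n' "${value:-unset}"
}

# Set the value to true or false, keeping a rollback copy in <file>.bak.
set_transmission_asymmetric() {
    file=$1
    new=$2
    case $new in
        true|false) ;;
        *) echo "value must be true or false, got: $new" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    current=$(get_transmission_asymmetric "$file")
    if [ "$current" = "$new" ]; then
        return 0                            # already in the requested mode
    fi
    cp -p "$file" "$file.bak" || return 1   # rollback copy before any change
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if [ "$current" = "unset" ]; then
        # awk 1 guarantees a trailing newline before the appended key
        { awk 1 "$file"; printf '%s=%s\n' "$PROP_KEY" "$new"; } > "$tmp"
    else
        sed "s/$KEY_RE.*/\\1$new/" "$file" > "$tmp"
    fi
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a constructed sample file (not a real FineReport configuration).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/encryption.properties"
printf '# constructed sample\ntransmission.asymmetric=true\n' > "$demo_file"
set_transmission_asymmetric "$demo_file" false
get_transmission_asymmetric "$demo_file"
rm -rf "$demo_dir"
```

    Against a real deployment, pass the path to encryption.properties under /webroot/WEB-INF/config; the .bak copy restores the previous transmission mode if the project does not start cleanly.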

