Securing Your CrafterCMS Install

CrafterCMS installations are pre-configured with default passwords, tokens, keys, etc. These default values are intended for initial testing, installation and configuration. Failure to change these default values creates a critical security vulnerability. To secure your CrafterCMS installation, YOU MUST CHANGE THE PRE-CONFIGURED DEFAULT VALUES.

Here are the parameters for which you must change the default values:

  • Replace default values for configuration files encryption key and salt

    CRAFTER_HOME/bin/crafter-setenv.sh
    # -------------------- Encryption variables --------------------
# These variables are used to encrypt and decrypt values inside the configuration files.
export CRAFTER_ENCRYPTION_KEY=${CRAFTER_ENCRYPTION_KEY:="default_encryption_key"}
export CRAFTER_ENCRYPTION_SALT=${CRAFTER_ENCRYPTION_SALT:="default_encryption_salt"}

  • Replace the default values for database values encryption key and salt. Remember that these values should not be changed after CrafterCMS has been started if the installation has one or more of the following:

    • Remote repository passwords and keys

    • Cluster passwords and keys

      CRAFTER_HOME/bin/crafter-setenv.sh
      # These variables are used by Studio to encrypt and decrypt values in the database.
export CRAFTER_SYSTEM_ENCRYPTION_KEY=${CRAFTER_SYSTEM_ENCRYPTION_KEY:="s0meDefaultKey"}
export CRAFTER_SYSTEM_ENCRYPTION_SALT=${CRAFTER_SYSTEM_ENCRYPTION_SALT:="s0meDefaultSalt"}

  • Replace default values for the management tokens used by Studio, Engine, Deployer, Search, Profile and Social

    CRAFTER_HOME/bin/crafter-setenv.sh
    # -------------------- Management tokens ----------------
# Please update this per installation and provide these tokens to the status monitors.
export STUDIO_MANAGEMENT_TOKEN=${STUDIO_MANAGEMENT_TOKEN:="defaultManagementToken"}
export ENGINE_MANAGEMENT_TOKEN=${ENGINE_MANAGEMENT_TOKEN:="defaultManagementToken"}
export DEPLOYER_MANAGEMENT_TOKEN=${DEPLOYER_MANAGEMENT_TOKEN:="defaultManagementToken"}
export SEARCH_MANAGEMENT_TOKEN=${SEARCH_MANAGEMENT_TOKEN:="defaultManagementToken"}
export PROFILE_MANAGEMENT_TOKEN=${PROFILE_MANAGEMENT_TOKEN:="defaultManagementToken"}
export SOCIAL_MANAGEMENT_TOKEN=${SOCIAL_MANAGEMENT_TOKEN:="defaultManagementToken"}

  • Replace the default value for the access token used by Search

    CRAFTER_HOME/bin/crafter-setenv.sh
    # -------------------- Access tokens ----------------
# Please update this per installation.
export SEARCH_ACCESS_TOKEN=${SEARCH_ACCESS_TOKEN:="defaultAccessToken"}

  • Replace default values for the DB root password and the DB crafter user password before starting CrafterCMS for the very first time.

    CRAFTER_HOME/bin/crafter-setenv.sh
    # -------------------- MariaDB variables --------------------
...
export MARIADB_ROOT_PASSWD=${MARIADB_ROOT_PASSWD:="root"}
...
export MARIADB_PASSWD=${MARIADB_PASSWD:="crafter"}

    To change the values after the initial start of CrafterCMS, do the following:

    1. Manually change the DB passwords

      First, login to the database as root. From the command line in the server, go to CRAFTER_HOME/bin/dbms/bin and run the following command:

      /mysql -u root -p --socket=/tmp/MariaDB4j.33306.sock

      To change the root password, run the following command:

      ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass';

      Remember to replace MyNewPass with the actual password you want to set, and if you are connecting to the DB from another host, change localhost with the remote hostname or IP address.

      To change the crafter user password, run the following command, similar to changing the root password.

      ALTER USER 'crafter'@'localhost' IDENTIFIED BY 'MyNewCrafterPass';

      Again, remember to replace MyNewCrafterPass with the actual password you want to set, and if you are connecting to the DB from another host, change localhost with the remote hostname or IP address.

    2. Stop Studio

    3. Update the values in the configuration file crafter-setenv.sh with the new password used in the previous step

      CRAFTER_HOME/bin/crafter-setenv.sh
      # -------------------- MariaDB variables --------------------
...
export MARIADB_ROOT_PASSWD=${MARIADB_ROOT_PASSWD:="MyNewPass"}
...
export MARIADB_PASSWD=${MARIADB_PASSWD:="MyNewCrafterPass"}

    4. Restart Studio

  • Change the default Studio admin user password either by randomizing the admin password for a fresh install of Crafter Studio or by changing the password after logging in as user admin. For more information on randomizing the admin password for a fresh install, see Randomize “admin” Password for CrafterCMS Fresh Install. For more information on changing user passwords, see User passwords

  • Set session cookies as HTTP Only and Secure by setting the flags to true in your tomcat web.xml file

    CRAFTER_HOME/bin/apache-tomcat/conf/web.xml
    1<session-config>
2  <session-timeout>1</session-timeout>
3  <cookie-config>
4    <http-only>true</http-only>
5    <secure>true</secure>
6  </cookie-config>
7</session-config>