Encryption Configuration
This article describes how to configure internal encryption between ONE modules and how to encrypt specific properties.
In on-premise deployments, all properties listed are provided in the <module>/etc/application.properties file.
Internal encryption
The communication between ONE modules can be encrypted so that any sensitive data exchanged between the modules is protected.
For instance, when jobs are submitted to Data Processing Module (DPM) from public clients, such as ONE Desktop, the information transmitted includes sensitive data from the runtime configuration, typically connection details and credentials for the data sources that are used in the executed plan.
This data is encrypted through a one-time key that is generated by the public client and encrypted using DPM’s public key.
To access the data, DPM uses its own private key to decrypt the one-time key, which is in turn used to decrypt the data.
If the internal.encryption.* properties are configured, the sensitive data is encrypted again through the provided internal keystore.
You have the option to opt in or out of encrypting the sensitive data using the one-time key. If no one-time key is used, DPM will still execute the summited job. However, if you decide to opt out, you can still manually encrypt the runtime configuration data before any client is used to send it to DPM as long as a compatible keystore is configured in DPE.
| Using the one-time key to encrypt the runtime configuration data is the preferred option for public clients like ONE Desktop, as the keystore is pre-shared so that it is available to the client or the user encrypting the sensitive data. |
The internal keystore can also be used to decrypt data source credentials coming from other modules, mainly Metadata Management Module (MMM). In this case, the same keystore needs to be configured for both Data Processing Engine (DPE) and MMM as the data is typically decrypted in DPE. This ensures that the sensitive data is securely transmitted from MMM for data processing.
| All other communicating modules, such as MMM, must have these properties configured in the same or compatible way in order to prevent any conflicts. |
In DPE, all paths used in encryption properties (internal.encryption. and properties.encryption.) must be absolute as they are used both by DPE and external runtime processes.
|
| Make sure the file paths do not contain any space characters. |
| Property | Data type | Description |
|---|---|---|
|
String |
The full path to the keystore used for internal encryption.
For example, |
|
String |
The full path to a plaintext file with the keystore password.
For example, |
|
String |
The name of the key used for encryption from the keystore file. Not used in DPE. |
|
String |
Defines the type of cipher used for encryption. Default value: Not used in DPE and MMM. |
Properties encryption
The properties keystore lets users specify their own keys to encrypt passwords before supplying them to DPM. For example, this can be used for keys that encrypt access to the data sources that users work with.
When the same keystore is configured for DPE, users can make sure that their credentials are protected until they are used to access the data for processing.
| Make sure the file paths do not contain any space characters. |
| Property | Data type | Description |
|---|---|---|
|
String |
The full path to the keystore used for properties encryption.
For example, |
|
String |
The full path to a plaintext file with the keystore password.
For example, |
|
String |
The name of the key used for encryption from the keystore file. Not used in DPE and MMM. |
Was this page useful?