Encrypt Passwords
Ataccama provides a tool for encrypting passwords used in the Ataccama configuration files (for example, Runtime Configuration, Server Configuration).
Encrypt passwords using a generic key
You can easily encrypt a password with the out-of-the-box <ATACCAMA_HOME>/bin/encrypt.[bat|sh] script.
The script uses the AES encryption method.
- Navigate to <ATACCAMA_HOME>/bin.
- Run encrypt.[bat|sh].
- Type your password and press Enter. For example:

    C:\<ATACCAMA_HOME>\bin>encrypt.bat
    Using Java at: "C:\<ATACCAMA_HOME>\jre\bin\java.exe"
    Using the runtime at: "C:\<ATACCAMA_HOME>\runtime"
    MyPassword
    2019-07-29 12:15:25 [INFO] com.ataccama.security.javaencryption.DefaultEncryptionEngine message=createDefaultKeyProvider reason=the 'properties.encryption.keystore' property not specified
    crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020=

- The encrypted form of your password appears (the string starting with crypted:). Copy the whole string and replace the plain-text password in your configuration files with it.

  Sample .runtimeConfig with the encrypted password:

    <dataSource driverclass="org.apache.derby.jdbc.ClientDriver" name="derby" url="jdbc:derby://localhost:1527/dqit" user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>

- Restart ONE Runtime Server to apply changes.
Encrypt passwords using your keystore
You can encrypt passwords using your key from your Java keystore.
Prerequisites
- Make sure you have a keystore with keys stored.
- Make sure your keys have no password protection, otherwise it is not possible to use the encryption.
Store key and keystore information into JAVA_OPTS
Store information about your key and keystore into a JAVA_OPTS system variable using the following properties:
- -Dproperties.encryption.keyAlias: The alias of your key from your Java keystore. The parameter is required, otherwise the default hardcoded key is used for encryption.
- -Dproperties.encryption.keystore.password: The password to your Java keystore.
- -Dproperties.encryption.keystore.passwordFile: The path to the plain-text file with your Java keystore password. Useful if you want to avoid using your keystore password in the configuration files. As an additional protection, you can restrict access rights to the file with a password.
- -Dproperties.encryption.keystore: The path to your Java keystore.

Specify either the -Dproperties.encryption.keystore.password or the -Dproperties.encryption.keystore.passwordFile property. If you specify both, *.password takes priority.
For example:
JAVA_OPTS=-Dproperties.encryption.keyAlias=256bitkey -Dproperties.encryption.keystore.password=MyPassword -Dproperties.encryption.keystore=C:/ATACCAMA_HOME/bin/keystore.jceks
Encrypt the password
Encrypt the password using the <ATACCAMA_HOME>/bin/onlinectl.[bat|sh] script.
For more information about the onlinectl.[bat|sh] script, see OnlineCtl.
- Navigate to <ATACCAMA_HOME>/bin.
- Run the following command:

    onlinectl.sh password <encryption_method> '<your_password>'

  Where:
  * encryption_method: The supported methods are: AES, DES, DESede, AES_CBC.
  * your_password: The password to encrypt.

  IMPORTANT: If you omit single quotes (') when specifying your password, some special characters, such as curly brackets ({}) and the dollar sign ($), are excluded from the password.

  For example:

    C:\<ATACCAMA_HOME>\bin>onlinectl.bat password -AES_CBC MyPassword
    Using Java at: "C:\<ATACCAMA_HOME>\jre\bin\java.exe"
    Using the runtime at: "C:\<ATACCAMA_HOME>\runtime"
    2019-07-29 12:27:10 [INFO] com.ataccama.security.javaencryption.DefaultEncryptionEngine message=createKeyProvider providers=default,keystore, keystore=C:\<ATACCAMA_HOME>\jre\bin\keystore.jceks
    2019-07-29 12:27:10 [INFO] Creating password for 'MyPassword'
    2019-07-29 12:27:11 [INFO] The encrypted password is 'crypted:AES_CBC(256bitkey):mBZvTIgT17KGRB9iMDNUh38SFmvzJD3OqS2/7o2Sf00='

- The encrypted form of your password appears (the string starting with crypted:). Copy the whole string and replace the plain-text password in your configuration files with it.

  Sample .runtimeConfig with the encrypted password:

    <dataSource driverclass="org.apache.derby.jdbc.ClientDriver" name="derby" url="jdbc:derby://localhost:1527/dqit" user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>

- Restart ONE Runtime Server to apply changes.
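
To check which passwords in a configuration file are still in plain text or encrypted without a keystore key, the following added example (not part of the Ataccama tooling or documentation) classifies every password attribute. It assumes the value format seen in the two sample outputs above, and that a value without a key alias in parentheses was produced with the generic key; the function names and the sample file are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Assumed value format, inferred from the two sample outputs on this page:
#   crypted:<METHOD>:<base64>              -> no key alias (generic key)
#   crypted:<METHOD>(<keyAlias>):<base64>  -> key taken from a keystore
CRYPTED = re.compile(
    r"^crypted:(?P<method>[A-Za-z_]+)(?:\((?P<alias>[^)]+)\))?:(?P<data>[A-Za-z0-9+/=]+)$"
)


def classify(value):
    """Return (status, method, key_alias) for one password attribute value."""
    m = CRYPTED.match(value)
    if m is None:
        return ("plaintext", None, None)
    if m.group("alias") is None:
        return ("generic-key", m.group("method"), None)
    return ("keystore-key", m.group("method"), m.group("alias"))


def audit(xml_text):
    """List (name, status, method, key_alias) for each element with a password attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "password" in elem.attrib:
            findings.append((elem.get("name", elem.tag), *classify(elem.attrib["password"])))
    return findings


# Constructed sample: the wrapper element and the "warehouse" and "legacy"
# entries are made up; the two crypted values are the sample outputs above.
SAMPLE = """<runtimeconfig>
  <dataSource name="derby" user="dqit"
      password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>
  <dataSource name="warehouse" user="etl"
      password="crypted:AES_CBC(256bitkey):mBZvTIgT17KGRB9iMDNUh38SFmvzJD3OqS2/7o2Sf00="/>
  <dataSource name="legacy" user="app" password="MyPassword"/>
</runtimeconfig>"""

if __name__ == "__main__":
    for name, status, method, alias in audit(SAMPLE):
        print(f"{name:10} {status:13} method={method} keyAlias={alias}")
```

Entries reported as plaintext or generic-key are the ones to re-encrypt with a key from your keystore.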