
Encrypt Passwords

Ataccama provides a tool for encrypting passwords used in the Ataccama configuration files (for example, Runtime Configuration, Server Configuration).

Encrypt passwords using a generic key

You can encrypt a password with the out-of-the-box script <ATACCAMA_HOME>/bin/encrypt.[bat|sh]. The script uses the AES encryption method with the default key built into the product, not a key from your own keystore.

  1. Navigate to <ATACCAMA_HOME>/bin.

  2. Run encrypt.[bat|sh].

  3. Type your password and press Enter. For example:

    C:\<ATACCAMA_HOME>\bin>encrypt.bat
    Using Java at: "C:\<ATACCAMA_HOME>\jre\bin\java.exe"
    Using the runtime  at: "C:\<ATACCAMA_HOME>\runtime"
    MyPassword
    2019-07-29 12:15:25 [INFO]    com.ataccama.security.javaencryption.DefaultEncryptionEngine message=createDefaultKeyProvider reason=the 'properties.encryption.keystore' property not specified
    crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020=

  4. The encrypted password appears. Copy the whole value, including the crypted:AES: prefix, and use it to replace the plain-text password in your configuration files.

    Sample .runtimeConfig with the encrypted password:

    <dataSource driverclass="org.apache.derby.jdbc.ClientDriver" name="derby"
       url="jdbc:derby://localhost:1527/dqit"
       user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>

  5. Restart ONE Runtime Server to apply changes.

Encrypt passwords using your keystore

You can encrypt passwords using your key from your Java keystore.

Prerequisites

  1. Make sure you have a keystore with keys stored.

  2. Make sure your keys have no password protection; otherwise, they cannot be used for encryption.

Store key and keystore information into JAVA_OPTS

Store information about your key and keystore into a JAVA_OPTS system variable using the following properties:

  • -Dproperties.encryption.keyAlias: The alias of your key in your Java keystore. This parameter is required; if it is missing, the default hardcoded key is used for encryption.

  • -Dproperties.encryption.keystore.password: The password to your Java keystore.

  • -Dproperties.encryption.keystore.passwordFile: The path to the plain-text file that contains your Java keystore password. Useful if you want to avoid putting your keystore password in the configuration files. As an additional protection, you can restrict access rights to the password file.

  • -Dproperties.encryption.keystore: The path to your Java keystore.

    Specify either -Dproperties.encryption.keystore.password or -Dproperties.encryption.keystore.passwordFile property. If you specify both, *.password takes priority.

For example:

    JAVA_OPTS=-Dproperties.encryption.keyAlias=256bitkey -Dproperties.encryption.keystore.password=MyPassword -Dproperties.encryption.keystore=C:/ATACCAMA_HOME/bin/keystore.jceks

Encrypt the password

Encrypt the password using the <ATACCAMA_HOME>/bin/onlinectl.[bat|sh].

For more information about the onlinectl.[bat|sh] script, see OnlineCtl.

  1. Navigate to <ATACCAMA_HOME>/bin.

  2. Run the following command:

    onlinectl.sh password <encryption_method> '<your_password>'

    Where:

      • encryption_method: The supported methods are: AES, DES, DESede, AES_CBC.

      • your_password: The password to encrypt.

    IMPORTANT: If you omit single quotes (') when specifying your password, some special characters, such as curly brackets ({}) and the dollar sign ($), are excluded from the password.

    For example:

    C:\<ATACCAMA_HOME>\bin>onlinectl.bat password -AES_CBC MyPassword
    Using Java at: "C:\<ATACCAMA_HOME>\jre\bin\java.exe"
    Using the runtime at: "C:\<ATACCAMA_HOME>\runtime"
    2019-07-29 12:27:10 [INFO]    com.ataccama.security.javaencryption.DefaultEncryptionEngine message=createKeyProvider providers=default,keystore, keystore=C:\<ATACCAMA_HOME>\jre\bin\keystore.jceks
    2019-07-29 12:27:10 [INFO]     Creating password for 'MyPassword'
    2019-07-29 12:27:11 [INFO]     The encrypted password is 'crypted:AES_CBC(256bitkey):mBZvTIgT17KGRB9iMDNUh38SFmvzJD3OqS2/7o2Sf00='

  3. The encrypted password appears. Copy the whole value, starting with the crypted: prefix, and use it to replace the plain-text password in your configuration files. The output above also contains the password in plain text (the "Creating password for" line), so avoid saving or sharing the console output.

    Sample .runtimeConfig with the encrypted password:

    <dataSource driverclass="org.apache.derby.jdbc.ClientDriver" name="derby"
       url="jdbc:derby://localhost:1527/dqit"
       user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>

  4. Restart ONE Runtime Server to apply changes.
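
To check configuration files after following either procedure, the Python script below (an added example, not Ataccama code) reports which password attributes are still plain text, which were encrypted with the default hardcoded key, and which use a keystore key alias. It assumes the value shape crypted:<method>[(<keyAlias>)]:<base64>, inferred from the two sample outputs on this page; the function names and the first sample entry are constructed.

```python
import base64
import re

# password="..." attributes, as in the .runtimeConfig sample on this page.
PASSWORD_ATTR = re.compile(r'\bpassword\s*=\s*"([^"]*)"')
# Assumed shape: crypted:<method>[(<keyAlias>)]:<base64>, inferred from the
# two sample values shown on this page.
CRYPTED = re.compile(
    r'^crypted:(?P<method>\w+)(?:\((?P<alias>[^)]+)\))?:(?P<data>[A-Za-z0-9+/=]+)$'
)
METHODS = {"AES", "DES", "DESede", "AES_CBC"}  # methods listed on this page


def classify(value):
    """Return how a password value is protected."""
    m = CRYPTED.match(value)
    if m is None:
        return "plaintext"
    if m["method"] not in METHODS:
        return "unknown-method"
    try:
        base64.b64decode(m["data"], validate=True)
    except ValueError:  # binascii.Error is a ValueError: truncated or bad paste
        return "malformed"
    if m["alias"]:
        return "keystore-key:" + m["alias"]
    # Assumption: a value without an alias came from the default hardcoded key.
    return "default-key"


def audit(config_text):
    """Return (line number, classification) for every password attribute."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for m in PASSWORD_ATTR.finditer(line):
            findings.append((lineno, classify(m.group(1))))
    return findings


# Constructed sample: entry "a" is made up; the two crypted values are the
# sample outputs from this page.
SAMPLE_CONFIG = """\
<dataSource name="a" user="dqit" password="MyPassword"/>
<dataSource name="b" user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>
<dataSource name="c" user="dqit" password="crypted:AES_CBC(256bitkey):mBZvTIgT17KGRB9iMDNUh38SFmvzJD3OqS2/7o2Sf00="/>
"""

if __name__ == "__main__":
    for lineno, kind in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}")
```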
