
Encrypt Passwords

Ataccama provides a tool for encrypting passwords used in the Ataccama configuration files (for example, Runtime Configuration, Server Configuration).

Encrypt passwords using a generic key

You can easily encrypt a password with the out-of-the-box <ATACCAMA_HOME>/bin/encrypt.[bat|sh]. The script uses the AES encryption method.

  1. Navigate to <ATACCAMA_HOME>/bin.

  2. Run encrypt.bat (Windows) or encrypt.sh (Unix-based systems), depending on your operating system.

  3. Type your password and press Enter. For example:

    C:\<ATACCAMA_HOME>\bin>encrypt.bat
    Using Java at: "C:\<ATACCAMA_HOME>\jre\bin\java.exe"
    Using the runtime  at: "C:\<ATACCAMA_HOME>\runtime"
    MyPassword
    2019-07-29 12:15:25 [INFO]    com.ataccama.security.javaencryption.DefaultEncryptionEngine message=createDefaultKeyProvider reason=the 'properties.encryption.keystore' property not specified
    crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020=
  4. The encrypted form of your password appears (the string starting with crypted:). Copy it and replace the plain-text password in your configuration files with this string.

    Sample .runtimeConfig with the encrypted password
    <dataSource driverclass="org.apache.derby.jdbc.ClientDriver" name="derby"
       url="jdbc:derby://localhost:1527/dqit"
       user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>
  5. Restart ONE Runtime Server to apply changes.

Encrypt passwords using your keystore

You can encrypt passwords using your key from your Java keystore.

Prerequisites

  1. Make sure you have a keystore with keys stored.

  2. Make sure the key entries themselves are not password protected (the keystore password is supplied separately, see below); otherwise the encryption cannot be used.

Store key and keystore information into JAVA_OPTS

Store information about your key and keystore into a JAVA_OPTS system variable using the following properties:

  • -Dproperties.encryption.keyAlias: The alias of your key in your Java keystore. This parameter is required: if it is omitted, the default hard-coded key is used for encryption instead of your key.

  • -Dproperties.encryption.keystore.password: The password to your JAVA keystore.

  • -Dproperties.encryption.keystore.passwordFile: The path to the plain-text file containing your Java keystore password. Useful if you want to avoid placing the keystore password in the configuration files. As additional protection, restrict the file system access rights on this password file so that only the account running the runtime can read it.

  • -Dproperties.encryption.keystore: The path to your Java keystore.

    Specify either -Dproperties.encryption.keystore.password or -Dproperties.encryption.keystore.passwordFile property. If you specify both, *.password takes priority.

For example:

JAVA_OPTS=-Dproperties.encryption.keyAlias=256bitkey -Dproperties.encryption.keystore.password=MyPassword -Dproperties.encryption.keystore=C:/ATACCAMA_HOME/bin/keystore.jceks

Encrypt the password

Encrypt the password using the <ATACCAMA_HOME>/bin/onlinectl.[bat|sh].

For more information about the onlinectl.[bat|sh] script, see OnlineCtl.

  1. Navigate to <ATACCAMA_HOME>/bin.

  2. Run the following command:

    onlinectl.sh password <encryption_method> '<your_password>'

    Where:

      • encryption_method: The supported methods are AES, DES, DESede, and AES_CBC.

      • your_password: The password to encrypt.

    IMPORTANT: If you omit the single quotes (') around your password, some special characters, such as curly brackets ({}) and the dollar sign ($), are excluded from the password.

    For example:

    C:\<ATACCAMA_HOME>\bin>onlinectl.bat password -AES_CBC MyPassword
    Using Java at: "C:\<ATACCAMA_HOME>\jre\bin\java.exe"
    Using the runtime at: "C:\<ATACCAMA_HOME>\runtime"
    2019-07-29 12:27:10 [INFO]    com.ataccama.security.javaencryption.DefaultEncryptionEngine message=createKeyProvider providers=default,keystore, keystore=C:\<ATACCAMA_HOME>\jre\bin\keystore.jceks
    2019-07-29 12:27:10 [INFO]     Creating password for 'MyPassword'
    2019-07-29 12:27:11 [INFO]     The encrypted password is 'crypted:AES_CBC(256bitkey):mBZvTIgT17KGRB9iMDNUh38SFmvzJD3OqS2/7o2Sf00='
  3. The encrypted form of your password appears (the string starting with crypted:). Copy it and replace the plain-text password in your configuration files with this string.

    Sample .runtimeConfig with the encrypted password
    <dataSource driverclass="org.apache.derby.jdbc.ClientDriver" name="derby"
       url="jdbc:derby://localhost:1527/dqit"
       user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>
  4. Restart ONE Runtime Server to apply changes.

Re-encrypt secrets after credentials rotation

When credentials are rotated, any existing encrypted secrets must be updated to ensure compatibility with the new credentials.

To re-encrypt secrets using the encrypt.[bat|sh] utility:

  1. Navigate to the runtime/bin directory in your Ataccama installation folder.

  2. Run encrypt.bat (Windows) or encrypt.sh (Unix-based systems), depending on your operating system.

  3. When prompted, enter the new credentials or secret you want to encrypt.

  4. The utility outputs an encrypted string (for example, crypted:AES:…). Copy this string.

  5. Replace the old encrypted string in your configuration files with the newly encrypted secret.

  6. Test the updated configuration to ensure the change is correctly applied. For example, if you changed the data source credentials, try connecting to the given data source.
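After re-encryption (and equally after either encryption procedure above), it is worth checking that no dataSource password was left in plain text and that none still relies on the default built-in key. The script below is an added example, not part of the Ataccama tooling; the crypted:METHOD(alias):base64 token layout and the <runtimeConfig> wrapper element are assumptions inferred from the two outputs shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# Token layout assumed from the two outputs shown on this page:
#   crypted:AES:<base64>                 (built-in default key, no alias)
#   crypted:AES_CBC(256bitkey):<base64>  (key alias from your own keystore)
CRYPTED_RE = re.compile(
    r"^crypted:(?P<method>[A-Za-z0-9_]+)(?:\((?P<alias>[^)]*)\))?:(?P<data>[A-Za-z0-9+/=]+)$"
)
SUPPORTED_METHODS = {"AES", "DES", "DESede", "AES_CBC"}  # methods listed for onlinectl


def parse_crypted(value):
    """Return (method, alias_or_None, base64_data), or None if not a crypted token."""
    m = CRYPTED_RE.match(value)
    return (m.group("method"), m.group("alias"), m.group("data")) if m else None


def audit_datasources(xml_text, require_alias=True):
    """List (dataSource name, finding) for every password attribute that is plain text,
    malformed, uses an unsupported method, or (if require_alias) uses the default key."""
    findings = []
    for ds in ET.fromstring(xml_text).iter("dataSource"):
        name, pw = ds.get("name", "?"), ds.get("password")
        if pw is None:
            continue
        if not pw.startswith("crypted:"):
            findings.append((name, "plain-text password"))
            continue
        parsed = parse_crypted(pw)
        if parsed is None:
            findings.append((name, "malformed crypted token"))
            continue
        method, alias, _ = parsed
        if method not in SUPPORTED_METHODS:
            findings.append((name, f"unsupported method {method}"))
        if require_alias and alias is None:
            findings.append((name, "encrypted with the default built-in key"))
    return findings


# Constructed sample runtime configuration (wrapper element and the pg/h2 entries are made up)
SAMPLE_CONFIG = """<runtimeConfig>
  <dataSource driverclass="org.apache.derby.jdbc.ClientDriver" name="derby"
     url="jdbc:derby://localhost:1527/dqit"
     user="dqit" password="crypted:AES:0HejPV+tCinibAgR2HSfsmPnfyp8XLkADs8XNU5u020="/>
  <dataSource driverclass="org.postgresql.Driver" name="pg" url="jdbc:postgresql://localhost:5432/dq"
     user="dq" password="crypted:AES_CBC(256bitkey):mBZvTIgT17KGRB9iMDNUh38SFmvzJD3OqS2/7o2Sf00="/>
  <dataSource driverclass="org.h2.Driver" name="h2" url="jdbc:h2:mem:test" user="sa" password="MyPassword"/>
</runtimeConfig>"""

if __name__ == "__main__":
    for name, finding in audit_datasources(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run it against each .runtimeConfig after rotation; an empty result means every dataSource password is encrypted with a supported method under your own key alias.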

If your environment uses unique encryption keys, you also need to update the keystore configurations. For details, see Unique Encryption Keys.
