Set Up Password Encryption in Datameer
Password encryption with Keyczar is only supported for Enterprise customers. Ask your Datameer representative to obtain the plug-in.
For password encryption, Datameer uses the KeyczarTool.
Learn how best to set up Datameer to use password encryption. Using this setup, passwords to a database or the admin password for Datameer itself are encrypted in the live.properties or default.properties files. If you are using multiple property files, make sure that these passwords are only set in the overriding file. By default the following passwords are saved as plain text:
- system.property.db.password
- mail.password
- admin.password
- das.superuser.password
This guide shows you how to encrypt the above passwords using Keyczar and set up Datameer to use these encrypted values.
Requirements
The following requirements need to be met to use password encryption with Datameer.
- Datameer v5.4 or above
- The plugin-crypto-keyczar-<datameerVersion>.zip plug-in (can be obtained from Datameer services representatives)
- Path name to a directory where the keystore file is saved
- The JAVA_HOME environment variable needs to point to the same Java installation that Datameer runs with
Setup Instructions
Before making changes to the Datameer server, stop the Datameer application using the following command:

    <datameerApplicationFolder>/bin/conductor.sh stop

In the default.properties or live.properties file related to your installation, change the property crypto.implementation to keyczar:

    # Defines the cryptographic implementation to use to decrypt encrypted properties in our configuration files
    # Datameer provides two implementations: noop, keyczar
    crypto.implementation=keyczar

The encryption of properties in Datameer is disabled by default. Datameer provides two implementations out of the box:
- noop (no operation, passes values directly through)
- keyczar (uses the Keyczar library to encrypt/decrypt values)

In the default.properties or live.properties file related to your installation, set the property keyczar.key.file. This is the path to the directory where the keystore file lives:

    # In case crypto.implementation=keyczar is used, a path to the keystore directory must be set.
    # This can be a relative path from Datameer home or an absolute path.
    keyczar.key.file=<path/to/keystore-directory>

Copy the plug-in plugin-crypto-keyczar-<datameerVersion>.zip to the etc/custom-plugins folder:

    mv plugin-crypto-keyczar-<datameerVersion>.zip <datameerApplicationFolder>/etc/custom-plugins

Create a keystore file. Note that the keystore directory needs to already exist before this step can be taken. Also note that the keystore file is named meta.

    bin/keyczar.sh create --location=<keystore-directory> --purpose=crypt

Create and add a new key file (if it doesn't already exist):

    bin/keyczar.sh addkey --location=<path/to/keystore-directory> --status=primary

Create encrypted passwords using the crypt.sh script (found under <datameerApplicationFolder>/bin/crypt.sh) and copy these encrypted passwords into the default.properties or live.properties files used for your installation. For example, encrypting the value "12345" prints the encrypted value on the next line:

    <datameerApplicationFolder>/bin/crypt.sh -e "12345"
    ACPmhEUjUWtKwO9qk-KXNFpEN0BKLIha2VueI2zrlpOJzf4IDwRIr7FK-qA9aCwClugnX4h2vyJA

After copying all encrypted passwords into the *.properties files, restart the Datameer application:

    <datameerApplicationFolder>/bin/conductor.sh start
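The property edits and checks from the steps above, as an added example that is not part of the Datameer documentation or its tooling. It assumes the properties files are plain key=value lines and that the Datameer commands themselves (conductor.sh, keyczar.sh, crypt.sh) are run separately; the sample file contents, the keystore path and the "encrypted" value in the demo are constructed placeholders, not output of crypt.sh. Besides setting crypto.implementation and keyczar.key.file and swapping a plain-text password for an encrypted value, it checks that each of the four password keys is defined in only one properties file (the overriding one, as the page requires) and that JAVA_HOME points at a Java installation that has the jre/lib/security directory where the JCE policy files belong.

```shell
#!/bin/sh
# Added example, not Datameer's own code. Helpers for the properties-file
# edits and sanity checks described in the setup steps. Assumes simple
# key=value lines; the Datameer scripts are not invoked here.

# The four properties the page lists as stored in plain text by default.
PASSWORD_KEYS="system.property.db.password mail.password admin.password das.superuser.password"

# has_prop FILE KEY: true if FILE contains a line starting with "KEY=".
# index() is used instead of a regex so the dots in the key are literal.
has_prop() {
  awk -v k="$2" 'index($0, k "=") == 1 { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# get_prop FILE KEY: print the value of KEY (empty if unset).
get_prop() {
  awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1" 2>/dev/null
}

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line or append one.
# Values printed by crypt.sh are URL-safe base64, so no escaping is needed.
set_prop() {
  file=$1; key=$2; value=$3
  if has_prop "$file" "$key"; then
    tmp="${file}.tmp.$$"   # write to a temp file so a failed write cannot truncate the original
    awk -v k="$key" -v v="$value" 'index($0, k "=") == 1 { print k "=" v; next } { print }' "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# enable_keyczar FILE KEYSTORE_DIR: the two settings the setup steps require.
enable_keyczar() {
  set_prop "$1" crypto.implementation keyczar
  set_prop "$1" keyczar.key.file "$2"
}

# check_single_definition FILE...: returns 1 if any password key is set in
# more than one of the given files (passwords must live only in the
# overriding file), 0 otherwise.
check_single_definition() {
  rc=0
  for key in $PASSWORD_KEYS; do
    n=0
    for f in "$@"; do
      has_prop "$f" "$key" && n=$((n + 1))
    done
    if [ "$n" -gt 1 ]; then
      echo "WARNING: $key is defined in $n files; keep it only in the overriding file" >&2
      rc=1
    fi
  done
  return $rc
}

# check_java_home: 0 if JAVA_HOME is set and contains jre/lib/security (where
# the JCE Unlimited Strength policy files are installed), 1 if JAVA_HOME is
# unset, 2 if that directory is missing. Missing policy jars only get a note,
# since 128-bit AES keys work without them.
check_java_home() {
  [ -n "${JAVA_HOME:-}" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
  sec="$JAVA_HOME/jre/lib/security"
  [ -d "$sec" ] || { echo "$sec does not exist" >&2; return 2; }
  for jar in local_policy.jar US_export_policy.jar; do
    [ -f "$sec/$jar" ] || echo "note: $sec/$jar not found; 192/256-bit AES keys need the unlimited strength policy" >&2
  done
  return 0
}

# Demo on constructed sample files, not a real Datameer installation.
demo() {
  dir=$(mktemp -d)
  printf 'admin.password=admin\nmail.password=secret\n' > "$dir/default.properties"
  printf 'admin.password=admin\n' > "$dir/live.properties"
  enable_keyczar "$dir/live.properties" /opt/datameer/keystore   # constructed path
  # Placeholder standing in for the value printed by "crypt.sh -e".
  set_prop "$dir/live.properties" admin.password "EXAMPLE_ENCRYPTED_VALUE"
  check_single_definition "$dir/default.properties" "$dir/live.properties" || echo "fix the duplicate before restarting Datameer"
  cat "$dir/live.properties"
  rm -rf "$dir"
}
demo
```

In the demo, admin.password is still present in default.properties after it was replaced in live.properties, so the check flags it: the plain-text copy in the non-overriding file is exactly what the setup guide tells you to avoid. Run the check against every properties file your installation loads before restarting with conductor.sh start.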
Keyczar Algorithms
When doing encryption/decryption, Datameer uses AES as the algorithm. No alternative algorithms are currently supported. By default, the keys are 128 bits. 192 and 256 bit keys are also supported when the Java Cryptography Extension (JCE) Unlimited Strength files are installed.

The following commands create a key using AES with 128 bits and encrypt the example value "dap":

    bin/keyczar.sh create --location=<keystore-directory> --purpose=crypt
    bin/keyczar.sh addkey --location=<keystore-directory> --status=primary --size=128
    bin/crypt.sh -e dap

The following commands create a key using AES with 256 bits and encrypt the same value:

    bin/keyczar.sh create --location=<keystore-directory> --purpose=crypt
    bin/keyczar.sh addkey --location=<keystore-directory> --status=primary --size=256
    bin/crypt.sh -e dap
Troubleshooting
When using a custom key size, an exception might occur:

    Caused by: java.security.InvalidKeyException: Illegal key size or default parameters.

To fix this, make sure the unlimited strength policy files are installed. The following files are required:
- Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6
- Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
These files must be installed under $JAVA_HOME/jre/lib/security/.