Encrypting Passwords for Configuration Files

The esp_cluster_admin tool includes commands that let you encrypt passwords to avoid having sensitive data in plain text within configuration files.

Prerequisites
Set the ESP_HOME environment variable.
Task

Modify the adapter .cnxml file and the database service configuration file only during project environment setup. Because access to project configuration files is still required after setup, Studio provides an environment in which to modify project file properties. For more information on configuring project files in Studio, see the Studio Users Guide.

  1. Use a text editor to open the desired configuration file.
  2. Within the configuration file, copy the password text you want to encrypt.
    In the following sample configuration file, the password is "Pass1234".
    <?xml version="1.0" ?>
    <Services>
      <Service Name="MyDBService" Type="DB">
        <Parameter Name="DriverType">JDBCASE</Parameter>
        <Parameter Name="Host">localhost</Parameter>
        <Parameter Name="Port">5000</Parameter>
        <Parameter Name="User">testID</Parameter>
        <Parameter Name="Password" encrypted="false">Pass1234</Parameter>
      </Service>
    </Services>
  3. From a command line, navigate to ESP_HOME/bin and launch the esp_cluster_admin tool using the encrypt_text argument and the password you want to encrypt. This command also requires host and port information as well as credentials for the ESP server. For example, where <text> is the password you want to encrypt, the syntax is:
    esp_cluster_admin --uri=esp[s]://<host>:<port> --username=<username> --password=<password> --encrypt_text --text=<text>
    The esp_cluster_admin tool writes the encrypted password to the display.
    Note: If you omit the password parameter when you call the esp_cluster_admin tool, Event Stream Processor prompts you for the password and hides it as you type, which improves security.
    Note: To encode passwords in a CSI configuration file (csi_*.xml, stored by default in ESP_HOME/security), use the encode_text command. See the Utilities Guide for details.
  4. Copy and paste the encrypted text from the utility into the configuration file you opened in step 1. Replace the original password in the Password parameter with the encrypted text, then change the encrypted="false" attribute for the parameter to encrypted="true".
    This attribute ensures that the server recognizes the password as encrypted text and decrypts it at runtime. If the attribute is set to false, the server does not recognize the password as encrypted text and tries to process the password without decrypting it, resulting in errors.
  5. Save and close the configuration file.
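
The following Python check is an added example, not part of the product documentation: it finds Password parameters that are still plain text and applies the step 4 edit. It assumes the service configuration layout shown in step 2 and treats a missing encrypted attribute as plain text; the function names and the placeholder ciphertext are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the service configuration file shown in step 2.
SAMPLE = """<?xml version="1.0" ?>
<Services>
  <Service Name="MyDBService" Type="DB">
    <Parameter Name="User">testID</Parameter>
    <Parameter Name="Password" encrypted="false">Pass1234</Parameter>
  </Service>
</Services>
"""

def plaintext_passwords(root):
    """Return (service name, element) for each Password parameter that holds
    a value and is not marked encrypted="true"."""
    hits = []
    for service in root.iter("Service"):
        for param in service.iter("Parameter"):
            if param.get("Name") != "Password":
                continue
            # Assumption: a missing attribute is treated like encrypted="false".
            if param.get("encrypted", "false") != "true" and (param.text or "").strip():
                hits.append((service.get("Name"), param))
    return hits

def apply_encrypted(root, service_name, ciphertext):
    """Step 4: replace the plain-text value and set encrypted="true"."""
    for name, param in plaintext_passwords(root):
        if name == service_name:
            param.text = ciphertext
            param.set("encrypted", "true")
            return True
    return False

def demo():
    root = ET.fromstring(SAMPLE)
    before = [name for name, _ in plaintext_passwords(root)]
    # Placeholder only; the real value is what esp_cluster_admin displays in step 3.
    apply_encrypted(root, "MyDBService", "PLACEHOLDER_ENCRYPTED_TEXT")
    after = [name for name, _ in plaintext_passwords(root)]
    return before, after, ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    before, after, xml_out = demo()
    print("plain-text passwords before:", before)
    print("plain-text passwords after:", after)
    print(xml_out)
```

Running plaintext_passwords over each service configuration file after setup gives a quick way to confirm that no Password parameter was left with encrypted="false".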