Encrypting Passwords in the Cluster Node Configuration File

Use the esp_encrypt executable to encrypt passwords in a cluster node configuration file (<node-name>.xml) for new nodes, or to re-encrypt existing values.

During installation, ESP encrypts passwords in <node-name>.xml for the cache, keystore, and key elements. Encrypt passwords in <node-name>.xml only when you configure a new node or cluster (before you start it), or when you need to re-encrypt a password or property using a new key file.

The key password element is optional. While the keystore password locks the entire keystore, the key password only locks a specific key within the store. If the key password is not specified, ESP uses the same password for both elements.

  1. Shut down the affected node or, in some cases, the entire cluster:
    Before you...                                                         Shut down...
    Encrypt a password in <node-name>.xml that has not changed            The node
      (the password value is already in the file)
    Change and encrypt a password or keypassword in the Cache or          All nodes in the cluster
      Keystore section of <node-name>.xml
    Note: If you choose to encrypt passwords in the Keystore element of a new node, first configure the Keystore section of <node-name>.xml. The Type, File, and Password elements in Keystore require values. A default value is provided for Type, but you must fill in File and Password values.
  2. Use a text editor to open the cluster node configuration file:
    ESP_HOME/cluster/nodes/<node-name>/<node-name>.xml
  3. If you are encrypting a password that is already in the cluster node configuration file, copy the password you want to encrypt.
    In the following section of a sample cluster node configuration file, the keystore password is "Pass1234".
    <Security>
      .
      .
      .
      <Cipher>
        <File>ESP_HOME/cluster/keys/<cluster-name>/cluster.key</File>
      </Cipher>
      <Keystore>
        <Type>JKS</Type>
        <File>ESP_HOME\security\keystore_rsa.jks</File>
        <Password prompt="true">Pass1234</Password>
        <Algorithm>RSA</Algorithm>
      </Keystore>
      .
      .
      .
    </Security>
  4. Note the value in the Cipher element. This is the cluster key file required to encrypt passwords. If the Cipher element does not exist:
    1. Create a cluster key. From a command line, navigate to ESP_HOME/bin and launch the esp_encrypt executable using the --create-key option:
      esp_encrypt --create-key cluster.key
      The command writes a new key to the file cluster.key.
    2. Add the Cipher element to <node-name>.xml using the format in step 3.
  5. From a command line, navigate to ESP_HOME/bin and launch the esp_encrypt executable using the --encrypt option:
    esp_encrypt --encrypt <key-file> --text <text>
    Here <key-file> is the cluster key file identified in step 4 and <text> is the password to encrypt. If you enter the --text value successfully, the esp_encrypt executable writes the encrypted text to the display.
  6. Copy and paste the encrypted text from the utility into the cluster node configuration file you opened in step 2. Replace the original value in the Password or KeyPassword parameters for the Keystore or Cache elements with the encrypted text.
  7. Ensure that the encrypted attribute on each Password or KeyPassword element that receives encrypted text is set to encrypted="true".
    This attribute tells the server that the value is encrypted text to be decrypted at runtime. If the attribute is not set to true, the server treats the encrypted text as the literal password and tries to use it without decrypting it, resulting in errors.
  8. Save and close the cluster node configuration file.
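The procedure above ends with a manual check (step 7) that is easy to miss when several values are edited. The following Python script is an added example, not code from the ESP product or its documentation: it parses a node configuration file, reports the cluster key file named in the Cipher element, lists every Password or KeyPassword value in the Keystore and Cache sections that is not marked encrypted="true", and applies a value copied from esp_encrypt output together with the attribute. The sample XML is constructed for the example; the <Configuration> root element, the layout of the Cache section and the KeyPassword element name are assumptions drawn from the page's prose, and the script never invokes esp_encrypt itself.

```python
# Added example (not ESP product code): audit a cluster node configuration file
# for Password/KeyPassword values that lack encrypted="true", and apply an
# esp_encrypt result in place. The ciphertext must come from esp_encrypt.
import xml.etree.ElementTree as ET

# Constructed sample <node-name>.xml. The Cipher and Keystore layout follows the
# page's sample; the <Configuration> root, the Cache layout and the KeyPassword
# element are assumptions drawn from the page's prose, not from a real node file.
SAMPLE_NODE_XML = """<Configuration>
  <Security>
    <Cipher>
      <File>ESP_HOME/cluster/keys/cluster1/cluster.key</File>
    </Cipher>
    <Keystore>
      <Type>JKS</Type>
      <File>ESP_HOME/security/keystore_rsa.jks</File>
      <Password prompt="true">Pass1234</Password>
      <KeyPassword>KeyPass5678</KeyPassword>
      <Algorithm>RSA</Algorithm>
    </Keystore>
  </Security>
  <Cache>
    <Password encrypted="true">c2FtcGxlLWNpcGhlcnRleHQ=</Password>
  </Cache>
</Configuration>
"""

# Sections and element names the page says may carry encrypted values.
SECTIONS = ("Keystore", "Cache")
PASSWORD_TAGS = ("Password", "KeyPassword")


def load_node_config(xml_text):
    """Parse the node configuration text into an element tree root."""
    return ET.fromstring(xml_text)


def cipher_key_file(root):
    """Return the cluster key file named in Cipher/File, or None if the element is absent."""
    node = root.find(".//Cipher/File")
    if node is None or not node.text:
        return None
    return node.text.strip()


def is_marked_encrypted(elem):
    """True when the element carries encrypted="true" (case-insensitive)."""
    return elem.get("encrypted", "").strip().lower() == "true"


def find_plaintext_passwords(root):
    """List 'Section/Tag' paths whose value is not marked encrypted="true".

    The server treats any value without the attribute as a literal password,
    so this catches both never-encrypted values and pasted ciphertext whose
    attribute was forgotten (the error case the page warns about).
    """
    plaintext = []
    for section in SECTIONS:
        for sec_elem in root.iter(section):
            for tag in PASSWORD_TAGS:
                for pw in sec_elem.findall(tag):
                    if not is_marked_encrypted(pw):
                        plaintext.append(f"{section}/{tag}")
    return plaintext


def apply_encrypted_value(root, section, tag, ciphertext):
    """Replace one value with the text esp_encrypt printed and set encrypted="true".

    The caller supplies the ciphertext copied from esp_encrypt output; this
    function does not run esp_encrypt.
    """
    sec_elem = root.find(f".//{section}")
    if sec_elem is None:
        raise ValueError(f"no <{section}> element in node configuration")
    pw = sec_elem.find(tag)
    if pw is None:
        raise ValueError(f"no <{tag}> element under <{section}>")
    if not ciphertext or ciphertext.isspace():
        raise ValueError("refusing to write an empty encrypted value")
    pw.text = ciphertext.strip()
    pw.set("encrypted", "true")
    return pw


if __name__ == "__main__":
    root = load_node_config(SAMPLE_NODE_XML)
    print("cluster key file:", cipher_key_file(root))
    print("still plaintext:", find_plaintext_passwords(root))
    # Simulate pasting the esp_encrypt output for the keystore password.
    apply_encrypted_value(root, "Keystore", "Password", "PASTE-ESP_ENCRYPT-OUTPUT-HERE")
    print("after update:", find_plaintext_passwords(root))
    print(ET.tostring(root, encoding="unicode"))
```

Run it against a real file by replacing SAMPLE_NODE_XML with the contents of ESP_HOME/cluster/nodes/<node-name>/<node-name>.xml; an empty list from find_plaintext_passwords is the condition step 7 asks you to confirm before saving the file. A non-empty list after pasting means the attribute was missed on that element and the node would try to use the ciphertext as the literal password.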
Related tasks
Stopping a Node or Cluster