Encrypting sensitive configuration values

Configuration encryption provides privacy and increased security for sensitive configuration values such as passwords.

Activate configuration encryption to protect sensitive configuration values such as passwords. Sensitive configuration values in the OpsCenter UI are encrypted on the fly, then transmitted and written in encrypted form to the relevant configuration files. If you edit a configuration file manually, you must encrypt the value yourself and paste it in the appropriate location. Use the OpsCenter system key tool to manually encrypt configuration values.

System encryption key

The OpsCenter system key tool creates the key used for encryption on the opscenterd machine and on all the nodes in a cluster. The system key tool resides in the bin directory of opscenterd. Decrypting values is not supported.

Table: System key encryption modes and strengths

| AES encryption mode (cipher algorithm) | Key strengths   |
|----------------------------------------|-----------------|
| ECB                                    | 128- or 256-bit |
| CBC                                    | 128- or 256-bit |
| CFB                                    | 128- or 256-bit |
| OFB                                    | 128- or 256-bit |

Note: Using 256-bit key strength requires upgrading the JRE with enhanced security jar files. Download and install the Java Cryptography Extension (JCE), unzip the jar files, and place them under $JAVA_HOME/jre/lib/security. JCE-based products are restricted for export to certain countries by the U.S. Export Administration Regulations.

Encrypted fields

When configuration encryption is active, OpsCenter automatically encrypts any sensitive configuration values in the OpsCenter UI that are required to be encrypted. The majority of sensitive configuration values, however, can only be changed by editing the appropriate configuration file directly and supplying the manually encrypted value.

The cluster configuration cluster_name.conf fields that require encryption include:
  • [jmx]: password
  • [cassandra]: password, ssl_keystore_password, ssl_truststore_password
  • [storage_cassandra]: password, ssl_keystore_password, ssl_truststore_password
  • [agents]: ssl_keystore_password (monitored cluster), storage_ssl_keystore_password (storage cluster)
  • [agent_kerberos]: keytab, ticket_cache
  • [ldap]: search_password

You are not required to configure the following agent configuration fields in address.yaml. OpsCenter provides the values from opscenterd.conf to the agents when it connects.

Note: If you set the agent configuration field values in address.yaml, and set config_encryption_active to true in address.yaml in addition to opscenterd.conf, you must supply the encrypted values for those fields.

The agent configuration fields that require encryption include:
  • jmx_pass
  • cassandra_pass
  • monitored_cassandra_pass
  • ssl_keystore_password (storage cluster)
  • monitored_ssl_keystore_password (monitored cluster)
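
The two field lists above can be turned into a pre-activation check. The following is an added example, not OpsCenter code: it reports which of the listed fields currently hold a value in a cluster_name.conf or address.yaml file, so each can be replaced with a manually encrypted value. The function names and sample file contents are assumptions made for illustration, and the address.yaml scan only handles flat top-level keys.

```python
import configparser
# Section and key names are copied from the lists on this page.
CLUSTER_FIELDS = {
    "jmx": ["password"],
    "cassandra": ["password", "ssl_keystore_password", "ssl_truststore_password"],
    "storage_cassandra": ["password", "ssl_keystore_password", "ssl_truststore_password"],
    "agents": ["ssl_keystore_password", "storage_ssl_keystore_password"],
    "agent_kerberos": ["keytab", "ticket_cache"],
    "ldap": ["search_password"],
}
AGENT_FIELDS = {"jmx_pass", "cassandra_pass", "monitored_cassandra_pass",
                "ssl_keystore_password", "monitored_ssl_keystore_password"}

def cluster_fields_set(conf_text):
    """Return (section, key) pairs from cluster_name.conf that hold a value."""
    # interpolation=None keeps a '%' inside a password literal instead of raising.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return [(section, key)
            for section, keys in CLUSTER_FIELDS.items() if parser.has_section(section)
            for key in keys if parser.get(section, key, fallback="").strip()]

def agent_fields_set(yaml_text):
    """Return sensitive top-level keys in address.yaml that hold a value."""
    found = []
    for line in yaml_text.splitlines():
        if not line or line[0] in " \t#" or ":" not in line:
            continue  # skip blanks, comments and nested entries
        key, _, value = line.partition(":")
        if key.strip() in AGENT_FIELDS and value.split(" #")[0].strip():
            found.append(key.strip())
    return found

# Constructed sample files; every value is made up.
SAMPLE_CLUSTER_CONF = """\
[jmx]
password = s3cret%pass
[cassandra]
password =
[ldap]
search_password = example
"""
SAMPLE_ADDRESS_YAML = """\
jmx_pass: example
cassandra_pass:
"""

if __name__ == "__main__":  # reports field names only, never the secret values
    print(cluster_fields_set(SAMPLE_CLUSTER_CONF))
    print(agent_fields_set(SAMPLE_ADDRESS_YAML))
```

The check returns field names rather than values so its output can be logged or shared without exposing the secrets it audits.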

cluster_name.conf 

The location of the cluster_name.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/clusters/cluster_name.conf
  • Tarball installations: install_location/conf/clusters/cluster_name.conf

opscenterd.conf 

The location of the opscenterd.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/opscenterd.conf
  • Tarball installations: install_location/conf/opscenterd.conf

address.yaml 

The location of the address.yaml file depends on the type of installation:

  • Package installations: /var/lib/datastax-agent/conf/address.yaml
  • Tarball installations: install_location/conf/address.yaml