Encrypting sensitive configuration values
Configuration encryption provides privacy and increased security for sensitive configuration values such as passwords.
When configuration encryption is activated, sensitive configuration values entered in the OpsCenter UI are encrypted on the fly, then transmitted and written in an encrypted state to the relevant configuration files. If you edit a configuration file manually, you must encrypt the value yourself and paste it in the appropriate location. Use the OpsCenter system key tool to manually encrypt configuration values.
System encryption key
AES encryption modes (cipher algorithm) | Key strengths |
---|---|
ECB | 128- or 256-bit |
CBC | 128- or 256-bit |
CFB | 128- or 256-bit |
OFB | 128- or 256-bit |
$JAVA_HOME/jre/lib/security. JCE-based products are restricted for export to certain countries by the U.S. Export Administration Regulations.
Encrypted fields
When configuration encryption is active in OpsCenter, any sensitive configuration values in the OpsCenter UI that are required to be encrypted are encrypted automatically by OpsCenter. The majority of sensitive configuration values can only be changed by directly editing the appropriate configuration file with the manually encrypted configuration value.
The cluster configuration cluster_name.conf fields that require encryption include:
- [jmx]: password
- [cassandra]: password, ssl_keystore_password, ssl_truststore_password
- [storage_cassandra]: password, ssl_keystore_password, ssl_truststore_password
- [agents]: ssl_keystore_password (monitored cluster), storage_ssl_keystore_password (storage cluster)
- [agent_kerberos]: keytab, ticket_cache
- [ldap]: search_password
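As an added example (not part of the OpsCenter documentation or tooling), the following Python script inventories which of the cluster_name.conf fields listed above are actually set, so you know which values must be replaced with output from the system key tool before activating encryption. The function name and the sample configuration are constructed for illustration.

```python
import configparser

# Section -> option names that the page lists as requiring encrypted values
# in cluster_name.conf.
SENSITIVE_FIELDS = {
    "jmx": ["password"],
    "cassandra": ["password", "ssl_keystore_password", "ssl_truststore_password"],
    "storage_cassandra": ["password", "ssl_keystore_password", "ssl_truststore_password"],
    "agents": ["ssl_keystore_password", "storage_ssl_keystore_password"],
    "agent_kerberos": ["keytab", "ticket_cache"],
    "ldap": ["search_password"],
}

def fields_needing_encryption(conf_text):
    """Return sorted (section, option) pairs that are set to a non-empty value."""
    # interpolation=None so a '%' inside a secret is not treated as a reference.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    found = []
    for section, options in SENSITIVE_FIELDS.items():
        if not parser.has_section(section):
            continue
        for option in options:
            if parser.get(section, option, fallback="").strip():
                found.append((section, option))
    return sorted(found)

# Constructed sample, not a real cluster configuration.
SAMPLE_CONF = """
[jmx]
username = monitor
password = example-jmx-secret
port = 7199

[cassandra]
seed_hosts = 10.0.0.1
password =

[storage_cassandra]
ssl_truststore_password = example-truststore-secret

[ldap]
search_password = example-ldap-secret
"""

if __name__ == "__main__":
    for section, option in fields_needing_encryption(SAMPLE_CONF):
        # Print names only; never echo the secret values themselves.
        print(f"[{section}] {option}")
```

The script reports only that a field is set; it does not judge whether the stored value is already encrypted, because the page does not describe the encrypted format.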
config_encryption_active to true in address.yaml in addition to opscenterd.conf, you must supply the encrypted values for those fields.
- jmx_pass
- cassandra_pass
- monitored_cassandra_pass
- ssl_keystore_password (storage cluster)
- monitored_ssl_keystore_password (monitored cluster)
cluster_name.conf
The location of the cluster_name.conf file depends on the type of installation:
- Package installations: /etc/opscenter/clusters/cluster_name.conf
- Tarball installations: install_location/conf/clusters/cluster_name.conf
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
address.yaml
The location of the address.yaml file depends on the type of installation:
- Package installations: /var/lib/datastax-agent/conf/address.yaml
- Tarball installations: install_location/conf/address.yaml