Creating a system key to encrypt sensitive configuration values

Create the system key that enables automatically or manually encrypting sensitive configuration values such as passwords. Copy the system key to the agent for each node.

Follow these instructions to create the system key that enables automatically or manually encrypting sensitive configuration values such as passwords. Copy the system key to the agent for each node. Optionally, configure a custom name for the opsc_system_key or a path to the key when placed in a non-default location. When adjusting configuration files for an existing cluster, manually encrypt the configuration values.

opscenterd.conf

The location of the opscenterd.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/opscenterd.conf
  • Tarball installations: install_location/conf/opscenterd.conf

address.yaml

The location of the address.yaml file depends on the type of installation:
  • Package installations: /var/lib/datastax-agent/conf/address.yaml
  • Tarball installations: install_location/conf/address.yaml

Prerequisites

  • If using 256-bit encryption key strength, upgrade the JRE with enhanced security jar files. Download and install the Java Cryptography Extension (JCE), unzip the jar files, and place them under $JAVA_HOME/jre/lib/security.

Procedure

  1. In your opscenterd directory, run the system tool to create the key with the desired mode and key strength:
    bin/opscenter_system_key_tool create ECB 128
    By default, the system key is named opsc_system_key and is located in the same directory as your opscenterd.conf.
    The name of the system key and the path to the encryption key are configurable in both opscenterd.conf and address.yaml. The options in address.yaml take precedence.
    [security]
    # Specifies whether opscenter should attempt to decrypt sensitive config values
    config_encryption_active = True
    # Name of the system key used to encrypt/decrypt stored passwords.
    config_encryption_key_name = opsc_system_key
    # Path to the encryption key. If left blank, the directory of opscenterd.conf will be used
    config_encryption_key_path =
    

    The only fields in address.yaml you might need to enter are config_encryption_key_name and config_encryption_key_path if you are placing the keys in a location that is not standard on the agents.

  2. Manually copy the system key file to the agent for each node. The key file must reside in the same directory as the address.yaml for the agent.
    cp local/opsc_system_key ../agent/local
  3. Stop OpsCenter and stop the agents.
  4. Restart OpsCenter and the agents.