Creating a system key to encrypt sensitive configuration values
About this task
Follow these instructions to create the system key that enables automatically or manually encrypting sensitive configuration values such as passwords. Copy the system key to the agent for each node. Optionally, configure a custom name for the opsc_system_key or a path to the key when placed in a non-default location. When adjusting configuration files for an existing cluster, manually encrypt the configuration values.
address.yaml
The location of the address.yaml file depends on the type of installation:
-
Package installations: /var/lib/datastax-agent/conf/address.yaml
-
Tarball installations: install_location/conf/address.yaml
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
-
Package installations: /etc/opscenter/opscenterd.conf
-
Tarball installations: install_location/conf/opscenterd.conf
Prerequisites
-
If using 256-bit encryption key strength, upgrade the JRE with enhanced security jar files. Download and install the Java Cryptography Extension (JCE), unzip the jar files, and place them under
$JAVA_HOME/jre/lib/security
.
Procedure
-
In your opscenterd directory, run the system tool to create the key with the desired mode and key strength:
bin/opscenter_system_key_tool create ECB 128
By default, the system key is named opsc_system_key and is located in the same directory as your opscenterd.conf.
The name of the system key and the path to the encryption key are configurable in both opscenterd.conf and address.yaml. The options in address.yaml take precedence.
[security] # Specifies whether opscenter should attempt to decrypt sensitive config values config_encryption_active = True # Name of the system key used to encrypt/decrypt stored passwords. config_encryption_key_name = opsc_system_key # Path to the encryption key. If left blank, the directory of opscenterd.conf will be used config_encryption_key_path =
The only fields in address.yaml you might need to enter are
config_encryption_key_name
andconfig_encryption_key_path
if you are placing the keys in a location that is not standard on the agents. -
Manually copy the system key file to the agent for each node. The key file must reside in the same directory as the address.yaml for the agent.
cp local/opsc_system_key ../agent/local
-
Restart OpsCenter and the agents.