Encrypt sensitive configuration values
Configuration encryption provides privacy and increased security for sensitive configuration values, such as passwords.
To enable this feature you need to edit the following files:
-
opscenterd.conf: Located at/etc/opscenter/opscenterd.conffor package installations, and atINSTALL_DIRECTORY/conf/opscenterd.conffor tarball installations. -
cluster_name.conf: Located at/etc/opscenter/clusters/cluster_name.conffor package installations, and atINSTALL_DIRECTORY/conf/clusters/cluster_name.conffor tarball installations. -
address.yaml: Located at/var/lib/datastax-agent/conf/address.yamlfor package installations, and atINSTALL_DIRECTORY/conf/address.yamlfor tarball installations.
Activate configuration encryption for privacy and increased security for sensitive configuration values such as passwords. Sensitive configuration values entered within the OpsCenter user interface are encrypted dynamically, then transmitted and written in an encrypted state to the relevant configuration files.
Manually editing configuration files requires manually encrypting the value and copying it to the appropriate location. Use the OpsCenter system key tool to manually encrypt configuration values.
|
Credentials used to access existing destinations for scheduled backups must be encrypted manually.
For example, you must manually encrypt the |
System encryption key
The OpsCenter system key tool allows creating a key used for encryption on the opscenterd machine and all the nodes in a cluster. The system key tool resides in the /bin directory of opscenterd, such as /usr/share/opscenter/bin. Decrypting values is not supported.
| AES encryption modes (cipher algorithm) | Key strengths |
|---|---|
ECB |
128- or 256-bit |
CBC |
128- or 256-bit |
CFB |
128- or 256-bit |
OFB |
128- or 256-bit |
Using 256-bit key strength requires upgrading the JRE with enhanced security jar files.
Download and install the Java Cryptography Extension (JCE), unzip the jar files, and place them under $JAVA_HOME/jre/lib/security.
JCE-based products are restricted for export to certain countries by the U.S.
Export Administration Regulations.
Encrypted fields
When configuration encryption is active in OpsCenter, any sensitive configuration values in the OpsCenter UI that are required to be encrypted are encrypted automatically by OpsCenter. The majority of sensitive configuration values can only be changed by directly editing the appropriate configuration file with the manually-encrypted configuration value.
- cluster_name.conf fields that require encryption
-
-
[jmx]:password -
[cassandra]:password,ssl_keystore_password,ssl_truststore_password -
[storage_cassandra]:password,ssl_keystore_password,ssl_truststore_password -
[agents]:ssl_keystore_passwordandssl_truststore_password(monitored cluster),storage_ssl_keystore_password,storage_ssl_truststore_password(separate storage cluster) -
[agent_kerberos]:keytab,ticket_cache -
[backup_service]:s3_proxy_host,s3_proxy_port
-
- email.conf fields that require encryption
-
-
smtp_pass
-
This file is located in INSTALL_DIRECTORY/event-plugins/email.conf.
Encryption for the smtp_pass field must be manually enabled.
- opscenterd.conf fields that require encryption
-
-
[ldap]:search_password
-
- address.yaml fields that require encryption
-
DataStax Agent configuration fields in
address.yamlcan be optionally encrypted. OpsCenter provides the values fromopscenterd.confto the DataStax Agents when it connects.If you set the DataStax Agent configuration fields values in
address.yaml, and you setconfig_encryption_activetotruein bothaddress.yamlandopscenterd.conf, then you must supply the encrypted values for these fields.-
access_secret -
storage_key -
jmx_pass -
cassandra_pass -
monitored_cassandra_pass -
ssl_keystore_password(storage cluster) -
ssl_truststore_password(storage cluster) -
monitored_ssl_keystore_password(monitored cluster) -
monitored_ssl_truststore_password(monitored cluster)
-
