Creating a system key to encrypt sensitive configuration values

Create the system key that enables automatically or manually encrypting sensitive configuration values such as passwords. Copy the system key to the agent for each node.

Optionally, configure a custom name for the opsc_system_key, or a path to the key when it is placed in a non-default location. When adjusting configuration files for an existing cluster, manually encrypt the configuration values.

address.yaml

The location of the address.yaml file depends on the type of installation:
  • Package installations: /var/lib/datastax-agent/conf/address.yaml
  • Tarball installations: install_location/conf/address.yaml

opscenterd.conf

The location of the opscenterd.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/opscenterd.conf
  • Tarball installations: install_location/conf/opscenterd.conf

Prerequisites

  • If using 256-bit encryption key strength, upgrade the JRE with enhanced security jar files. Download and install the Java Cryptography Extension (JCE), unzip the jar files, and place them under $JAVA_HOME/jre/lib/security.

Procedure

  1. In your opscenterd directory, run the system tool to create the key with the desired mode and key strength:
    • For package installations, run the system tool with sudo.
      sudo bin/opscenter_system_key_tool create ECB 128
    • For tarball installations, run the system tool without sudo.
      bin/opscenter_system_key_tool create ECB 128
    By default, the system key is named opsc_system_key and is located in the same directory as your opscenterd.conf.
    The name of the system key and the path to the encryption key are configurable in both opscenterd.conf and address.yaml. The options in address.yaml take precedence.
    [security]
    config_encryption_active = True
    config_encryption_key_name = opsc_system_key
    config_encryption_key_path =
    The only fields you might need to enter in address.yaml are config_encryption_key_name and config_encryption_key_path, and only if you place the key in a non-standard location on the agents.
    [security] config_encryption_active
    Specifies whether OpsCenter should attempt to decrypt sensitive config values.
    [security] config_encryption_key_name
    Name of the system key used to encrypt/decrypt stored passwords.
    [security] config_encryption_key_path
    Path to the encryption key.
    If left blank, the directory of opscenterd.conf will be used.
  2. For any package installation, change the owner of the new key file to the opscenter user:
    sudo chown opscenter:opscenter /etc/opscenter/opsc_system_key
  3. Manually copy the system key file to the agent for each node. The key file must reside in the same directory as the address.yaml for the agent.
    • For package installations, copy the key to ../etc/datastax-agent/.
      cp local/opsc_system_key ../etc/datastax-agent/
    • For tarball installations, copy the key to ../agent/local.
      cp local/opsc_system_key ../agent/local
  4. Stop OpsCenter and stop the agents.
  5. Restart OpsCenter and the agents.
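As an added example that is not part of OpsCenter or its tooling, the POSIX shell helpers below cover the two things this procedure leaves to the operator: working out where the key is expected (address.yaml settings win over opscenterd.conf, and a blank config_encryption_key_path means the directory of the configuration file) and staging a copy of the key on an agent so that it is owner-read/write only and byte-for-byte identical to the original. Assumptions: the key is a regular file; the agent's key directory is the directory holding address.yaml (package: /var/lib/datastax-agent/conf, tarball: install_location/conf); and the optional OWNER argument is an account name you supply, since the agent's service account is not stated on this page.

```sh
#!/bin/sh
# Added example, not OpsCenter's own tooling. Helpers for resolving the
# expected system key location and for staging the key on an agent with
# owner-only permissions. See the assumptions in the lead-in above.

# pick_setting ADDR_VALUE CONF_VALUE DEFAULT
# address.yaml takes precedence over opscenterd.conf; an empty value falls
# through to the next candidate.
pick_setting() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    else printf '%s\n' "$3"
    fi
}

# resolve_key_path CONF_DIR KEY_NAME KEY_PATH
# A blank config_encryption_key_path means "the directory of the config file".
resolve_key_path() {
    conf_dir=$1; key_name=$2; key_path=$3
    [ -n "$key_path" ] || key_path=$conf_dir
    printf '%s/%s\n' "${key_path%/}" "$key_name"
}

# agent_key_dir INSTALL_TYPE [INSTALL_LOCATION]
# The key must live next to the agent's address.yaml (assumed layout).
agent_key_dir() {
    case $1 in
        package) printf '%s\n' /var/lib/datastax-agent/conf ;;
        tarball) [ -n "$2" ] || { echo "install_location required" >&2; return 1; }
                 printf '%s/conf\n' "${2%/}" ;;
        *)       echo "unknown install type: $1" >&2; return 1 ;;
    esac
}

# key_mode FILE: the ls(1) permission string, e.g. -rw-------
key_mode() { ls -ld "$1" | cut -c1-10; }

# stage_system_key SRC DEST_DIR [OWNER]
# Copies SRC into DEST_DIR, restricts it to the owner, verifies the copy
# matches the original, and optionally hands it to the agent account.
stage_system_key() {
    src=$1; dest_dir=$2; owner=$3
    [ -f "$src" ] || { echo "key not found: $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    dest="$dest_dir/$(basename "$src")"
    cp "$src" "$dest" || return 1
    chmod 600 "$dest" || return 1
    if ! cmp -s "$src" "$dest"; then
        echo "copy mismatch, removing $dest" >&2; rm -f "$dest"; return 1
    fi
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$dest" || return 1
    fi
    printf '%s\n' "$dest"
}
```

Typical use on a package-installed agent is `stage_system_key /path/to/opsc_system_key "$(agent_key_dir package)" AGENT_USER`, run with sudo so that chmod and chown succeed; the function prints the destination path on success and removes a mismatched copy rather than leaving a half-written key on the node.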