Creating a system key to encrypt sensitive configuration values
Create the system key that enables automatically or manually encrypting sensitive configuration values such as passwords. Copy the system key to the agent for each node.
Follow these instructions to create the system key that enables automatically or manually encrypting sensitive configuration values such as passwords. Copy the system key to the agent for each node. Optionally, configure a custom name for the opsc_system_key or a path to the key when placed in a non-default location. When adjusting configuration files for an existing cluster, manually encrypt the configuration values.
address.yaml
The location of the address.yaml file depends on the type of installation:- Package installations: /var/lib/datastax-agent/conf/address.yaml
- Tarball installations: install_location/conf/address.yaml
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
Prerequisites
- If using 256-bit encryption key strength, upgrade the JRE with enhanced security
jar files. Download and install the Java Cryptography Extension (JCE), unzip the
jar files, and place them under
$JAVA_HOME/jre/lib/security
.
Procedure
-
In your opscenterd directory, run the system tool to create the key with the
desired mode and key strength:
- For package installations, run the system tool with sudo.
bin/opscenter_system_key_tool sudo create ECB 128
- For tarball installations, run the system tool without sudo.
bin/opscenter_system_key_tool create ECB 128
By default, the system key is named opsc_system_key and is located in the same directory as your opscenterd.conf.The name of the system key and the path to the encryption key are configurable in both opscenterd.conf and address.yaml. The options in address.yaml take precedence.[security] config_encryption_active = True config_encryption_key_name = opsc_system_key config_encryption_key_path =
The only fields in address.yaml you might need to enter areconfig_encryption_key_name
andconfig_encryption_key_path
if you are placing the keys in a location that is not standard on the agents.- [security] config_encryption_active
- Specifies whether opscenter should attempt to decrypt sensitive config values.
- [security] config_encryption_key_name
- Name of the system key used to encrypt/decrypt stored passwords.
- [security] config_encryption_key_path
- Path to the encryption key.
- For package installations, run the system tool with sudo.
-
For any package installation, change the permissions for the new key to opscenter.
sudo chown opscenter:opscenter /etc/opscenter/opsc_system_key
-
Manually copy the system key file to the agent for each node. The key file must
reside in the same directory as the address.yaml for the
agent.
- For package installations, install the agent in ../etc/datastax-agent/.
cp local/opsc_system_key ../etc/datastax-agent/
- For tarball installations, install the agent in ../agent/local.
cp local/opsc_system_key ../agent/local
- For package installations, install the agent in ../etc/datastax-agent/.
- Stop OpsCenter and stop the agents.
- Restart OpsCenter and the agents.