Categories

Versions

You are viewing the RapidMiner Server documentation for version 9.7 -Check here for latest version

Securing the passwords in standalone.xml

By default, the passwords instandalone.xml, the JBoss configuration file located in theRapidMiner Server home directory, are saved as plaintext. To secure these passwords, you must take additional steps, described below.

The standard vault solution provided by JBoss encrypts passwords using a private key and stores them in a secure vault file. The vault tool can be found at the following location:

  • /bin/vault.sh(Linux)
  • /bin/vault.bat(Windows)

For additional information, see theJBoss documentationor theJBoss documentation for Windows.

Create a Java keystore

To encrypt the passwords, the first step is to create a Java keystore to store the encryption key. The key will then be used to encrypt the vault. We’ll use thekeytoolcommand located in your$ JAVA_HOME /本folder. You can use the following command:

keytool-genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -keystore /root/securefolder/vault.jks -storepass rapidminer -keypass rapidminer -dname "CN=MyName, OU=MyTeam, O=MyOrganization, L=MyLocation, ST=MyCity, C=US"

Please note that:

  • thestoretypeshould be "jceks".
  • thekeystore, set to/root/securefolder/vault.jksin the example above, is any file name in a path that is accessible to the user running RapidMiner Server.
  • storepassandkeypassmust be the same, because the vault tool requires it.
  • thekeysizeshould be 128 bits if the Java Cryptography Extension (JCE) is not installed. Alternatively, you can install the JCE and use 256 bits.
  • aliasis an arbitrary word, set to "vault" in the example. It identifies the private key entry in the keystore that is used for the encryption.
  • thednameparameter contains organizational data like name, location, city, country, etc.

Use the Vault Tool scripts to store a password in the vault

Once we have the private key, we can create the vault (the encrypted password database) using the command line tool (vault.shorvault.bat). The execution is interactive and it will request the location of the keystore (the path/root/securefolder/vault.jks在上面的示例中),别名(在我们的e“金库”xample), its password, and a folder where the vault file will be stored. After providing this data, you can manage the passwords.

It’s also possible to create the vault and add a password in a non-interactive way:

bin/vault.sh -k /root/securefolder/vault.jks -p passwordForTheVault -e /root/securefolder -i 50 -s 12345678 -v vault -b blockName -a attributeName -x thisIsThePassword

The -s parameter is a “salt” (a seed) needed for the encryption and -v is the alias. The block and the attribute will later identify your password.

During the creation of the vault, you will get configuration fragments like this:

Please take note of the following:

Masked Password: MASK-1v6/ARucwcWaCt1l2FkYSH salt:12345678 Iteration Count:50

and this:

Please take note of the following:

Vault Block:blockName Attribute Name:mysql Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0L Configuration should be done as follows: VAULT::blockName::mysql::N2NhZDYzOTMtNWE0OS00ZGQ0L

Copy the output to the standalone.xml file

The output should be copied into thestandalone.xmlconfiguration file (/configuration/standalone.xml) in the following way:

...          ...

Every time a password is required instandalone.xml, you should replace it by a token such as the one that appears above, as follows:

${VAULT::blockName::mysql::N2NhZDYzOTMtNWE0OS00ZGQ0L}