You are viewing the RapidMiner Server documentation for version 9.7.
Securing the passwords in standalone.xml
By default, the passwords in standalone.xml, the JBoss configuration file located in the RapidMiner Server home directory, are saved as plaintext. To secure these passwords, you must take additional steps, described below.
The standard vault solution provided by JBoss encrypts passwords using a private key and stores them in a secure vault file. The vault tool can be found at the following location:
(Linux)/bin/vault.sh
(Windows)/bin/vault.bat
For additional information, see the JBoss documentation or the JBoss documentation for Windows.
Create a Java keystore
To encrypt the passwords, the first step is to create a Java keystore to store the encryption key. The key will then be used to encrypt the vault. We’ll use the keytool command located in your $JAVA_HOME/bin folder. You can use the following command:
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -keystore /root/securefolder/vault.jks -storepass rapidminer -keypass rapidminer -dname "CN=MyName, OU=MyTeam, O=MyOrganization, L=MyLocation, ST=MyCity, C=US"
Please note that:
- the storetype should be "jceks".
- the keystore, set to /root/securefolder/vault.jks in the example above, is any file name in a path that is accessible to the user running RapidMiner Server.
- storepass and keypass must be the same, because the vault tool requires it.
- the keysize should be 128 bits if the Java Cryptography Extension (JCE) is not installed. Alternatively, you can install the JCE and use 256 bits.
- alias is an arbitrary word, set to "vault" in the example. It identifies the private key entry in the keystore that is used for the encryption.
- the dname parameter contains organizational data like name, location, city, country, etc.
Use the Vault Tool scripts to store a password in the vault
Once we have the private key, we can create the vault (the encrypted password database) using the command line tool (vault.sh or vault.bat). The execution is interactive and it will request the location of the keystore (the path /root/securefolder/vault.jks in the example above), the alias ("vault" in our example), its password, and a folder where the vault file will be stored. After providing this data, you can manage the passwords.
It’s also possible to create the vault and add a password in a non-interactive way:
bin/vault.sh -k /root/securefolder/vault.jks -p passwordForTheVault -e /root/securefolder -i 50 -s 12345678 -v vault -b blockName -a attributeName -x thisIsThePassword
The -s parameter is a “salt” (a seed) needed for the encryption and -v is the alias. The block and the attribute will later identify your password.
During the creation of the vault, you will get configuration fragments like this:
Please take note of the following:
Masked Password: MASK-1v6/ARucwcWaCt1l2FkYSH
salt:12345678
Iteration Count:50
and this:
Please take note of the following:
Vault Block:blockName
Attribute Name:mysql
Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0L
Configuration should be done as follows:
VAULT::blockName::mysql::N2NhZDYzOTMtNWE0OS00ZGQ0L
Copy the output to the standalone.xml file
The output should be copied into the standalone.xml configuration file in the following way:
Every time a password is required in standalone.xml, you should replace it by a token such as the one that appears above, as follows:
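One way to check the result of the replacement step, as an added example that is not part of the RapidMiner documentation: it walks a standalone.xml and reports the location of every password-like element or attribute that still holds a plaintext value instead of a VAULT:: token or a MASK- value. The sample XML is constructed, the function names are hypothetical, and the ${...} wrapper around the token is assumed from JBoss expression syntax.

```python
import re
import xml.etree.ElementTree as ET

# ${VAULT::block::attribute::sharedKey}; the bare VAULT:: form is also accepted.
VAULT_REF = re.compile(r"^(\$\{)?VAULT::[^:{}]+::[^:{}]+::[^:{}]+(?(1)\})$")

def is_plaintext(value):
    """True for a non-empty value that is neither a vault token nor MASK-ed."""
    value = (value or "").strip()
    return bool(value) and not (VAULT_REF.match(value) or value.startswith("MASK-"))

def find_plaintext_passwords(xml_text):
    """Return the location (never the value) of each unprotected password."""
    findings = []

    def walk(elem, path):
        tag = elem.tag.split("}")[-1]              # drop any XML namespace
        label = elem.get("jndi-name") or elem.get("name")
        here = f"{path}/{tag}" + (f"[{label}]" if label else "")
        if "password" in tag.lower() and is_plaintext(elem.text):
            findings.append(here)                  # <password>secret</password>
        for name, value in elem.attrib.items():
            if "password" in name.lower() and is_plaintext(value):
                findings.append(f"{here}@{name}")  # <login password="secret"/>
        if "password" in (elem.get("name") or "").lower() and is_plaintext(elem.get("value")):
            findings.append(f"{here}@value")       # <vault-option name="..PASSWORD" value=..>
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

# Constructed sample, not a real standalone.xml; element names are illustrative.
SAMPLE = """<server>
  <vault>
    <vault-option name="KEYSTORE_URL" value="/root/securefolder/vault.jks"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-1v6/ARucwcWaCt1l2FkYSH"/>
  </vault>
  <datasource jndi-name="java:/ExampleDS">
    <security><password>${VAULT::blockName::mysql::N2NhZDYzOTMtNWE0OS00ZGQ0L}</password></security>
  </datasource>
  <datasource jndi-name="java:/LegacyDS">
    <security><password>thisIsThePassword</password></security>
  </datasource>
  <login name="mailer" password="thisIsThePassword"/>
</server>"""

if __name__ == "__main__":
    for location in find_plaintext_passwords(SAMPLE):
        print("plaintext password at", location)
```

Only locations are reported, so the output can be logged or attached to a ticket without exposing the passwords themselves.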