Gluent Data Platform Environment File Passwords
Introduction
Password Tool is used to encrypt passwords held in Gluent Data Platform configuration files. It is invoked using the pass_tool binary located in the $OFFLOAD_HOME/bin directory and performs two actions:
Create a Password Key File
To encrypt passwords in the configuration file, a password key file must first be populated with an encryption key. When creating the key file, the user is prompted to provide a passphrase. The passphrase is case-sensitive and is not stored by pass_tool.
The following example demonstrates how to create a password key file using the --keygen and --keyfile options.
$ $OFFLOAD_HOME/bin/pass_tool --keygen --keyfile=$OFFLOAD_HOME/conf/gluent_secret.key
Enter passphrase to generate key:
Verifying - Enter passphrase to generate key:
Created key file /u01/app/gluent/offload/conf/gluent_secret.key
Note
The password key file is protected by operating system file permissions. Care should be taken to protect this file and its permissions. It is recommended that the password key file and Offload configuration file are not backed up to the same backup media.
Create an Encrypted Version of a Password
Password Tool is used to generate an encrypted version of a password for use in a Gluent Data Platform configuration file. Before encrypting a password, a password key file must first be created as shown in Example 6 above. Password Tool prompts for a clear-text, case-sensitive password as input and produces an encrypted password string as output.
The following example demonstrates how to generate an encrypted version of a password using the --encrypt option of pass_tool:
$ $OFFLOAD_HOME/bin/pass_tool --encrypt --keyfile=$OFFLOAD_HOME/conf/gluent_secret.key
Enter password to be encrypted:
Verifying - Enter password to be encrypted:
Encrypted password: Xzc62DK/EfdklSa5UxY0TA==
Use the encrypted password in offload.env
The following must also be added to offload.env:
export PASSWORD_KEY_FILE=/u01/app/gluent/offload/conf/gluent_secret.key
Replace the corresponding value in the configuration file with the encrypted string, and add the PASSWORD_KEY_FILE setting if it is not already present.
Update Gluent Environment File
The following example demonstrates the relevant entries in the Gluent Data Platform configuration file before and after encryption.
Initial settings before encryption:
export HIVE_SERVER_PASS='A_s3cr3t'
export ORA_APP_PASS='An0th3r_s3cr3t'
export ORA_ADM_PASS='M0r3_s3cr3ts'
export DATAD_WEB_PASS='B_s3cr3t'
export SNOWFLAKE_PASS='C_s3cr3t'
Configuration settings after encryption:
export HIVE_SERVER_PASS='nw5tB2msQmQxliTN9xCokQ=='
export ORA_APP_PASS='VeeJ9r8MYucEQssqz/IsNw=='
export ORA_ADM_PASS='dC+YZpwK4ssHMOw3rcB73Q=='
export DATAD_WEB_PASS='TN9Ow3rcucEQssB2mK4s3r=='
export SNOWFLAKE_PASS='pwK4ssw5txliTN9/r8MYuZ=='
export PASSWORD_KEY_FILE=/u01/app/gluent/offload/conf/gluent_secret.key
This technique applies to all password values supplied via the configuration items listed below:
Mixing encrypted and unencrypted values is not supported: if PASSWORD_KEY_FILE is specified, all password values are expected to be encrypted strings.
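The following shell check is an added example, not part of Gluent Data Platform or its documentation. It covers the two conditions described above: the key file must not be readable by group or other, and encrypted and clear-text password values must not be mixed. It assumes password settings are export lines whose names end in _PASS and that encrypted values are base64 strings like those shown; audit_offload_env and looks_encrypted are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of Gluent Data Platform. Assumptions: password settings
# are "export <NAME>_PASS='value'" lines; encrypted values are base64 strings.

# True when $1 is non-empty, base64 alphabet only, length a multiple of 4.
# Heuristic only: clear text that happens to fit this shape is not detected.
looks_encrypted() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# Print one line per finding for env file $1; return 0 only when there are none.
audit_offload_env() {
    env_file=$1
    findings=0
    # Parse the file instead of sourcing it, so nothing in it is executed.
    key_file=$(sed -n 's/^export PASSWORD_KEY_FILE=//p' "$env_file" | tail -n 1 | tr -d "'\"")
    if [ -z "$key_file" ]; then
        echo "PASSWORD_KEY_FILE is not set"
        findings=$((findings + 1))
    elif [ ! -f "$key_file" ]; then
        echo "key file missing: $key_file"
        findings=$((findings + 1))
    else
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$key_file" | cut -c5-10)" != "------" ]; then
            echo "key file accessible by group/other: $key_file"
            findings=$((findings + 1))
        fi
    fi
    pass_lines=$(sed -n 's/^export \([A-Za-z0-9_]*_PASS=.*\)$/\1/p' "$env_file")
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%=*}
        value=${line#*=}; value=${value#\'}; value=${value%\'}
        if ! looks_encrypted "$value"; then
            # Report the variable name only, never the value.
            echo "$name does not look encrypted"
            findings=$((findings + 1))
        fi
    done <<EOF
$pass_lines
EOF
    [ "$findings" -eq 0 ]
}
```

Run it as audit_offload_env $OFFLOAD_HOME/conf/offload.env after each change to the file; a non-zero exit status means at least one finding was printed.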
Important
Any changes made to the Gluent Data Platform environment file (offload.env) must be propagated across all installations.