Gluent Data Platform Environment File Passwords

Introduction

Password Tool is used to encrypt passwords held in Gluent Data Platform configuration files. It is invoked using the pass_tool binary located in the $OFFLOAD_HOME/bin directory and performs two actions:

  1. Create a Password Key File

  2. Create an Encrypted Version of a Password

Create a Password Key File

To encrypt passwords in the configuration file, a password key file must first be populated with an encryption key. When creating the key file, the user is prompted to provide a passphrase. The passphrase is case-sensitive and is not stored by pass_tool.

The following example demonstrates how to create a password key file using the --keygen and --keyfile options.

$ $OFFLOAD_HOME/bin/pass_tool --keygen --keyfile=$OFFLOAD_HOME/conf/gluent_secret.key
Enter passphrase to generate key:
Verifying - Enter passphrase to generate key:
Created key file /u01/app/gluent/offload/conf/gluent_secret.key

Note

The password key file is protected by operating system file permissions. Care should be taken to protect this file and its permissions. It is recommended that the password key file and Offload configuration file are not backed up to the same backup media.

Create an Encrypted Version of a Password

Password Tool is used to generate an encrypted version of a password for use in a Gluent Data Platform configuration file. Before encrypting a password, a password key file must first be created as shown in Example 6 above. Password Tool prompts for a clear-text, case-sensitive password as input and produces an encrypted password string as output.

The following example demonstrates how to generate an encrypted version of a password using the --encrypt option of pass_tool:

$ $OFFLOAD_HOME/bin/pass_tool --encrypt --keyfile=$OFFLOAD_HOME/conf/gluent_secret.key
Enter password to be encrypted:
Verifying - Enter password to be encrypted:
Encrypted password: Xzc62DK/EfdklSa5UxY0TA==
Use the encrypted password in offload.env
It is also required to add the following to offload.env:
export PASSWORD_KEY_FILE=/u01/app/gluent/offload/conf/gluent_secret.key

The corresponding value in the configuration file should be replaced with the encrypted string and the PASSWORD_KEY_FILE should be added (if not already present).

Update Gluent Environment File

The following example demonstrates the relevant entries in the Gluent Data Platform configuration file before and after encryption.

Initial settings before encryption:

export HIVE_SERVER_PASS='A_s3cr3t'
export ORA_APP_PASS='An0th3r_s3cr3t'
export ORA_ADM_PASS='M0r3_s3cr3ts'
export DATAD_WEB_PASS='B_s3cr3t'
export SNOWFLAKE_PASS='C_s3cr3t'

Configuration settings after encryption:

export HIVE_SERVER_PASS='nw5tB2msQmQxliTN9xCokQ=='
export ORA_APP_PASS='VeeJ9r8MYucEQssqz/IsNw=='
export ORA_ADM_PASS='dC+YZpwK4ssHMOw3rcB73Q=='
export DATAD_WEB_PASS='TN9Ow3rcucEQssB2mK4s3r=='
export SNOWFLAKE_PASS='pwK4ssw5txliTN9/r8MYuZ=='
export PASSWORD_KEY_FILE=/u01/app/gluent/offload/conf/gluent_secret.key

This technique applies to all password values supplied via the configuration items listed below:

Mixing encrypted and unencrypted values is not supported: if PASSWORD_KEY_FILE is specified, all password values are expected to be encrypted strings.
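A check for the two conditions above, added here as an example and not part of Gluent's documentation or tooling: the password key file is accessible only to its owner, and no password value is left unencrypted once PASSWORD_KEY_FILE is set. It assumes password settings are "export NAME_PASS=..." lines and that encrypted values are base64 strings like those shown on this page; the function names audit_offload_env, env_value and looks_encrypted are chosen for this example.

```shell
#!/bin/sh
# Added example: audit offload.env by parsing it, never by sourcing it.
# Assumptions: password settings are "export NAME_PASS=..." lines, and an
# encrypted value is base64 like the strings pass_tool prints on this page.
# A clear-text password that happens to be valid base64 is not detected.

# Print the value of "export $2=..." in file $1 with quotes stripped.
env_value() {
    sed -n "s/^export $2=//p" "$1" | tail -n 1 | tr -d "'\""
}

# Succeed if $1 has base64 shape: length a multiple of 4, base64 alphabet.
looks_encrypted() {
    [ $(( ${#1} % 4 )) -eq 0 ] &&
        printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Audit the offload.env at $1; print findings and return how many there are.
audit_offload_env() {
    findings=0
    key_file=$(env_value "$1" PASSWORD_KEY_FILE)
    if [ -z "$key_file" ]; then
        echo "FINDING: PASSWORD_KEY_FILE is not set, password values are clear text"
        return 1
    fi
    if [ ! -f "$key_file" ]; then
        echo "FINDING: key file $key_file does not exist"
        findings=$((findings + 1))
    else
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$key_file" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FINDING: key file is accessible to group or other ($perms)"
            findings=$((findings + 1))
        fi
    fi
    # With PASSWORD_KEY_FILE set, every password value must be encrypted.
    for name in $(sed -n 's/^export \([A-Z_]*_PASS\)=.*/\1/p' "$1" | sort -u); do
        if ! looks_encrypted "$(env_value "$1" "$name")"; then
            echo "FINDING: $name does not look like an encrypted string"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Call it as audit_offload_env /path/to/offload.env; the exit status is the number of findings, so 0 means the file passed.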

Important

Any changes made to the Gluent Data Platform environment file (offload.env) must be propagated across all installations.
