Encoding Configuration Properties

Starting with version 3.5.1 of OpenEMPI, you can encode sensitive configuration properties (such as passwords) in the property files for security reasons. To use this feature, you must encode the properties using the encoding utility that is included in the release and replace the plain text properties in the configuration file with their encoded counterparts. You must also modify the configuration of the OpenEMPI startup process to provide the password that it should use for decoding the properties at startup.

We illustrate the process with an example where the password for connecting to the database using JDBC is encoded. The password is stored in the jdbc.properties file in the conf directory of the OpenEMPI installation. Before the property is encoded, the section of the file that will be modified looks like the excerpt below.

jdbc.driverClassName=org.postgresql.Driver
jdbc.url=jdbc\:postgresql\://localhost/openempi
jdbc.username=openempi
jdbc.password=openempi

To encode the password parameter, we must use the propertyEncoder.sh (propertyEncoder.bat for Windows) utility located in the bin directory of the OpenEMPI installation. If you run the utility without any parameters, it will print out information about the parameters available.

Property Encoder takes the following options:
  -h or -help = Displays the help screen
  -c or -command <command> = Command can be encrypt or decrypt
  -p or -password <password> = Password to use
  -i or -input <input> = Text to encrypt or decrypt

To encode the password, which has the plain text value 'openempi', we use the invocation shown below. The encoding password used is 'password' for illustration purposes, but you must not use that as your encoding password in an actual instance of OpenEMPI.

$ bin/propertyEncoder.sh -c encrypt -p password -i openempi
Encrypted text: R/p+0UVsaD11ReBVrTr2/5C4q8MSY1tx
Ready to use text:  ENC(R/p+0UVsaD11ReBVrTr2/5C4q8MSY1tx)
$ bin/propertyEncoder.sh -c decrypt -p password -i R/p+0UVsaD11ReBVrTr2/5C4q8MSY1tx
Decrypted text: openempi

You can now replace the plain text JDBC password in the configuration file with the encoded version generated by the utility.

jdbc.driverClassName=org.postgresql.Driver
jdbc.url=jdbc\:postgresql\://localhost/openempi
jdbc.username=openempi
jdbc.password=ENC(R/p+0UVsaD11ReBVrTr2/5C4q8MSY1tx)

The last step in completing the configuration process for encoded properties is to tell OpenEMPI what password it should use for decoding encoded properties at startup. To do that, you must modify the setenv.sh file (setenv.bat in Windows) to specify the encoding password.

-Dopenempi.decoding.password=password

After OpenEMPI is started, it should automatically decode the encoded properties and use the decoded passwords.
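
To confirm that no secret was left in plain text after the steps above, the following audit script checks property files for sensitive-looking keys whose values are not in the ENC(...) form. It is an added example, not part of OpenEMPI or the original page; the key-name pattern (password, passwd, secret) is an assumption about which properties are sensitive.

```python
import re
import sys
from pathlib import Path

# Assumption: a key whose name contains one of these words holds a secret.
SENSITIVE_KEY = re.compile(r"password|passwd|secret", re.IGNORECASE)
# Encoded values use the ENC(...) wrapper printed by propertyEncoder.
ENCODED_VALUE = re.compile(r"ENC\([A-Za-z0-9+/=]+\)")
# key, '=' or ':' separator, value; a backslash escapes the next key character.
PROPERTY_LINE = re.compile(r"((?:\\.|[^=:\s\\])+)\s*[=:]\s*(.*)")

# Sample input: the unencoded jdbc.properties excerpt shown on this page.
SAMPLE = """\
jdbc.driverClassName=org.postgresql.Driver
jdbc.url=jdbc\\:postgresql\\://localhost/openempi
jdbc.username=openempi
jdbc.password=openempi
"""


def find_plaintext_secrets(text):
    """Return [(line_number, key)] for sensitive keys not wrapped in ENC(...).

    Values are never returned, so the report does not repeat a secret.
    Line continuations (trailing backslash) are not handled.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        match = PROPERTY_LINE.fullmatch(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if SENSITIVE_KEY.search(key) and value and not ENCODED_VALUE.fullmatch(value):
            findings.append((number, key))
    return findings


if __name__ == "__main__":
    # Audit the files named on the command line, or the sample if none are given.
    # latin-1 (ISO-8859-1) decodes any byte sequence found in a .properties file.
    sources = {p: Path(p).read_text(encoding="latin-1") for p in sys.argv[1:]}
    for name, text in (sources or {"sample": SAMPLE}).items():
        for number, key in find_plaintext_secrets(text):
            print(f"{name}:{number}: {key} is not ENC(...) encoded")
```

Because setenv.sh holds the decoding password in plain text and the utility can decrypt any ENC(...) value with it, the read permissions on that file are worth checking alongside the property files.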