Contents
This topic describes how to encipher passwords and the value of certain name-value pairs in the StreamBase Server configuration file so that they do not appear as clear text in the file.
To connect a StreamBase application to a supported database, you must provide a HOCON configuration file of type type javaengine. In these files, you usually must provide a full JDBC connection string, including the username and password of user authorized to access the database.
This leaves the database login name and password visible in clear text in the configuration file, readable by anyone with access to the file. You can instead encipher the name and password with the sbcipher command, and then insert the enciphered version of the name and password in the configuration file.
The following shows partial example configuration entry for access to a Microsoft SQL Server database. (The full example is on JDBC Data Source Overview.)
...
configuration = {
"JDBCDataSource" = {
driverClassName = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
serverURL = "jdbc:sqlserver://mssql2012.lab.streambase.com\\DBname"
userName = "sqluser"
password = "Secr3t1ve"
operationTimeoutMilliseconds = 200000
...To preserve the privacy of this information, you can encipher the login name and password, using sbcipher commands at a StreamBase-configured shell prompt for macOS and Linux, or the StreamBase Command Prompt on Windows.
For example, first encipher the username:
sbcipher -c sqluser
This command returns:
jbWZzLOJupC1qI7T9d7VRLbXH5RwMJauuQinFLq5jKbhsZB0qUzueF5YS5 eQLdfiN2uc3SEeXlyS3A9umPwGxA
(The enciphered strings returned are shown in these examples with line breaks inserted for publication clarity. The string returned is actually a single unbroken string.)
Now, encipher the password:
sbcipher -c Secr3t1ve
This command returns:
aSCxFiNjVZ4CbcssDUU9QS345DXyn393GX+lp0JH7EN12T02fgz672/91 ItbTYMK4A0t12CJNPfvK3EEVt/r+Q==
Note
To use these values in a HOCON configuration file, you must prefix the enciphered string with #! as shown below.
Now, edit the configuration file to add the enciphered attribute, and to specify the enciphered strings returned to standard output by the sbcipher command. For example:
...
configuration = {
"JDBCDataSource" = {
driverClassName = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
serverURL = "jdbc:sqlserver://mssql2012.lab.streambase.com\\DBname"
userName = "#!jbWZzLOJupC1qI7T9d7VRLbXH5RwMJauuQinFLq5jKbhsZB0qUzueF5YS5
eQLdfiN2uc3SEeXlyS3A9umPwGxA"
password = "#!aSCxFiNjVZ4CbcssDUU9QS345DXyn393GX+lp0JH7EN12T02fgz672/91
ItbTYMK4A0t12CJNPfvK3EEVt/r+Q=="
operationTimeoutMilliseconds = 200000
...The following shows one line from a configuration file for a MySQL database. In this case, the database login name and password are embedded in the JDBC connection string, not in separate lines:
serverURL = "jdbc:mysql://mysql.example.com:3306/qa?user=nonnymouse&password=secret"For databases like MySQL that embed the user name and password in the connection string, you must encipher the entire URI value with steps like the following:
-
First rewrite the connection string without XML entities or URL encoding. For example, the
&between the user and password entries in the example above is necessary in the context of the server configuration file's XML, but is unnecessary and incorrect in the context of an enciphered connection string. Changing the&to&, the connection string becomes:serverURL = "jdbc:mysql://mysql.example.com:3306/qa?user=nonnymouse&password=secret"
-
Now pass this converted string to sbcipher –c. Use quotes around the URI to escape the shell's interpretation of the question mark and ampersand in the URI string. For example:
sbcipher -c "jdbc:mysql://mysql.example.com:3306/qa?user=nonnymouse&password=secret"
-
This command returns:
i0pQ4FS0lrO5svtsGDPmJjqvBZ1xpZRHmozmD5EmKXWM25lR/m8p9t WsLoXiC4BDvabsM3xfRLWsjdonC9dy3sd3i1EUwAq2rJZBNZ6dmg3xAyTYAOKUk1KMXH QIH+1nJYkwKajo1adTqxRUHLjF9i2jKCRgzT6dG1CAx7zGfwo00ynGccYzRUVwgRav/AF /2sIvSVqeLkPow28ve7mwFHR/Q/Al7Bgzrr0bQ/ZdlwJ+4Qx2ibU0Mx1lxXQpiS3Gj4U30 EddAssTejs3afHSN0zJdDGZVprSe/DAQrI1Wman4QQIoOg/czFtpHicJa2ysZX3HDbele /dC8sj+Ly3MFWDi/tOUbNvFLhOQxS5RBGTtcb1SFJBZfq7lf/DbUu2QvX/4EzQCO5q7iC Z2hOsDivwuiV4R9Akzv68E5LQFA9qnc3weWb+TmsR4iAUaijECohUguAGBy4H/LxGTUM Lir0Tek90Zcea73q5zzmJl204L760XhWu7TPwi8qZvkqxVTcb73qLQQGEqynL+sLtmV/ aOfGGqZfaOPA0ZeVg3JEGPqOxB+r2LkbN//zBGqw60JfCRqTMmBe4d62qt+VUzhDNV 3rovjbz5eif4q22leD6gnxdaOr9l/ADlysmuFJEZ7qHqeVt9j5LxFZNYTiHrdBYh1DG Le9P1RvUv2noMik=
-
Now, edit the configuration file as before to add the
encipheredattribute, and to specify the enciphered string returned from sbcipher, prefixing the string as before with#!.serverURL = "#!i0pQ4FS0lrO5svtsGDPmJjqvBZ1xpZRHmozmD5EmKXWM25lR/m8p9t WsLoXiC4BDvabsM3xfRLWsjdonC9dy3sd3i1EUwAq2rJZBNZ6dmg3xAyTYAOKUk1KMXH QIH+1nJYkwKajo1adTqxRUHLjF9i2jKCRgzT6dG1CAx7zGfwo00ynGccYzRUVwgRav/AF /2sIvSVqeLkPow28ve7mwFHR/Q/Al7Bgzrr0bQ/ZdlwJ+4Qx2ibU0Mx1lxXQpiS3Gj4U30 EddAssTejs3afHSN0zJdDGZVprSe/DAQrI1Wman4QQIoOg/czFtpHicJa2ysZX3HDbele /dC8sj+Ly3MFWDi/tOUbNvFLhOQxS5RBGTtcb1SFJBZfq7lf/DbUu2QvX/4EzQCO5q7iC Z2hOsDivwuiV4R9Akzv68E5LQFA9qnc3weWb+TmsR4iAUaijECohUguAGBy4H/LxGTUM Lir0Tek90Zcea73q5zzmJl204L760XhWu7TPwi8qZvkqxVTcb73qLQQGEqynL+sLtmV/ aOfGGqZfaOPA0ZeVg3JEGPqOxB+r2LkbN//zBGqw60JfCRqTMmBe4d62qt+VUzhDNV 3rovjbz5eif4q22leD6gnxdaOr9l/ADlysmuFJEZ7qHqeVt9j5LxFZNYTiHrdBYh1DG Le9P1RvUv2noMik=
StreamBase deciphers enciphered values using an industry-standard client key plus server key system. The examples in the previous section work as shown because the sbcipher command contains an embedded client key, and the server mechanism in EventFlow fragment contains an embedded server key. These embedded keys are stored in clear text in their respective commands, and are the same for all StreamBase installations. The embedded keys are not password protected.
There are actually two sets of embedded key pairs. One pair has a modulus length of 512 bits, while the other pair has 4096 bits. When your sbcipher command requests encipherment of a text string of less than 50 characters, the 512 bit key pair is used. When enciphering longer strings, the 4096 bit key pair is used.
The keys are stored in the /etc folder of your StreamBase installation.
You are not restricted to enciphered userName, password, and JDBC connection string values. Any string value in a HOCON configuration file can be enciphered.
As described above, the key pair embedded in the sbcipher command and in the StreamBase server mechanism is the same for all StreamBase installations as shipped, and is not password-protected. You can instead ask sbcipher to generate your own site-specific pair of keys. You cannot use keys generated with another encipherment technology; only keys generated with sbcipher are understood by the StreamBase server.
To generate a key pair, use sbcipher's -g option, and specify a file name to serve as the base name for the generated keys. You can specify a path to the file base
name, as shown in the following examples:
sbcipher -g myCompanyKey sbcipher -g /home/sbapps/myKey (UNIX path) sbcipher -g c:\sbapps\cipherKey (Windows path)
Generated keys have a bit size of 512 by default. You can optionally specify a longer bit size by adding the -s option with an argument of 512, 1024, 2048, or 4096. For example:
sbcipher -g myCompanyKey -s 2048
The sbcipher -g command generates one client and one server key, named basename.sbcipherbasename.server
myCompanyKey.sbcipher
myCompanyKey.server
Specify the generated client key with the -k option when enciphering strings with -c. For example:
sbcipher -c "orauser" -k myCompanyKey.sbcipher
This generates an enciphered value that can only be unlocked with the corresponding server key generated at the same time. The next section describes how to tell the StreamBase server and StreamBase Studio to use the server key.
If you have generated a client-server key pair as described in the previous section, you must configure both StreamBase Server and StreamBase Studio to use your server key when deciphering enciphered values encountered in the configuration file.
To use your generated server key in place of the embedded server key to decipher all enciphered values, specify the path to
your server key file with the streambase.security.key-file system property. Use the systemProperties object in a configuration file of type sbengine, in the root object StreamBaseEngin:
...
StreamBaseEngine = {
systemProperties = {
"streambase.security.key-file" = "/path/to/myCompanyKey.server"
...When you specify one server key file, you override and disable the default embedded server key. You can preserve the embedded server key while also using a generated server key as described below.
You can specify a comma-separated list of server keys. In this case, when the StreamBase server encounters an enciphered value in the configuration file, it tries to decipher using each server key in the order listed. For example:
...
StreamBaseEngine = {
systemProperties = {
"streambase.security.key-file" = "myCompanyKey.server,cipherKey.server"
...This feature allows you to encipher different portions of the configuration file for different purposes. For example, your site's database administrators may prefer to keep private a particular database's login name and password. You can provide them with the sbcipher command so they can encipher those values and return to you only the enciphered strings, plus a pair of client and server key files.
When you specify one or more server key files with the streambase.security.key-file system property, you disable the embedded server key described in Enciphering with the Embedded Key Pair. However, there is a way to continue using the embedded keys for some purposes, but use a generated server key for other
purposes.
Two files containing the embedded server keys are delivered with your StreamBase installation. Locate these files in the /etc folder of your StreamBase installation with the following names:
streambase-embeddedkey-512.server
streambase-embeddedkey-4096.server
You can specify one or both of these server key files in your list of server keys in the streambase.security.key-file system property. For example:
...
StreamBaseEngine = {
systemProperties = {
"streambase.security.key-file" = "/path/to/myCompanyKey.server,
${STREAMBASE_HOME}/etc/streambase-embeddedkey-512.server"
...Assuming the server's environment has the STREAMBASE_HOME variable set, this directive says to decipher enciphered values using the myCompanyKey.server key first, then try using the default embedded 512-bit key.
StreamBase Studio needs to decipher enciphered values under two circumstances:
-
When it attempts to typecheck an operator that uses enciphered values. For example, a JDBC Query operator might use enciphered name and password values when connecting to a JDBC data source.
-
When it attempts to run or debug an application, either locally or remotely.
If the configuration file has values enciphered with the default embedded keys, then Studio can successfully typecheck operators, and can successfully launch and run applications normally.
However, if the configuration file has values enciphered with custom generated keys, Studio must know where to locate the
server key or keys used when enciphering the values. Specify the location of custom generated server keys to Studio using
the streambase.security.key-file system property specified as part of the STREAMBASE_STUDIO_VMARGS environment variable. You must set the value in this environment variable before starting Studio.
Set this variable as described in STREAMBASE_STUDIO_VMARGS. When adding the streambase.security.key-file system property, remember to re-specify the default -Xms and -Xmx arguments, as shown in the following example:
STREAMBASE_STUDIO_VMARGS=-Xms256M -Xmx768M \
-Dstreambase.security.key-file=/path/to/myCompanyKey.serverKeep in mind the following points when using the encipherment feature:
-
The StreamBase server is not a secure environment. The encipherment feature described on this page does not provide strong encryption of passwords and parameter values. On startup, the StreamBase server deciphers any enciphered values it encounters in the configuration file, and thereafter stores and uses the deciphered plain text version of these values in internal buffers.
-
The value of the default embedded server keys is readily available in the
.serverfiles in the installation's/etcfolder, as well as in the JAR files that implement the sbcipher command. -
When reporting connection errors to the console or error logs, the server often includes details about the connection it attempted. Those error messages may include the deciphered plain text value of usernames, passwords, and other enciphered parameter values.
-
If the server fails to decipher any enciphered value, it continues to load and run, and reports the error on the console. The decipher failure message includes the still-enciphered value string, plus information to identify the value it was attempting to decipher.
-
If the server fails to decipher an enciphered value that is part of a JDBC configuration specification, then the server still attempts to connect to the database, using the enciphered values for name and password instead of the correct deciphered values. As expected, this results in login failure messages returned from the database.
-
The Feed Simulation Editor in Studio allows you to specify a JDBC database as the source of simulated input stream values. The encipherment feature is not supported with feed simulation data source connections.
-
Deciphering enciphered values is only supported for values in the server configuration file, and not for the separate configuration files used by some StreamBase adapters. However, if you can specify the name and password for an adapter's connection by means of operator parameters, then you can encipher those values, as discussed in Using Enciphered Values in Configuration Files.