Heya,
I can see there is a way to encrypt data in the graph file via the GUI (e.g., database passwords), but we are creating a graph file outside of the GUI. Can you point me to any examples on Clover’s method for encrypting a string in Java code (so I can then put it into my graph)?
Thanks!
Anna
Took a little digging, but I thought I’d post the solution in case others have to create graphs programmatically.
1. Encrypt the password string using the org.jetel.util.crypto.Enigma class.
2. In the element, set the attribute passwordEncrypted to true.
3. When you run the graph, use the -pass option with the same seed used to encrypt the data.
Thats all…
Anna
Heya,
Hrm. We also have a password in our MySQL Bulk Loader node, but I do not see any attribute in that which is equivalent to passwordEncrypted. Is there a way to encrypt the password in a bulk loader node?
Thanks,
Anna
Hello Anna.
No, there is no way to encrypt passwords in bulk loaders. DB connection password encrypting is currently little bit deffered feature, without further advancement. This functionality should be in future handled only by Clover Server.
Please, consider to use classical parametrization by our graph parameters ${password}. And the password can be passed via command line
-P:password=<my_secret_password>
Is this solution acceptable for you?
Martin
Heya Martin,
Thank you for your reply.
We would rather not pass it on the command line because then it is visible when you view the processes on a LINUX/UNIX machine. We are OK with the encryption password being on the command line because we are randomly generating it and it is only good for a single graph.
I am a little concerned that you state that “this functionality should be in future handled only by Clover Server.” Which functionality are you referring to? Bulk loading or password encryption? We are using both connection and bulk loading in our application, but consider passwords in the clear to be a security issue. Are you planning to make password encryption a feature of Clover Server only?
Thanks,
Anna
Heya,
We’ll have to use the parameterization for now, but is there any furhter information on my question about encryption and the Clover Server? Is this somthing that will only be availabe in the commercial product?
Thanks,
Anna
If you want to hide the real password passed on command line, you can create one-line shell script, which just runs the graph with the secret password. And then just set the unix file permission so that nobody can read or write the script, however everyone can execute them. What about this solution?
Heya,
I will check with my team - I suspect they’d prefer parameterization rather than a clear password in a file on the server because at least the command line will disappear after the job is run. I know that only the user (or root) would have access to the file if the permissions are set properly, but security audits would probably ding us anyways.
I really appreciate your team’s suggestions - security is a pain to deal with sometimes. :mrgreen:
Thanks,
Anna