8.11.5 Using Passwords in External Reference
In the Database profile and for several different agents, you can use passwords from External Reference profiles.
The password values must be represented by a string that has been encrypted with the mzsh encryptpassword command.
When using the mzsh encryptpassword command you can use keys that have been generated using the Java standard tool keytool. The keys to be used are determined using aliases, and if no alias is used, the default key is used for the encryption. See the JDK product documentation for further information about using keytool in different scenarios.
Note!
You have to use the storetype JCEKS.
If aliases are to be used, the full path and password to the keystore have to be indicated by including the Platform properties mz.cryptoservice.keystore.path and mz.cryptoservice.keystore.password in the Platform instance. See 2.6 System Properties in the System Administration Guide for further information about these properties. The keystore must also contain keys for all the aliases you want to use.
Note!
The same keytool can be used for generating keys for RCP encryption. However, these keys are of a different type and cannot be used for External References.
Example - Encrypting passwords with crypto service keystore keys
This is an example of how passwords can be encrypted with crypto service keystore keys:
Create a security key with the keytool:
keytool -genseckey -alias myAlias -keyalg AES -keystore myKeystore.jks -keysize 128 -storepass myKeystorePassword -storetype JCEKS
Note!
If you enter a -keysize that is larger than 128, you may get a message saying that the JCE Unlimited Strength Jurisdiction Policy Files need to be installed. See the Oracle product documentation for further information about this.
The -storepass flag is optional. If you do not enter a -storepass, you will be prompted for a password.
-storetype JCEKS is mandatory.
You will be prompted whether you want to use the same password for the key as for the keystore; using the same password is required.
Place the keystore in a suitable directory.
Encrypt the password to the keystore using the mzsh encryptpassword command with the default key:
mzsh mzadmin/<password> encryptpassword myKeystorePassword
The encrypted password is returned.
Set the Platform properties mz.cryptoservice.keystore.path and mz.cryptoservice.keystore.password:
$ mzsh topo set topo://container:<platform container>/pico:platform/obj:config.properties '{ mz.cryptoservice.keystore.path="<suitable directory>/myKeystore.jks" mz.cryptoservice.keystore.password="<the encrypted password>" }'
Encrypt the passwords with aliases that you want to use in your external references:
mzsh mzadmin/<password> encryptpassword -a myAlias <passwordToEncrypt>
Use the returned password string as a value in your External Reference source, i.e. a file or an environment variable.
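The procedure above depends on two things being true at deployment time: the keystore is of type JCEKS, and it contains a secret key for every alias that External Reference passwords were encrypted with. The following script is an added example, not part of the MediationZone documentation or product, that checks both before the Platform is started. The keystore path, keystore password and alias names are passed in as arguments; the script assumes keytool is on the PATH and uses only POSIX shell tools. It also flags a keystore that is readable by other users, since that file protects every External Reference password.

```shell
#!/bin/sh
# Added example (not from the MediationZone documentation): pre-deployment
# checks for a crypto service keystore used by External References.
# Assumed inputs: keystore path, keystore password, and the aliases that
# External Reference passwords were encrypted with (-a <alias>).

# True when the file is readable by "other" users. The keystore holds the
# keys that protect every External Reference password, so it should be
# readable only by the account that runs the Platform.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print the keytool listing of a JCEKS keystore. Fails (non-zero) when the
# file is not JCEKS or the password is wrong. Note that -storepass on the
# command line is visible in the process list; omit it to be prompted.
list_aliases() {
    keytool -list -keystore "$1" -storetype JCEKS -storepass "$2" 2>/dev/null
}

# Given a keytool listing (first argument) and the required aliases, print
# every alias that has no SecretKeyEntry. keytool stores aliases
# case-insensitively and prints them in lower case, so compare lower case.
missing_aliases() {
    listing=$1; shift
    for name in "$@"; do
        lc=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$listing" | grep -q "^$lc, .*SecretKeyEntry" \
            || printf '%s\n' "$name"
    done
}

# Run all checks. Returns 0 when the keystore opens as JCEKS and every alias
# is present, 1 when aliases are missing, 2 when the keystore cannot be opened.
check_keystore() {
    ks=$1; pw=$2; shift 2
    if world_readable "$ks"; then
        echo "WARNING: $ks is world-readable; restrict it to the Platform user"
    fi
    listing=$(list_aliases "$ks" "$pw") || {
        echo "ERROR: cannot open $ks as a JCEKS keystore (wrong -storetype or password?)"
        return 2
    }
    missing=$(missing_aliases "$listing" "$@")
    if [ -n "$missing" ]; then
        echo "ERROR: no secret key for alias(es):"
        echo "$missing"
        return 1
    fi
    echo "OK: $ks is JCEKS and contains all $# alias(es)"
}

# Usage: sh check_keystore.sh myKeystore.jks myKeystorePassword myAlias [more aliases]
if [ "$#" -ge 3 ]; then
    check_keystore "$@"
fi
```

Run it with the same keystore, password and aliases you used in the keytool and mzsh encryptpassword steps; a non-zero exit means an External Reference password would fail to decrypt once the Platform reads it.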