Using Passwords in External Reference

Owned by Kevin Wu
Jun 15, 2023
2 min read

In the Database profile and for several different agents, you can use passwords from External Reference profiles.

The password values must be represented by a string that has been encrypted with the mzsh encryptpassword command.

When using the mzsh encryptpassword command you can use keys that have been generated using the Java standard tool keytool. The keys to be used are determined using aliases, and if no alias is used, the default key is used for the encryption. See the JDK product documentation for further information about using keytool in different scenarios.

Note!

You have to use the storetype JCEKS.

If aliases are to be used, the full path and password to the keystore has to be indicated by including the Platform properties mz.cryptoservice.keystore.path and mz.cryptoservice.keystore.password in the Platform instance. See System Properties in the System Administration Guide for further information about these properties. The keystore must also contain keys for all the aliases you want to use.

Note!

The same keytool can be used for generating keys for RCP encryption. However, these keys are of a different type and cannot be used for External References.

Example - Encrypting passwords with crypto service keystore keys

This is an example of how passwords can be encrypted with crypto service keystore keys:

  1. Create a security key with the keytool:

    keytool -genseckey -alias myAlias -keyalg AES
-keystore myKeystore.jks -keysize 128
-storepass myKeystorePassword -storetype JCEKS.

    Note!

    • If you enter a -keysize that is larger than 128, you may get a message saying that JCE Unlimited Strength Jurisdiction Policy Files needs to be installed. See the Oracle product documentation for further information about this.

    • The -storepass flag is optional. If you do not enter a -storepass you will be prompted for a password.

    • -storetype JCEKS is mandatory.

    • You will be prompted if you want to use the same password for the key as for the keystore and the system requires that the same password is used.

  2. Place the keystore in a suitable directory.
     

  3. Encrypt the password to the keystore using the mzsh encryptpassword command with the default key:

    mzsh mzadmin/<password> encryptpassword myKeystorePassword

    The encrypted password is returned.
     

  4. Set the Platform properties mz.cryptoservice.keystore.path and mz.cryptoservice.keystore.password:

    $ mzsh topo set topo://container:<platform container>/pico:platform/obj:config.properties '{
 mz.cryptoservice.keystore.path="<suitable directory>/myKeystore.jks"
 mz.cryptoservice.keystore.password="<the encrypted password>"
}'

    _

  5. Encrypt the passwords with aliases that you want to use in your external references:

    mzsh mzadmin/<password> encryptpassword -a myAlias <passwordToEncrypt>

    Use the returned password string as a value in your External Reference source, i e file or environment variable.