Configure Keystore Password Loader
By default, the Denodo Platform creates a random encryption key configuration located in <DENODO_HOME>/conf/denodo-keystore.json.
In some environments the password must be kept outside the installation folder: in an external file, in an environment variable, or in a secret manager service provided by the cloud platform hosting the Denodo Platform.
There are six keystore password loaders available:
- Direct (the password is written in the configuration file)
- File
- Environment variable
- AWS Secrets Manager
- Azure Key Vault
- Google Cloud Secret Manager
Important
Cloud loaders require the server to be running on that cloud service with enough privileges to access the configured secret. Cloud loaders cannot be configured from on-premises installations.
Direct Keystore Password Configuration
This is the default configuration when installing the Denodo Platform. The password is specified directly with the value tag of the password configuration.
{
  "keyStore": {
    "loader": {
      "type": "FILE",
      "location": "denodo-key.keystore"
    },
    "type": "PKCS12",
    "password": {
      "value": "<password to access the keystore>"
    }
  },
  "key": {
    "alias": "denodo_key"
  }
}
Replacing the placeholder with kspassword opens a keystore protected with that password.
File Keystore Password Configuration
This configuration reads the password from a file. It uses a "loader" section with "type":"FILE" and a "location" tag holding the path to the file. The file contains the keystore password in the format given by the "format" tag: CLEAR, HEX or BASE64.
{
  "keyStore": {
    "loader": {
      "type": "FILE",
      "location": "denodo-key.keystore"
    },
    "password": {
      "format": "BASE64",
      "loader": {
        "type": "FILE",
        "location": "<route>"
      }
    }
  },
  "key": {
    "alias": "denodo_key"
  }
}
To open a keystore protected with the password kspassword, the referenced file should contain it encoded as Base64: a3NwYXNzd29yZA==
Note
When the keyStore location is not an absolute path, it is resolved relative to the directory containing <DENODO_HOME>/conf/denodo-keystore.json.
Environment Variable Keystore Password Configuration
This configuration reads the password from an environment variable. It uses a "loader" section with "type":"ENV" and a "name" tag holding the name of the variable to read. The variable contains the keystore password in the format given by the "format" tag: CLEAR, HEX or BASE64.
{
  "keyStore": {
    "loader": {
      "type": "FILE",
      "location": "denodo-key.keystore"
    },
    "password": {
      "format": "HEX",
      "loader": {
        "type": "ENV",
        "name": "<env_variable>"
      }
    }
  },
  "key": {
    "alias": "denodo_key"
  }
}
To open a keystore protected with the password kspassword, the referenced environment variable should contain it encoded as hexadecimal text: 6B7370617373776F7264
AWS Keystore Password Configuration
This configuration obtains the password from AWS Secrets Manager. It uses a "loader" section with "type":"AWS" and the following configuration tags:
- awsRegion: the AWS region where the secret is stored.
- awsSecretId: the id of the secret to load from that region.
- awsSecretKey: optional; used when the secret was uploaded as a key-value JSON mapping. It holds the key whose value is the password.
If no format tag is given, the password is expected to be in clear text.
{
  "keyStore": {
    "loader": {
      "type": "FILE",
      "location": "denodo-key.keystore"
    },
    "password": {
      "loader": {
        "type": "AWS",
        "awsRegion": "us-west-1",
        "awsSecretId": "keystore-password-json",
        "awsSecretKey": "keystorePass"
      }
    }
  },
  "key": {
    "alias": "denodo_key"
  }
}
To open a keystore protected with the password kspassword, the referenced secret should contain the value {"keystorePass":"kspassword"}
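The loaders described in the File, Environment Variable and AWS sections above can be exercised offline. The following is an added example, not Denodo's own code: it resolves the password section of a parsed denodo-keystore.json the way the documentation describes, applying the CLEAR/HEX/BASE64 format tag, resolving a relative file location against the configuration directory (the documentation states that rule for the keystore location; applying it to the password file is this example's assumption) and interpreting an AWS SecretString with or without awsSecretKey. The function names, the DENODO_KS_PASS variable and the fetch_aws_secret callback are this example's own, and the actual Secrets Manager call is left to the caller.

```python
import base64
import json
import os
from typing import Callable, Mapping, Optional


def decode_password(raw: str, fmt: Optional[str]) -> str:
    """Apply the documented "format" tag: CLEAR (default), HEX or BASE64.
    CLEAR keeps whitespace untouched; the docs do not say whether a trailing
    newline is trimmed, so write the password file without one."""
    fmt = (fmt or "CLEAR").upper()
    if fmt == "CLEAR":
        return raw
    if fmt == "HEX":
        return bytes.fromhex(raw.strip()).decode("utf-8")
    if fmt == "BASE64":
        return base64.b64decode(raw.strip(), validate=True).decode("utf-8")
    raise ValueError(f"unsupported password format: {fmt}")


def encode_password(password: str, fmt: str) -> str:
    """Inverse of decode_password: the text to place in the file/variable/secret."""
    fmt = fmt.upper()
    if fmt == "CLEAR":
        return password
    if fmt == "HEX":
        return password.encode("utf-8").hex().upper()
    if fmt == "BASE64":
        return base64.b64encode(password.encode("utf-8")).decode("ascii")
    raise ValueError(f"unsupported password format: {fmt}")


def password_from_aws_secret(secret_string: str, aws_secret_key: Optional[str],
                             fmt: Optional[str]) -> str:
    """With awsSecretKey the SecretString must be a JSON key-value map and the
    password is the value under that key; without it the whole string is used."""
    if aws_secret_key is None:
        return decode_password(secret_string, fmt)
    try:
        mapping = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("awsSecretKey is set but the secret is not JSON") from exc
    if not isinstance(mapping, dict) or aws_secret_key not in mapping:
        raise KeyError(f"secret has no key {aws_secret_key!r}")
    return decode_password(str(mapping[aws_secret_key]), fmt)


def _read_file(path: str) -> str:
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def resolve_password(config: dict, config_dir: str,
                     env: Mapping[str, str] = os.environ,
                     read_text: Callable[[str], str] = _read_file,
                     fetch_aws_secret: Optional[Callable[[str, str], str]] = None) -> str:
    """Return the keystore password for a parsed denodo-keystore.json.
    config_dir is the directory holding that file; a relative password file
    location is resolved against it (assumption, see lead-in).
    fetch_aws_secret(region, secret_id) -> SecretString is caller-supplied."""
    section = config["keyStore"]["password"]
    fmt = section.get("format")
    if "value" in section:  # direct configuration: password written inline
        return section["value"]
    loader = section["loader"]
    ltype = loader["type"].upper()
    if ltype == "FILE":
        location = loader["location"]
        if not os.path.isabs(location):
            location = os.path.join(config_dir, location)
        return decode_password(read_text(location), fmt)
    if ltype == "ENV":
        name = loader["name"]
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return decode_password(env[name], fmt)
    if ltype == "AWS":
        if fetch_aws_secret is None:
            raise RuntimeError("the AWS loader needs a fetch_aws_secret callable")
        secret = fetch_aws_secret(loader["awsRegion"], loader["awsSecretId"])
        return password_from_aws_secret(secret, loader.get("awsSecretKey"), fmt)
    raise NotImplementedError(f"loader type {ltype} is outside this example")


# Constructed sample: the ENV configuration from this page with the HEX value
# it documents; the variable name DENODO_KS_PASS is this example's own.
SAMPLE_ENV_CONFIG = {
    "keyStore": {
        "loader": {"type": "FILE", "location": "denodo-key.keystore"},
        "password": {"format": "HEX",
                     "loader": {"type": "ENV", "name": "DENODO_KS_PASS"}},
    },
    "key": {"alias": "denodo_key"},
}

if __name__ == "__main__":
    env = {"DENODO_KS_PASS": encode_password("kspassword", "HEX")}
    print(resolve_password(SAMPLE_ENV_CONFIG, "/opt/denodo/conf", env=env))  # kspassword
```

encode_password also produces the values an operator must place in the file or variable: encode_password("kspassword", "HEX") yields the 6B7370617373776F7264 shown above and encode_password("kspassword", "BASE64") the a3NwYXNzd29yZA== from the File section. The Azure and Google Cloud loaders are outside this example.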
Azure Keystore Password Configuration
This configuration obtains the password from Azure Key Vault. It uses a "loader" section with "type":"AZURE" and the following configuration tags:
- azureSecretId: the id of the secret containing the keystore password.
- azureVaultUrl: URL of the vault holding that secret.
- azureManagedIdentityClientId: optional; required only when access to the secret uses the managed identity authentication flow.
{
  "keyStore": {
    "loader": {
      "type": "FILE",
      "location": "denodo-key.keystore"
    },
    "password": {
      "loader": {
        "type": "AZURE",
        "azureSecretId": "secret-id",
        "azureVaultUrl": "https://example.vault.azure.net"
      }
    }
  },
  "key": {
    "alias": "denodo_key"
  }
}
To open a keystore protected with the password kspassword, the referenced secret should contain the value kspassword.
Google Cloud Keystore Password Configuration
This configuration obtains the password from Google Cloud Secret Manager. It uses a "loader" section with "type":"GOOGLE_CLOUD" and the following configuration tags:
- gcSecretId: the id of the secret containing the keystore password.
- gcProjectId: the project id where the secret was created.
- gcVersionId: optional; the specific secret version to use. When absent, the latest version is used.
{
  "keyStore": {
    "loader": {
      "type": "FILE",
      "location": "denodo-key.keystore"
    },
    "password": {
      "loader": {
        "type": "GOOGLE_CLOUD",
        "gcSecretId": "denodo-secret-1",
        "gcProjectId": "denodo-project",
        "gcVersionId": "prod1"
      }
    }
  },
  "key": {
    "alias": "denodo_key"
  }
}
To open a keystore protected with the password kspassword, the referenced secret should contain the value kspassword.
Note
The configurations above control access to the password that protects the keystore. The keystore loader itself may also be changed from FILE to any of the loader types above. FILE and AWS can store the keystore file as binary data; for the other loaders the text value must be the bytes of the keystore encoded as BASE64.
{
  "keyStore": {
    "loader": {
      "type": "AWS",
      "awsRegion": "us-west-1",
      "awsSecretId": "denodo_keystore_binary_secret"
    },
    "password": {
      "loader": {
        "type": "AWS",
        "awsRegion": "eu-west-1",
        "awsSecretId": "keystore-password-cleartext"
      }
    }
  },
  "key": {
    "alias": "denodo_key"
  }
}
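The note above fixes how the keystore bytes themselves must be stored for each loader type: raw for FILE and AWS, BASE64 text for the rest. As an added example that is not Denodo's code, the helper below prepares the value to upload for a given keyStore.loader type and checks a fetched value the other way round. The DER sanity check is this example's own: a PKCS12 keystore is a DER SEQUENCE, so its first byte is 0x30 and its BASE64 form starts with "M", which is enough to catch a BASE64 string that was pasted into a binary AWS or FILE loader. SAMPLE_KEYSTORE is a constructed five-byte DER stand-in, not a usable keystore, and the function names are this example's own.

```python
import base64
import binascii
from typing import Optional, Union

# Per the note above: FILE and AWS may hold the keystore as raw bytes, the
# other loaders carry the same bytes as a BASE64 text value.
BINARY_LOADERS = {"FILE", "AWS"}
TEXT_LOADERS = {"ENV", "AZURE", "GOOGLE_CLOUD"}

# Constructed stand-in for a keystore: a five-byte DER SEQUENCE { INTEGER 3 }.
# It is not a usable PKCS12 file, only enough to exercise the checks below.
SAMPLE_KEYSTORE = bytes.fromhex("3003020103")


def keystore_payload(loader_type: str, keystore: bytes) -> Union[bytes, str]:
    """Value to upload for a keyStore.loader of the given type."""
    t = loader_type.upper()
    if t in BINARY_LOADERS:
        return bytes(keystore)
    if t in TEXT_LOADERS:
        return base64.b64encode(keystore).decode("ascii")
    raise ValueError(f"unknown loader type: {loader_type}")


def _base64_of_der(text: bytes) -> bool:
    """True when text is valid BASE64 whose decoded bytes start a DER SEQUENCE."""
    try:
        return base64.b64decode(text, validate=True)[:1] == b"\x30"
    except binascii.Error:
        return False


def keystore_from_payload(loader_type: str, payload: Union[bytes, str]) -> bytes:
    """Recover the keystore bytes from a fetched value and sanity-check them.
    A PKCS12 file is a DER SEQUENCE (first byte 0x30); the BASE64 of any such
    file starts with 'M', which exposes BASE64 text stored in a binary loader."""
    t = loader_type.upper()
    if t in BINARY_LOADERS:
        if not isinstance(payload, (bytes, bytearray)):
            raise TypeError(f"{t} loader expects binary keystore data")
        data = bytes(payload)
        if data[:1] == b"M" and _base64_of_der(data):
            raise ValueError(f"{t} value is BASE64 text; store the raw keystore bytes")
    elif t in TEXT_LOADERS:
        if not isinstance(payload, str):
            raise TypeError(f"{t} loader expects a BASE64 text value")
        try:
            data = base64.b64decode(payload.strip(), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{t} value is not valid BASE64") from exc
    else:
        raise ValueError(f"unknown loader type: {loader_type}")
    if data[:1] != b"\x30":
        raise ValueError("decoded data is not a DER SEQUENCE, so not a PKCS12 keystore")
    return data


def payload_issue(loader_type: str, payload: Union[bytes, str]) -> Optional[str]:
    """None when the stored value is acceptable for that loader, else the problem."""
    try:
        keystore_from_payload(loader_type, payload)
    except (TypeError, ValueError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(keystore_payload("AZURE", SAMPLE_KEYSTORE))      # MAMCAQM=
    print(payload_issue("AWS", b"MAMCAQM="))              # BASE64 text in a binary loader
```

Running a fetched secret through payload_issue before restarting the server is a cheap way to confirm the keystore reached the secret store in the form its loader expects; with a real keystore, pass the bytes read from the .keystore file as SAMPLE_KEYSTORE is passed here.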