
Configure Keystore Password Loader

By default, the Denodo Platform creates a random encryption key whose configuration is located in <DENODO_HOME>/conf/denodo-keystore.json. In some environments the keystore password must be kept outside the installation folder, in an external file, an environment variable or a secret manager service provided by the cloud platform hosting the Denodo Platform.

There are six keystore password loaders available to use:

  1. Direct Keystore Password Configuration

  2. File Keystore Password Configuration

  3. Environment Variable Keystore Password Configuration

  4. AWS Keystore Password Configuration

  5. Azure Keystore Password Configuration

  6. Google Cloud Keystore Password Configuration

Important

Cloud loaders require the server to be running on the cloud service with enough privileges to access the configured secret. A cloud loader cannot be configured from an on-premises installation.

Direct Keystore Password Configuration

This is the default configuration when installing the Denodo Platform. The password is specified directly, in the value tag of the password configuration.

Example of keystore configuration with direct password
{
   "keyStore": {
      "loader": {
         "type": "FILE",
         "location": "denodo-key.keystore"
      },
      "type": "PKCS12",
      "password": {
         "value": "<password to access the keystore>"
      }
   },
   "key": {
      "alias": "denodo_key"
   }
}

With the placeholder replaced by kspassword, this example opens the keystore using the password kspassword.

File Keystore Password Configuration

This configuration reads the password from a specified file. This is done by using a "loader" section with "type":"FILE" and a "location" tag holding the path to the file. The file contains the keystore password in the format given by the "format" tag, which accepts CLEAR, HEX and BASE64.

Example of keystore configuration with a file containing the password
{
   "keyStore":{
      "loader":{
         "type":"FILE",
         "location":"denodo-key.keystore"
      },
      "password":{
         "format":"BASE64",
         "loader":{
            "type":"FILE",
            "location":"<route>"
         }
      }
   },
   "key":{
      "alias":"denodo_key"
   }
}

To open a keystore protected with password kspassword the referenced file should contain it encoded as Base64: a3NwYXNzd29yZA==

Note

When the keyStore location is not an absolute path, it is resolved relative to the directory of the <DENODO_HOME>/conf/denodo-keystore.json file.

Environment Variable Keystore Password Configuration

This configuration reads the password from an environment variable. This is done by using a "loader" section with "type":"ENV" and a "name" tag holding the name of the environment variable to read. The environment variable contains the keystore password in the format given by the "format" tag, which accepts CLEAR, HEX and BASE64.

Example of keystore configuration with an environment variable containing the password
{
   "keyStore":{
      "loader":{
         "type":"FILE",
         "location":"denodo-key.keystore"
      },
      "password":{
         "format":"HEX",
         "loader":{
            "type":"ENV",
            "name":"<env_variable>"
         }
      }
   },
   "key":{
      "alias":"denodo_key"
   }
}

To open a keystore protected with password kspassword the referenced environment variable should contain it encoded as hexadecimal text: 6B7370617373776F7264

AWS Keystore Password Configuration

This configuration obtains the password from AWS Secrets Manager. This is done by using a "loader" section with "type":"AWS" and the following configuration tags:

  • awsRegion: The AWS region where the secret is stored.

  • awsSecretId: The id of the secret to load from the specified region.

  • awsSecretKey: Optional tag used when the secret is stored as a key-value JSON mapping. It holds the key whose value contains the password. If no format tag is given, the password is expected in clear text.

Example of keystore configuration with the password contained in AWS Secrets Manager
{
   "keyStore":{
      "loader":{
         "type":"FILE",
         "location":"denodo-key.keystore"
      },
      "password":{
         "loader":{
            "type":"AWS",
            "awsRegion":"us-west-1",
            "awsSecretId":"keystore-password-json",
            "awsSecretKey":"keystorePass"
         }
      }
   },
   "key":{
      "alias":"denodo_key"
   }
}

To open a keystore protected with password kspassword the referenced secret should contain the value {"keystorePass":"kspassword"}

Azure Keystore Password Configuration

This configuration obtains the password from Azure Key Vault. This is done by using a "loader" section with "type":"AZURE" and the following configuration tags:

  • azureSecretId: The id of the secret that holds the keystore password.

  • azureVaultUrl: URL of the vault that contains the configured secret.

  • azureManagedIdentityClientId: Optional parameter required only when the privileges to access the secret use the managed identity authentication flow.

Example of keystore configuration with the password contained in Azure Key Vault.
{
   "keyStore":{
      "loader":{
         "type":"FILE",
         "location":"denodo-key.keystore"
      },
      "password":{
         "loader":{
            "type":"AZURE",
            "azureSecretId":"secret-id",
            "azureVaultUrl":"https://example.vault.azure.net"
         }
      }
   },
   "key":{
      "alias":"denodo_key"
   }
}

To open a keystore protected with password kspassword the referenced secret should contain the value kspassword

Google Cloud Keystore Password Configuration

This configuration obtains the password from Google Cloud Secret Manager. This is done by using a "loader" section with "type":"GOOGLE_CLOUD" and the following configuration tags:

  • gcSecretId: The id of the secret that holds the keystore password.

  • gcProjectId: Project id where the secret has been created.

  • gcVersionId: Optional parameter with the specific secret version to use. If not present the latest version will be used.

Example of keystore configuration with the password contained in Google Cloud Secret Manager.
{
   "keyStore":{
      "loader":{
         "type":"FILE",
         "location":"denodo-key.keystore"
      },
      "password":{
         "loader":{
            "type":"GOOGLE_CLOUD",
            "gcSecretId":"denodo-secret-1",
            "gcProjectId":"denodo-project",
            "gcVersionId":"prod1"
         }
      }
   },
   "key":{
      "alias":"denodo_key"
   }
}

To open a keystore protected with password kspassword the referenced secret should contain the value kspassword

Note

The configurations above control how the password protecting the keystore is obtained. The keystore loader itself may also be changed from FILE to any of the loader types described above. The FILE and AWS loaders can hold the keystore file as binary data; for the other loaders, the text value must be the bytes of the keystore encoded as BASE64.

Example of keystore configuration on AWS retrieving the keystore from a binary secret.
{
   "keyStore":{
      "loader":{
         "type":"AWS",
         "awsRegion":"us-west-1",
         "awsSecretId":"denodo_keystore_binary_secret"
      },
      "password":{
         "loader":{
            "type":"AWS",
            "awsRegion":"eu-west-1",
            "awsSecretId":"keystore-password-cleartext"
         }
      }
   },
   "key":{
      "alias":"denodo_key"
   }
}
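The following Python helper is an added example, not Denodo code: it produces the text a FILE or ENV password loader expects for each format tag (the CLEAR, HEX and BASE64 encodings shown in the sections above) and statically checks a denodo-keystore.json document against the loader types and required tags this page describes. The required-tag table and the rule that a password block carries either "value" or "loader" are taken from the examples above; optional tags are not checked.

```python
import base64
import json

# Required tags per loader type, as listed on this page. Optional tags
# (awsSecretKey, azureManagedIdentityClientId, gcVersionId) are not checked.
REQUIRED_TAGS = {
    "FILE": {"location"},
    "ENV": {"name"},
    "AWS": {"awsRegion", "awsSecretId"},
    "AZURE": {"azureSecretId", "azureVaultUrl"},
    "GOOGLE_CLOUD": {"gcSecretId", "gcProjectId"},
}
# format tag -> (bytes -> text the loader reads, text -> bytes it recovers)
FORMATS = {
    "CLEAR": (lambda b: b.decode("utf-8"), lambda s: s.encode("utf-8")),
    "HEX": (lambda b: b.hex().upper(), bytes.fromhex),
    "BASE64": (lambda b: base64.b64encode(b).decode("ascii"),
               lambda s: base64.b64decode(s, validate=True)),
}

def encode_password(password: str, fmt: str = "CLEAR") -> str:
    """Text to put in the file or environment variable for a given format tag."""
    return FORMATS[fmt][0](password.encode("utf-8"))

def decode_password(text: str, fmt: str = "CLEAR") -> str:
    """Inverse of encode_password: the password the loader recovers at start-up."""
    return FORMATS[fmt][1](text).decode("utf-8")

def check_loader(loader: dict, where: str) -> list:
    """Problems in one "loader" object: unknown type or missing required tags."""
    ltype = loader.get("type")
    if ltype not in REQUIRED_TAGS:
        return [f"{where}: unknown loader type {ltype!r}"]
    missing = REQUIRED_TAGS[ltype] - loader.keys()
    return [f"{where}: {ltype} loader missing tag {t}" for t in sorted(missing)]

def check_config(text: str) -> list:
    """Statically check a denodo-keystore.json document; [] means no problems."""
    ks = json.loads(text).get("keyStore", {})
    problems = check_loader(ks.get("loader", {}), "keyStore")
    pw = ks.get("password", {})
    if ("value" in pw) == ("loader" in pw):  # exactly one of the two must be set
        problems.append("password: give exactly one of 'value' or 'loader'")
    elif "loader" in pw:
        problems += check_loader(pw["loader"], "password")
    if pw.get("format", "CLEAR") not in FORMATS:
        problems.append(f"password: unknown format {pw['format']!r}")
    return problems
```

Running the checker over a configuration before restarting the server catches a misspelled tag or a missing region early, instead of at start-up when the keystore cannot be opened.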