Keystore Management
The configure_encryption_key_for_metadata_and_settings script automates some operations on the keystore included in the Denodo Platform installation and provides a way to generate new keystores if required.
This script is located in <DENODO_HOME>/bin/configure_encryption_key_for_metadata_and_settings and it does the following:
Generates a keystore with a random encryption key and a configuration file to use it.
Changes the password of an existing keystore without changing the encryption key stored.
Resets the encryption key in an existing keystore.
There are three operation modes available to achieve the above goals:
Before diving into the details of each mode, we are going to explain some common configuration parameters that appear in all the operation modes:
--denodo-home <path>
: path to the target Denodo Platform installation, Denodo Solution Manager installation, or other distributed tools like db-tools and denodo-monitor. With this parameter the script automatically creates the file <path>/conf/denodo-keystore.json.
--config-file <path>
: path to the JSON file containing the keystore access configuration. For a Denodo Platform installation this is <DENODO_HOME>/conf/denodo-keystore.json.
--credentials-file <path>
: path to a .properties file with values for keystore.password and/or new.keystore.password, as required by the script's configuration:
keystore.password=<password_value>
new.keystore.password=<password_value>
Note
As this script is used to configure the encryption key, all passwords used as inputs are received in plain text. To avoid typing them directly in the shell, specify them in a separate file using the --credentials-file option.
Generating a New Keystore with an Encryption Key and its Configuration
This script mode provides a way to generate a new keystore containing a random encryption key protected with a random or provided password. This is useful to configure encryption keys for tools like Denodo Tools or the Denodo Monitor.
configure_encryption_key_for_metadata_and_settings
--auto-generate
--keystore <path>
[ --keystore-password <password> ]
[ --credentials-file <path> ]
--denodo-home <path> | --config-output <path>
--keystore <path>
: The keystore that will contain the encryption key. It can be located anywhere in the filesystem.
--keystore-password <password>
: If not present, a random password will be used. This is equivalent to using the keystore.password property with --credentials-file.
--config-output <path>
: The JSON file with the configuration needed to access the keystore. This is used to generate a file outside the default <DENODO_HOME>/conf/denodo-keystore.json.
Update the Keystore Password
This mode is used to update the password of the given keystore. Note that this script mode does not change the encryption key, only the password protecting it.
configure_encryption_key_for_metadata_and_settings
--update-password
--config-file <path>
[ --new-keystore-password <password> ]
[ --credentials-file <path> ]
--new-keystore-password <password>
: If not present, a random password will be used. This is equivalent to using the new.keystore.password property with --credentials-file.
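The note above about keeping plain-text passwords off the command line, applied to this mode. This is an added example, not code shipped with the Denodo Platform: it writes new.keystore.password to an owner-only temporary credentials file, runs --update-password with it and deletes the file afterwards. The DENODO_HOME default, the DENODO_SCRIPT variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Denodo code. DENODO_HOME's default, DENODO_SCRIPT and the
# function names are assumptions; the options are the ones documented above.
DENODO_HOME=${DENODO_HOME:-/opt/denodo}
DENODO_SCRIPT=${DENODO_SCRIPT:-$DENODO_HOME/bin/configure_encryption_key_for_metadata_and_settings}

# Write "<property>=<password>" to an owner-only file. The password is read
# from stdin, so it never appears in argv, `ps` output or shell history.
write_credentials_file() {
    cred_file=$1
    property=$2
    IFS= read -r password || [ -n "$password" ] || return 1
    [ -n "$password" ] || { echo "empty password" >&2; return 1; }
    ( umask 077 && : > "$cred_file" ) || return 1
    chmod 600 "$cred_file" || return 1   # also tightens a pre-existing file
    printf '%s=%s\n' "$property" "$password" >> "$cred_file"
}

# Run --update-password, handing over the new password only through a
# short-lived credentials file that is deleted whatever the outcome.
update_keystore_password() {
    config_file=$1
    cred_file=$(mktemp "${TMPDIR:-/tmp}/denodo-cred.XXXXXX") || return 1
    if write_credentials_file "$cred_file" new.keystore.password; then
        "$DENODO_SCRIPT" --update-password \
            --config-file "$config_file" \
            --credentials-file "$cred_file"
        rc=$?
    else
        rc=1
    fi
    rm -f "$cred_file"
    return "$rc"
}

# Usage: read the password without echo, then pipe it to the function.
#   stty -echo; IFS= read -r pw; stty echo
#   printf '%s\n' "$pw" | update_keystore_password /path/to/denodo-keystore.json
```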
Reset the Encryption Key
This mode resets the encryption key contained in a keystore. This is useful when generating new installations from a template, so that the instances do not all share the same encryption key. This can only be used on fresh installations.
configure_encryption_key_for_metadata_and_settings
--reset
--config-file <path>
Note
Do not use the script <DENODO_HOME>/bin/change_encryption_key_for_metadata_and_settings. This script is reserved for internal use.