Keystore Management

The configure_encryption_key_for_metadata_and_settings script automates some operations on the keystore included in the Denodo Platform installation and provides a way to generate new keystores if required.

This script is located in <DENODO_HOME>/bin/configure_encryption_key_for_metadata_and_settings and performs the following operations:

  • Generates a keystore with a random encryption key and a configuration file to use it.

  • Changes the password of an existing keystore without changing the encryption key stored.

  • Resets the encryption key in an existing keystore.

There are three operation modes available to achieve the above goals:

  1. Generating a New Keystore with an Encryption Key and its Configuration

  2. Update the Keystore Password

  3. Reset the Encryption Key

Before diving into the details of each mode, we are going to explain some common configuration parameters that appear in all the operation modes:

  • --denodo-home <path>: path to the target Denodo Platform, Denodo Solution Manager installation or other distributed tools like db-tools and denodo-monitor. With this parameter the script automatically creates the file <path>/conf/denodo-keystore.json

  • --config-file <path>: path to the JSON file containing the keystore access configuration. For a Denodo Platform installation this is <DENODO_HOME>/conf/denodo-keystore.json

  • --credentials-file <path>: path to a .properties file with values for keystore.password and/or new.keystore.password, as required by the script’s configuration.

    Credentials file sample
    keystore.password=<password_value>
    new.keystore.password=<password_value>
    

Note

Because this script configures the encryption key, all passwords it takes as input are received in plain text. To avoid typing them directly on the shell, specify them in a separate file using the --credentials-file option.

Generating a New Keystore with an Encryption Key and its Configuration

This script mode generates a new keystore containing a random encryption key protected with a random or provided password. This is useful to configure encryption keys for tools like Denodo Tools or the Denodo Monitor.

Syntax for generating a new encryption key
configure_encryption_key_for_metadata_and_settings
      --auto-generate
      --keystore <path>
     [ --keystore-password <password> ]
     [ --credentials-file <path> ]
      --denodo-home <path> | --config-output <path>

  • --keystore <path>: The keystore that will contain the encryption key. It can be located anywhere in the filesystem.

  • --keystore-password <password>: If not present, a random password will be used. This is analogous to using the keystore.password property with --credentials-file.

  • --config-output <path>: The JSON file with the configuration needed to access the keystore. Use this to generate the file somewhere other than the default <DENODO_HOME>/conf/denodo-keystore.json.

Update the Keystore Password

This mode updates the password of the given keystore. Note that this script mode does not change the encryption key, only the password protecting it.

Syntax for changing the keystore password
configure_encryption_key_for_metadata_and_settings
         --update-password
         --config-file <path>
      [ --new-keystore-password <password> ]
      [ --credentials-file <path> ]

  • --new-keystore-password <password>: If not present, a random password will be used. This is analogous to using the new.keystore.password property with --credentials-file.
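
The note on --credentials-file and the update-password mode above can be combined as follows. This is an added example, not part of the Denodo manual or the Denodo scripts: the function names are hypothetical, and it assumes the script and conf/denodo-keystore.json sit under the installation directory passed as the first argument.

```sh
#!/bin/sh
# Added example, not Denodo code. Function names are hypothetical; the script
# name, flags and property name are the ones documented on this page.

# Read a password from stdin (echo disabled on a terminal) and write it to an
# owner-only .properties file. Prints the file path on stdout.
write_credentials_file() {   # $1 = property name, e.g. new.keystore.password
    local prop="$1" pw file
    if [ -t 0 ]; then printf '%s: ' "$prop" >&2; stty -echo; fi
    IFS= read -r pw || true
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    [ -n "$pw" ] || { echo "empty password refused" >&2; return 1; }
    # mktemp creates the file 0600; chmod makes that explicit.
    file=$(mktemp "${TMPDIR:-/tmp}/denodo-creds.XXXXXX") || return 1
    chmod 600 "$file"
    printf '%s=%s\n' "$prop" "$pw" > "$file"
    printf '%s\n' "$file"
}

# Run the update-password mode without putting the password in argv or shell
# history, and delete the plaintext file whether or not the script succeeds.
update_keystore_password() {   # $1 = Denodo installation directory
    local home="$1" creds status=0
    creds=$(write_credentials_file new.keystore.password) || return 1
    "$home/bin/configure_encryption_key_for_metadata_and_settings" \
        --update-password \
        --config-file "$home/conf/denodo-keystore.json" \
        --credentials-file "$creds" || status=$?
    rm -f "$creds"
    return "$status"
}
```

Call it as update_keystore_password "$DENODO_HOME" and type the new password at the prompt.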

Reset the Encryption Key

This mode resets the encryption key contained in a keystore. This is useful when generating new installations from a template so all the instances do not share the same encryption key. This can only be used on fresh installations.

Syntax for resetting the encryption key
configure_encryption_key_for_metadata_and_settings
         --reset
         --config-file <path>

Note

Do not use the script <DENODO_HOME>/bin/change_encryption_key_for_metadata_and_settings. This script is reserved for internal use.
