

Configure Export Key Script

During the installation of the Denodo Platform and the Solution Manager, the installer creates a unique encryption key to encrypt all sensitive information, such as configuration properties that contain passwords, passwords to access databases, and OAuth tokens to connect to REST APIs. When you export the metadata of Virtual DataPort to a .vql file, the sensitive information is also encrypted with this unique key. In the .vql file, the “secret values” (passwords, tokens…) are marked with the token ENCRYPTED. Because the key is unique to this installation, you can only import the elements with sensitive values into installations of Virtual DataPort that use the same encryption key. We recommend that all the Denodo installations of your organization, or at least of the same business unit, use the same encryption key to make it easier to promote changes between environments (testing, staging, production, etc.).

That said, you can set a different key to encrypt sensitive data when exporting metadata. Once you do this, all the VQL statements you obtain from this installation use this new encryption key, for example when you open the VQL section of an element in Design Studio or when you export metadata using the export script.

To enable this, follow these steps:

  1. Stop Virtual DataPort.

  2. Execute the script <DENODO_HOME>/setup/vdp/configure_vdp_export_key --interactive and enter the new export password.

  3. Start Virtual DataPort.

  4. Repeat this process on all the Virtual DataPort servers that are expected to import VQL statements with encrypted keys exported from this server. From now on, only the Virtual DataPort servers with the same export key will be able to import the metadata exported from this installation.

With this script, you can also:

  1. Set the export key programmatically: use the parameter --key <new export key>. This sets the key without any involvement from the user, which is useful when you call it from a script, e.g. to automate the process of updating this password on many servers.

  2. Reset the export key to the default value: use the parameter --interactive.

Parameters of the configure_vdp_export_key script

Parameter Name: -i, --interactive

Description: Runs the interactive mode, which guides you through the process to:

  • Set a new export key

  • Update the export key

  • Reset the export key to its default value

Parameter Name: -k, --key <new export key>

Description: Set the new export key, programmatically, without intervention from the user.

You can provide the new export key:

  • In plain text.

    E.g. -k my_new_password

  • Encrypted, following the pattern encrypted:<encrypted_password>.

    E.g. -k encrypted:Gr16MjvuXhRzPtPH/yTXHw==

    To obtain the encrypted value, you need to use the encrypt_password script located in the zip <DENODO_HOME>/tools/db/denodo-db-tools.zip.

Note that if the new export key has already been set, you cannot use the -k parameter.
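
For automation with --key, a wrapper can refuse anything but the encrypted:<encrypted_password> form, so the plain-text key never reaches shell history or the process list. The following is an added example, not part of the Denodo manual or product; it assumes Virtual DataPort is already stopped, that the script has a .sh suffix on the host (override with the hypothetical EXPORT_KEY_SCRIPT variable), that the encrypted value is Base64 like the sample above, and that the key is stored in a file readable only by its owner.

```bash
#!/usr/bin/env bash
# Added example, not Denodo code: pass the export key to
# configure_vdp_export_key only in its encrypted:<value> form.

# Succeeds only for the "encrypted:<encrypted_password>" pattern from the manual.
# Assumption: the encrypted value is Base64, like the manual's sample value.
is_encrypted_key() {
    printf '%s' "$1" | grep -Eq '^encrypted:[A-Za-z0-9+/]+={0,2}$'
}

# Print the first line of a key file, but only if the file is owner-only.
read_key_file() {
    local file="$1" mode
    [ -f "$file" ] || { echo "key file not found: $file" >&2; return 2; }
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 2
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode $mode, expected 600 or 400" >&2; return 3 ;;
    esac
    head -n 1 "$file" | tr -d '\r\n'
}

# Usage: set_export_key <DENODO_HOME> <key file>
# Assumptions: Virtual DataPort is already stopped (step 1), and the script
# carries a .sh suffix on this host; override with EXPORT_KEY_SCRIPT if not.
set_export_key() {
    local denodo_home="$1" key_file="$2" key script
    script="${EXPORT_KEY_SCRIPT:-$denodo_home/setup/vdp/configure_vdp_export_key.sh}"
    key=$(read_key_file "$key_file") || return $?
    if ! is_encrypted_key "$key"; then
        echo "refusing: key is not in encrypted:<value> form" >&2
        return 4
    fi
    [ -x "$script" ] || { echo "script not executable: $script" >&2; return 5; }
    "$script" --key "$key"
}
```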
