Transparent Metadata Encryption in the Solution Manager

By default, the Solution Manager uses two instances of the Apache Derby database:

  1. The Solution Manager Server uses an Apache Derby database to store its own settings: the environments, clusters and servers, promotions, license information, etc.

  2. The Solution Manager includes a local Virtual DataPort server that is used to authenticate users. This Virtual DataPort server also uses an Apache Derby database to store its metadata.

Denodo protects access to the data and the metadata with its own authentication and authorization mechanisms, but these do not apply at the operating system level: anyone who can read the Apache Derby data files on disk (or a copy of them) bypasses those controls. By default, Denodo stores passwords (i.e. the passwords of data sources and user accounts) encrypted or hashed, but the rest of the settings are stored unencrypted.

You can enable Transparent Metadata Encryption to encrypt all the settings, not just the passwords. This uses the Advanced Encryption Standard (AES-128). After enabling this feature, the content is transparently decrypted when it is accessed, so users do not need to be aware that the content they access is encrypted, nor do they have to change any setting on their end. Note that "transparent" also means the servers decrypt the metadata for every user that Denodo authorizes: the feature protects the files at rest, and the Denodo authentication and authorization mechanisms remain the boundary for access through the servers.

Consider the following:

  • If you configured the Solution Manager to use an external database instead of Apache Derby, Transparent Metadata Encryption only applies to the Virtual DataPort metadata, not to the Solution Manager settings. In that case, check whether the external database provides its own feature to encrypt the data it stores.

  • Transparent Metadata Encryption is unrelated to how data is transmitted across the network to and from the Solution Manager servers. We recommend enabling TLS on these servers so that data is transferred securely.

Enabling Transparent Metadata Encryption

Follow these steps to encrypt the contents of the Apache Derby databases of the Solution Manager:

  1. Log in to the host where the Solution Manager runs, with the user account you use to start the Denodo servers (running the scripts as another account may leave the database files owned by that account).

  2. Stop Virtual DataPort.

  3. Stop the Solution Manager Server.

  4. Stop the License Manager.

  5. From the command line, execute the following:

    For Windows:

    cd <SOLUTION_MANAGER_HOME>\setup\solution-manager
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <SOLUTION_MANAGER_HOME>/setup/solution-manager
    ./encryptMetadata.sh --interactive
    
  6. The script will prompt you for the password used to encrypt the settings of the Solution Manager. This does not have to be your administrator password; it can be any password. Choose a strong one and keep it somewhere safe (for example, a password manager or vault).

    You will need this password to stop encrypting the metadata or to change the encryption password. If it is lost, neither of those operations can be performed with these scripts.

  7. Execute these other commands:

    For Windows:

    cd <SOLUTION_MANAGER_HOME>\setup\vdp
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <SOLUTION_MANAGER_HOME>/setup/vdp
    ./encryptMetadata.sh --interactive
    
  8. The script will prompt you for the password used to encrypt the metadata of Virtual DataPort. We suggest you use the same password as in the previous step, so that there is only one password to manage.

  9. Start Virtual DataPort, the Solution Manager Server and the License Manager.
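
The procedure above, wrapped in a script, as an added example that is not part of the Denodo documentation: it runs the two encryptMetadata.sh scripts in the documented order and, before starting the servers again, scans the Apache Derby files for a setting you know was stored in clear (for instance the JDBC URL of a data source) to confirm it is no longer readable on disk. The SOLUTION_MANAGER_HOME default, the bin/*_shutdown.sh and bin/*_startup.sh script names, the locations of the two Derby directories (passed as arguments) and the marker string are assumptions, not taken from this page.

```sh
#!/bin/sh
# Added example (not Denodo's code): wraps the documented stop / encrypt / start
# sequence and adds an on-disk check that a known plaintext setting is no
# longer readable from the Apache Derby files.
#
# Assumptions, none of which come from the documentation page:
#   - SOLUTION_MANAGER_HOME points at the Solution Manager installation.
#   - The servers are stopped and started with bin/*_shutdown.sh and
#     bin/*_startup.sh; adjust the names if your installation differs.
#   - The two Derby database directories are passed in explicitly, because
#     the page does not state where they live.
#   - MARKER is a value you know is stored as an ordinary setting (e.g. the
#     JDBC URL of a data source), never a password (those are already protected).
set -eu

SM_HOME="${SOLUTION_MANAGER_HOME:-/opt/denodo/solution-manager}"   # assumed default

# Print the number of Derby data files under DB_DIR that still contain MARKER
# as plaintext. Derby keeps table pages in seg0/*.dat and its transaction log
# in log/*.dat; both are binary files, hence grep -a.
count_plaintext_hits() {
  local db_dir="$1" marker="$2"
  [ -d "$db_dir" ] || { echo "no such Derby directory: $db_dir" >&2; return 2; }
  find "$db_dir" -type f -name '*.dat' -exec grep -laF -- "$marker" {} + | wc -l | tr -d ' '
}

# Succeed only if no file under DB_DIR contains MARKER. A remaining hit after
# encrypting means the value is still on disk in clear and deserves a look
# before the servers go back up.
assert_plaintext_absent() {
  local n
  n=$(count_plaintext_hits "$1" "$2")
  if [ "$n" -ne 0 ]; then
    echo "WARNING: $n file(s) under $1 still contain the marker in plaintext" >&2
    return 1
  fi
  return 0
}

# Order as documented: Virtual DataPort, then Solution Manager Server, then License Manager.
stop_servers() {
  "$SM_HOME/bin/vdpserver_shutdown.sh"
  "$SM_HOME/bin/solutionmanager_shutdown.sh"
  "$SM_HOME/bin/licensemanager_shutdown.sh"
}

start_servers() {
  "$SM_HOME/bin/vdpserver_startup.sh"
  "$SM_HOME/bin/solutionmanager_startup.sh"
  "$SM_HOME/bin/licensemanager_startup.sh"
}

# The two documented scripts, in the documented order. Both are interactive:
# the operator types the password at the prompt (the page shows no flag for
# passing it non-interactively, so none is used here).
run_encrypt_scripts() {
  (cd "$SM_HOME/setup/solution-manager" && ./encryptMetadata.sh --interactive)
  (cd "$SM_HOME/setup/vdp" && ./encryptMetadata.sh --interactive)
}

# enable_tme SM_DB_DIR VDP_DB_DIR MARKER
enable_tme() {
  local sm_db="$1" vdp_db="$2" marker="$3" before
  # The check is only meaningful if the marker is actually on disk beforehand.
  before=$(( $(count_plaintext_hits "$sm_db" "$marker") + $(count_plaintext_hits "$vdp_db" "$marker") ))
  if [ "$before" -eq 0 ]; then
    echo "marker not found in either Derby directory; pick a value that is stored as a setting" >&2
    return 1
  fi
  echo "before encrypting: $before file(s) expose the marker"
  stop_servers
  run_encrypt_scripts
  # Refuse to bring the servers back up until both databases pass the check.
  assert_plaintext_absent "$sm_db" "$marker"
  assert_plaintext_absent "$vdp_db" "$marker"
  start_servers
}

# Only act when invoked explicitly; sourcing this file just defines the functions.
case "${1:-}" in
  enable) enable_tme "${2:?solution manager derby dir}" "${3:?vdp derby dir}" "${4:?marker}" ;;
  check)  assert_plaintext_absent "${2:?derby dir}" "${3:?marker}" ;;
esac
```

Run it as `./enable_tme.sh enable <sm_derby_dir> <vdp_derby_dir> '<marker>'` from the account that starts the Denodo servers; `check <derby_dir> '<marker>'` runs the scan on its own, which is also a quick way to see for yourself that settings really are stored in clear before you enable the feature. The scan only proves that the chosen marker is no longer readable, not that nothing else is. The same stop, run, start sequence applies to the "Reset password" and "Decrypt" options of the scripts; after "Decrypt" the marker is expected to be readable again.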

Changing the Password for the Transparent Metadata Encryption

Follow these steps to change the password used to encrypt the Apache Derby databases of the Solution Manager:

  1. Log in to the host where the Solution Manager runs, with the user account you use to start the Denodo servers.

  2. Stop Virtual DataPort.

  3. Stop the Solution Manager Server.

  4. Stop the License Manager.

  5. From the command line, execute the following:

    For Windows:

    cd <SOLUTION_MANAGER_HOME>\setup\solution-manager
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <SOLUTION_MANAGER_HOME>/setup/solution-manager
    ./encryptMetadata.sh --interactive
    
  6. Enter 1 (Reset password) and press Enter. You will have to provide the current encryption password and then the new one.

  7. Execute these other commands:

    For Windows:

    cd <SOLUTION_MANAGER_HOME>\setup\vdp
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <SOLUTION_MANAGER_HOME>/setup/vdp
    ./encryptMetadata.sh --interactive
    
  8. Enter 1 (Reset password) and press Enter. You will have to provide the current encryption password and then the new one. We suggest you use the same password as in the previous step, so that there is only one password to manage.

  9. Start Virtual DataPort, the Solution Manager Server and the License Manager.

Disabling Transparent Metadata Encryption

Follow these steps to decrypt the Apache Derby databases of the Solution Manager. Afterwards, the settings other than passwords are stored unencrypted again, as they were before the feature was enabled:

  1. Log in to the host where the Solution Manager runs, with the user account you use to start the Denodo servers.

  2. Stop Virtual DataPort.

  3. Stop the Solution Manager Server.

  4. Stop the License Manager.

  5. From the command line, execute the following:

    For Windows:

    cd <SOLUTION_MANAGER_HOME>\setup\solution-manager
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <SOLUTION_MANAGER_HOME>/setup/solution-manager
    ./encryptMetadata.sh --interactive
    
  6. Enter 2 (Decrypt) and press Enter. You will have to provide the password you used to encrypt the metadata.

  7. Execute these other commands:

    For Windows:

    cd <SOLUTION_MANAGER_HOME>\setup\vdp
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <SOLUTION_MANAGER_HOME>/setup/vdp
    ./encryptMetadata.sh --interactive
    
  8. Enter 2 (Decrypt) and press Enter. You will have to provide the password you used to encrypt the metadata.

  9. Start Virtual DataPort, the Solution Manager Server and the License Manager.