How to pass encrypted strings as substitution variables

Article ID: KB0073206

Products

TIBCO Streaming

Description

How can an encrypted string value be passed using a substitution variable? For example, I would like to set the JMS server's password property (in my JMS HOCON configuration) via a substitution variable. How can I set the substitution variable so that the password is not shown in plain text?

Issue/Introduction

Outlines the steps needed to pass encrypted string values via substitution variables.

Resolution

After building your Streaming application archive (either in Studio or using 'mvn clean package'), create a master secret and a keystore file to store the master secret:
$ epadmin create secret keystore=ks keystorepassword=password
With the master secret, you may now encrypt your string value:
$ epadmin encrypt secret keystore=ks keystorepassword=password data=YourStringValue
#!!TSG0yQ8rIdABCT66PfmuRPjQoHs5SPuhWNUL+O5V8bVifdnPEP1B7M7pWQ==
The returned value #!!TSG0yQ8rIdABCT66PfmuRPjQoHs5SPuhWNUL+O5V8bVifdnPEP1B7M7pWQ== can now be used as the value for your substitution variable when you install the node:
$ epadmin install node \
nodename=pwd.encrypt \
nodedirectory=nodes \
application=sample_firstapp-app-0.0.1-SNAPSHOT-ep-application.zip \
substitutions="JMS_PASSWORD=#!!TSG0yQ8rIdABCT66PfmuRPjQoHs5SPuhWNUL+O5V8bVifdnPEP1B7M7pWQ==" \
keystore=ks \
keystorepassword=password
Alternatively, you can create a substitutions file (e.g. subs-file.txt) whose contents look like this:
"JMS_PASSWORD" = "#!!TSG0yQ8rIdABCT66PfmuRPjQoHs5SPuhWNUL+O5V8bVifdnPEP1B7M7pWQ=="
Your install command would then look like this:
$ epadmin install node \
nodename=pwd.encrypt \
nodedirectory=nodes \
application=sample_firstapp-app-0.0.1-SNAPSHOT-ep-application.zip \
substitutionfile=/path/to/subs-file.txt \
keystore=ks \
keystorepassword=password
In your JMS HOCON configuration file, you may set the password property using the JMS_PASSWORD substitution variable:
password = "${JMS_PASSWORD:-xxx}"
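As an added example (not part of the original article or of TIBCO's tooling), the shell function below checks a substitutions file in the format shown above before it is handed to the install command, and reports any secret-looking variable whose value is still plain text. The function name check_subs_file, the key-name pattern, and the rule that every encrypted value starts with #!! (taken from this article's example output) are assumptions.

```shell
#!/bin/sh
# Added example: pre-install check for a substitutions file.
# Assumptions: encrypted values always carry the "#!!" prefix seen in this
# article, and the name pattern below identifies variables that hold secrets.

# check_subs_file FILE
# Prints "FILE:LINE: NAME is not encrypted" for each suspect entry (the value
# itself is never printed). Returns 0 if clean, 1 if any plaintext secret was
# found, 2 if the file cannot be read.
check_subs_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        # Only consider lines of the form  "NAME" = "VALUE"
        /^[ \t]*"[^"]+"[ \t]*=[ \t]*".*"[ \t]*$/ {
            line = $0
            sub(/^[ \t]*"/, "", line)                 # drop opening quote
            name = line
            sub(/".*$/, "", name)                     # keep text before next quote
            value = line
            sub(/^[^"]*"[ \t]*=[ \t]*"/, "", value)   # drop NAME" = "
            sub(/"[ \t]*$/, "", value)                # drop closing quote
            if (toupper(name) ~ /PASSWORD|PASSWD|SECRET|TOKEN/ && value !~ /^#!!/) {
                printf "%s:%d: %s is not encrypted\n", FILENAME, NR, name
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample input (not from the article): one encrypted secret,
# one plaintext secret, one non-secret setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
"JMS_PASSWORD" = "#!!CONSTRUCTEDSAMPLEVALUE=="
"DB_PASSWORD" = "constructed-plaintext"
"JMS_HOST" = "broker.example.com"
EOF
check_subs_file "$sample" || echo "plaintext secret found: encrypt it before installing the node"
rm -f "$sample"
```

Run it in a deployment script ahead of the install step and stop on a non-zero return.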

Additional Information

For more details on encrypting sensitive configuration data, please refer to the Help under Home > StreamBase Admin Guide > StreamBase Security Model > Encrypting Sensitive Configuration Data