Contents
This topic describes how to encipher passwords and the value of certain name-value pairs in the StreamBase Server configuration file so that they do not appear as clear text in the file.
To connect a StreamBase application to a supported database, you must provide a <data-source> element in the StreamBase Server configuration file. The element must contain the full JDBC connection string and, usually,
the name and password with which you want the StreamBase application to connect.
This leaves the database login name and password visible in clear text in the configuration file, readable by anyone with access to the configuration file. You can instead encipher the name and password with the sbcipher command, and then insert the enciphered version of the name and password in the configuration file.
The following shows an example <data-source> entry for an Oracle database:
<data-sources>
<data-source name="Oracle_10g" type="jdbc">
<driver value="oracle.jdbc.driver.OracleDriver"/>
<uri value="jdbc:oracle:thin:@orasrv.example.com:1521:sb_test"/>
<param name="user" value="orauser"/>
<param name="password" value="secret"/>
...
</data-source>
</data-sources>This leaves the Oracle login name and password visible in clear text in the configuration file, readable by anyone with access to the file. To preserve the privacy of this information, you can encipher the Oracle login name and password, using sbcipher commands at a UNIX command prompt or the StreamBase Command Prompt on Windows. For example, first encipher the username:
sbcipher -c "orauser"
This command returns:
b0gyqMSZ5D4lEsy0BdTmxpf+AAWDpbnkUWj0G6HaLuIuG6gKwX90ybHL0Z7yVo+T8D66sKmPso0NcDQwYX1idA==
Now, encipher the password:
sbcipher -c "secret"
This command returns:
M5DSWylszg5aA9AK29MOiaDLq7SMqmTor+nW3qURTrT9E9eqJfTPyyUudCK34nhXHE53PXK6pregp4MW8qrueg==
Now, edit the configuration file to add the enciphered attribute, and to specify the enciphered strings returned to standard output by the sbcipher command. For example:
<data-sources>
<data-source name="Oracle_10g" type="jdbc">
<driver value="oracle.jdbc.driver.OracleDriver"/>
<uri value="jdbc:oracle:thin:@orasrv.example.com:1521:sb_test"/>
<param name="user" enciphered="true"
value="b0gyqMSZ5D4lEsy0BdTmxpf+AAWDpbnkUWj0G6HaLuIuG6gKwX90ybHL0Z7yVo+T8D66sKmPso0NcDQwYX1idA=="/>
<param name="password" enciphered="true"
value="M5DSWylszg5aA9AK29MOiaDLq7SMqmTor+nW3qURTrT9E9eqJfTPyyUudCK34nhXHE53PXK6pregp4MW8qrueg=="/>
...
</data-source>
</data-sources>The following shows an example <data-source> entry for a MySQL database. In this case, the database login name and password are embedded in the JDBC connection string,
not in separate <param> lines:
<data-sources>
<data-source name="MYSQL" type="jdbc">
<driver value="com.mysql.jdbc.Driver"/>
<uri value="jdbc:mysql://mysql.example.com:3306/qa?user=nonnymouse&password=secret"/>
<param name="jdbc-reconnect-attempts" value="5"/>
...
</data-source>
</data-sources>For databases like MySQL and Microsoft SQL Server that embed the user name and password in the connection string, you must encipher the entire URI value with steps like the following:
-
First rewrite the connection string without XML entities or URL encoding. For example, the
&in the MySQL example above is necessary in the context of the server configuration file's XML, but is unnecessary and incorrect in the context of an enciphered connection string. Changing the&to&, the connection string becomes:jdbc:mysql://mysql.example.com:3306/qa?user=nonnymouse&password=secret
-
Now pass this converted string to sbcipher –c. Use quotes around the URI to escape the shell's interpretation of the question mark and ampersand in the URI string. For example:
sbcipher -c "jdbc:mysql://mysql.example.com:3306/qa?user=nonnymouse&password=secret"
-
This command returns:
n+499v4yMI4aNaIdyW9ENjUdePV0qxmIrLpdTcKBvuOHjSRAQqAFZDGxiOcX0CZet4dNDK6v 9jjJkGNqpd02sYSq18JzeqkQqdXA/ayJFKxdmj68LyrtN1ygAOaDvLyee1C3oDNEV9xtnOpi RMd7EN1JEJbVIy58DIM+mQ6fpX8WRCoT+FpX3ERbJU5W18COQ3Cc7g1VwrLnS2m37/tJUOhr a0HtBVRf5AMU/gSRA6kwS1+zmj/OpBfstSI4HcYlTn6lBITRuj9LuDpEDzNBTSahZ+Hf+Jt hzJ7fofkhZUrxJ0Ztj6s86uOJv7fD01lklyCDVtiiQIReMAqzPvDn96jtniEj4Skna6J2vs 1okX5GXukMhtkBY0ex+Bfa0IODb9XG1IAGgDVdp/pD3HgyXK9/KLDdO24CADaD8ZqQ1UAK6 3mkPYkDLRgAXg/fa+3iZW10rx2KSaSjlajTFpcMS73P0rlKjaDKzT0H5oIlNTWpYNC1Jh5i b/fvg3motbUJ2NqQfJ0mk6auNS4gwf97p1ayE4IKGf8IoF0kUItCXxmhRLzPzWl5XST7JBk SM6dF+V8up2lhXVhiwuALBM7a2aiYx/HdG0InSDdYoiFO7OblgjaI5Y7Xu5sGXviR9rfo9x Ef1eUGO6pxkYm/ZlyQm8pH3dTvmFj1C9gsD/bVE44=
(The enciphered string returned is shown in these examples with line breaks inserted for publication clarity. The string returned is actually a single unbroken string.)
-
Now, edit the configuration file as before to add the
encipheredattribute, and to specify the enciphered string returned from sbcipher:<data-sources> <data-source name="MYSQL" type="jdbc"> <driver value="com.mysql.jdbc.Driver"/> <uri enciphered="true" value="n+499v4yMI4aNaIdyW9ENjUdePV0qxmIrLpdTcKBvuOHjSRAQqAFZDGxiOcX0CZet4dNDK6v 9jjJkGNqpd02sYSq18JzeqkQqdXA/ayJFKxdmj68LyrtN1ygAOaDvLyee1C3oDNEV9xtnOpi RMd7EN1JEJbVIy58DIM+mQ6fpX8WRCoT+FpX3ERbJU5W18COQ3Cc7g1VwrLnS2m37/tJUOhr a0HtBVRf5AMU/gSRA6kwS1+zmj/OpBfstSI4HcYlTn6lBITRuj9LuDpEDzNBTSahZ+Hf+Jt hzJ7fofkhZUrxJ0Ztj6s86uOJv7fD01lklyCDVtiiQIReMAqzPvDn96jtniEj4Skna6J2vs 1okX5GXukMhtkBY0ex+Bfa0IODb9XG1IAGgDVdp/pD3HgyXK9/KLDdO24CADaD8ZqQ1UAK6 3mkPYkDLRgAXg/fa+3iZW10rx2KSaSjlajTFpcMS73P0rlKjaDKzT0H5oIlNTWpYNC1Jh5i b/fvg3motbUJ2NqQfJ0mk6auNS4gwf97p1ayE4IKGf8IoF0kUItCXxmhRLzPzWl5XST7JBk SM6dF+V8up2lhXVhiwuALBM7a2aiYx/HdG0InSDdYoiFO7OblgjaI5Y7Xu5sGXviR9rfo9x Ef1eUGO6pxkYm/ZlyQm8pH3dTvmFj1C9gsD/bVE44="/> <param name="jdbc-reconnect-attempts" value="5"/> ... </data-source> </data-sources>
StreamBase Server deciphers enciphered values using an industry-standard client key plus server key system. The examples in the previous section work as shown because the sbcipher command contains an embedded client key, and the StreamBase Server executable, sbd, contains an embedded server key. These embedded keys are stored in clear text in their respective commands, and are the same for all StreamBase installations. The embedded keys are not password protected.
There are actually two sets of embedded key pairs. One pair has a modulus length of 512 bits, while the other pair has 4096 bits. When your sbcipher command requests encipherment of a text string of less than 50 characters, the 512 bit key pair is used. When enciphering longer strings, the 4096 bit key pair is used.
There are three XML elements in StreamBase Server configuration files that accept the enciphered attribute:
-
<param>child elements of the<data-source>element. See examples in Example for Oracle. -
<uri>child elements of the<data-source>element. See an example in Example for MySQL. -
The
<operator-parameter>element.
One element in StreamBase deployment files accepts the enciphered attribute:
-
<parameter>child elements of<module-parameters>children of the<application>child of the<runtime>element. (For backward compatibility,<module-parameters>is still accepted in server configuration files as well.)
If the server encounters an enciphered= attribute in any other context in the configuration file, it displays a warning message on the console.
You can encipher the value portion of any name-value pair in any <param> child element of a <data-source> specification. The examples in Example for Oracle show encipherment when name="user" and name="password". However, you are not restricted to these two, and you can encipher the value of any JDBC connection parameter, if you have
a site-specific reason to keep the values private.
You can encipher the value portion of any name-value pair in any <operator-parameter> element. For example, you might be using operator parameters to set different portfolio names when the same StreamBase application
is run on different machines for different customers. If the customer names are part of the portfolio name in the operator
parameter value, you can encipher such values to keep them private.
You can also use operator parameters to hold the username and password values needed by some StreamBase adapters when connecting
to the adapter's server. If the adapter allows the use of operator parameters to specify the name and password for a connection,
then those values can be enciphered in the <operator-parameters> section of the server's configuration file. In this case, the adapter's configuration file would use operator parameter names
(such as ${myAdapterUser} and ${myAdapterPassword}, which hides the actual username and password from visibility. The server's configuration file would maintain the enciphered
version of the operator parameter values of myAdapterUser and myAdapterPassword.
As described above, the key pair embedded in the sbcipher and sbd commands is the same for all StreamBase installations and is not password-protected. You can instead ask sbcipher to generate your own site-specific pair of keys. You cannot use keys generated with another encipherment technology; only keys generated with sbcipher are understood by StreamBase Server.
To generate a key pair, use sbcipher's -g option, and specify a file name to serve as the base name for the generated keys. You can specify a path to the file base
name, as shown in the following examples:
sbcipher -g myCompanyKey sbcipher -g /home/sbapps/myKey (UNIX path) sbcipher -g c:\sbapps\cipherKey (Windows path)
Generated keys have a bit size of 512 by default. You can optionally specify a longer bit size by adding the -s option with an argument of 512, 1024, 2048, or 4096. For example:
sbcipher -g myCompanyKey -s 2048
The sbcipher -g command generates one client and one server key, named basename.sbcipherbasename.server
myCompanyKey.sbcipher
myCompanyKey.server
Specify the generated client key with the -k option when enciphering strings with -c. For example:
sbcipher -c "orauser" -k myCompanyKey.sbcipher
This generates an enciphered value that can only be unlocked with the corresponding server key generated at the same time. The next section describes how to tell StreamBase Server and StreamBase Studio to use the server key.
If you have generated a client-server key pair as described in the previous section, you must configure both StreamBase Server and StreamBase Studio to use your server key when deciphering enciphered values encountered in the configuration file.
To use your generated server key in place of the embedded server key to decipher all enciphered values, specify the path to
your server key file with the streambase.security.key-file system property. Use the <sysproperty> child element of the <jvm-args> element in the server configuration file, as shown in the following example:
<jvm-args>
...
<sysproperty name="streambase.security.key-file"
value="/path/to/myCompanyKey.server" />
...
</jvm-args>When you specify one server key file as in the example above, you override and disable the default embedded server key. You can preserve the embedded server key while also using a generated server key as described below.
You can specify a comma-separated list of server keys. In this case, when StreamBase Server encounters an enciphered value in the configuration file, it tries to decipher using each server key in the order listed. For example:
<jvm-args>
...
<sysproperty name="streambase.security.key-file"
value="myCompanyKey.server,myKey.server,cipherKey.server" />
...
</jvm-args>This feature allows you to encipher different portions of the configuration file for different purposes. For example, your site's database administrators may prefer to keep private a particular database's login name and password. You can provide them with the sbcipher command so they can encipher those values and return to you only the enciphered strings, plus a pair of client and server key files.
When you specify one or more server key files with the streambase.security.key-file system property, you disable the embedded server key described in Enciphering with the Embedded Key Pair. However, there is a way to continue using the embedded keys for some purposes, but use a generated server key for other
purposes.
Two files containing the embedded server keys are delivered with your StreamBase installation. Locate these files in streambase-install-dir/etc
streambase-embeddedkey-512.server
streambase-embeddedkey-4096.server
You can specify one or both of these server key files in your list of server keys in the streambase.security.key-file system property. For example:
<jvm-args>
...
<sysproperty name="streambase.security.key-file"
value="/path/to/myCompanyKey.server,${STREAMBASE_HOME}/etc/streambase-embeddedkey-512.server" />
...
</jvm-args>Assuming the server's environment has the STREAMBASE_HOME variable set, this directive says to decipher enciphered values using the myCompanyKey.server key first, then try using the default embedded 512-bit key.
StreamBase Studio needs to decipher enciphered values under two circumstances:
-
When it attempts to typecheck an operator that uses enciphered values. For example, a JDBC Query operator might use enciphered name and password values when connecting to a JDBC data source.
-
When it attempts to run or debug an application, either locally or remotely.
If the configuration file has values enciphered with the default embedded keys, then Studio can successfully typecheck operators, and can successfully launch and run applications normally.
However, if the configuration file has values enciphered with custom generated keys, Studio must know where to locate the
server key or keys used when enciphering the values. Specify the location of custom generated server keys to Studio using
the streambase.security.key-file system property specified as part of the STREAMBASE_STUDIO_VMARGS environment variable. You must set the value in this environment variable before starting Studio.
Set this variable as described in STREAMBASE_STUDIO_VMARGS. When adding the streambase.security.key-file system property, remember to re-specify the default -Xms and -Xmx arguments, as shown in the following example:
STREAMBASE_STUDIO_VMARGS=-Xms256M -Xmx768M \
-Dstreambase.security.key-file=/path/to/myCompanyKey.serverYou may want to re-specify the default GC settings as described in Garbage Collection Policy Settings.
Keep in mind the following points when using the encipherment feature:
-
StreamBase Server is not a secure environment. The encipherment feature described on this page does not provide strong encryption of passwords and parameter values. On startup, StreamBase Server deciphers any enciphered values it encounters in the configuration file, and thereafter stores and uses the deciphered plain text version of these values in internal buffers.
-
The value of the default embedded server keys is readily available in the
.serverfiles instreambase-install-dir/etc -
When reporting connection errors to the console or error logs, StreamBase Server often includes details about the connection it attempted. Those error messages may include the deciphered plain text value of usernames, passwords, and other enciphered parameter values.
-
If the server fails to decipher any enciphered value, it continues to load and run, and reports the error on the console. The decipher failure message includes the still-enciphered value string, plus information to identify the value it was attempting to decipher.
-
If the server fails to decipher an enciphered value that is part of a JDBC
<data-source>specification, then the server still attempts to connect to the database, using the enciphered values for name and password instead of the correct deciphered values. As expected, this results in login failure messages returned from the database. -
The Feed Simulation Editor in Studio allows you to specify a JDBC database as the source of simulated input stream values. The encipherment feature is not supported with feed simulation data source connections.
-
Deciphering enciphered values is only supported for values in the server configuration file, and not for the separate configuration files used by some StreamBase adapters. However, if you can specify the name and password for an adapter's connection by means of operator parameters, then you can encipher those values, as discussed in Using Enciphered Values in Configuration and Deployment Files.