You are viewing the RapidMiner Server documentation for version 9.0.
Securing the passwords in standalone.xml
By default, the passwords in standalone.xml, the JBoss configuration file located in the RapidMiner Server home directory, are saved as plaintext. To secure these passwords, you must take additional steps, described below.
The standard vault solution provided by JBoss encrypts passwords using a private key and stores them in a secure vault file. The vault tool can be found at the following location:
<RapidMiner Server installation path>/bin/vault.sh (Linux)
<RapidMiner Server installation path>/bin/vault.bat (Windows)
If you use Java 8 update 171 or higher, you need to adjust your vault and standalone.conf files before you can store credentials, because the keystore for JCEKS was modified in the recent version.
Adjust the last line of vault.bat to the following:
"%JAVA%" -jar "-Djboss.modules.system.pkgs=com.sun.crypto.provider" "%JBOSS_HOME%\jboss-modules.jar" -mp "%MODULEPATH%" org.jboss.as.vault-tool %*
eval line at the end of the
Add JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=com.sun.crypto.provider" to the end of <RapidMiner Server installation path>/bin/standalone.conf
Create a Java keystore
To encrypt the passwords, the first step is to create a Java keystore to store the encryption key. The key will then be used to encrypt the vault. We’ll use the keytool command located in your $JAVA_HOME/bin folder. You can use the following command:
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -keystore /root/securefolder/vault.jks -storepass rapidminer -keypass rapidminer -dname "CN=MyName, OU=MyTeam, O=MyOrganization, L=MyLocation, ST=MyCity, C=US"
Please note that:
storetype should be "jceks".
keystore, set to /root/securefolder/vault.jks in the example above, is any file name in a path that is accessible to the user running RapidMiner Server.
storepass and keypass must be the same, because the vault tool requires it.
keysize should be 128 bits if the Java Cryptography Extension (JCE) is not installed. Alternatively, you can install the JCE and use 256 bits.
alias is an arbitrary word, set to "vault" in the example. It identifies the private key entry in the keystore that is used for the encryption.
The dname parameter contains organizational data like name, location, city, country, etc.
Use the Vault Tool scripts to store a password in the vault
Once we have the private key, we can create the vault (the encrypted password database) using the command line tool (vault.bat). The execution is interactive and it will request the location of the keystore (the path /root/securefolder/vault.jks in the example above), the alias (“vault” in our example), its password, and a folder where the vault file will be stored. After providing this data, you can manage the passwords.
It’s also possible to create the vault and add a password in a non-interactive way:
bin/vault.sh -k /root/securefolder/vault.jks -p passwordForTheVault -e /root/securefolder -i 50 -s 12345678 -v vault -b blockName -a attributeName -x thisIsThePassword
The -s parameter is a “salt” (a seed) needed for the encryption and -v is the alias. The block and the attribute will later identify your password.
During the creation of the vault, you will get configuration fragments like this:
Please take note of the following:
Masked Password: MASK-1v6/ARucwcWaCt1l2FkYSH
salt:12345678
Iteration Count:50

Please take note of the following:
Vault Block:blockName
Attribute Name:mysql
Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0L
Configuration should be done as follows:
VAULT::blockName::mysql::N2NhZDYzOTMtNWE0OS00ZGQ0L
Copy the output to the standalone.xml file
The output should be copied into the standalone.xml configuration file (<home directory>/configuration/standalone.xml) in the following way:
Every time a password is required in standalone.xml, you should replace it by a token such as the one that appears above, as follows:
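An added check, not part of the RapidMiner or JBoss documentation: after the replacement, this script walks a standalone.xml and reports every password element or attribute that still holds plaintext instead of a VAULT token or a MASK- value. The sample XML is constructed, and the `${...}` wrapper around the token is an assumption about how the token appears inside standalone.xml.

```python
import re
import xml.etree.ElementTree as ET

# Protected forms: the VAULT:: token and the MASK- value printed by the vault
# tool. Assumption: the token is wrapped as ${...} inside standalone.xml.
PROTECTED = re.compile(r"^(\$\{VAULT::[^:}]+::[^:}]+::[^:}]+\}|MASK-\S+)$")
SENSITIVE = re.compile(r"password$", re.IGNORECASE)

# Constructed sample, loosely shaped like a JBoss configuration (not from the page).
SAMPLE = """<server xmlns="urn:example:constructed">
  <vault>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-1v6/ARucwcWaCt1l2FkYSH"/>
  </vault>
  <datasource jndi-name="java:/ds1">
    <security><password>${VAULT::blockName::mysql::N2NhZDYzOTMtNWE0OS00ZGQ0L}</password></security>
  </datasource>
  <datasource jndi-name="java:/ds2">
    <security><password>thisIsThePassword</password></security>
  </datasource>
  <ssl key-alias="server" password="changeit"/>
</server>"""

def local(name):
    """Strip an XML namespace: '{urn:x}password' -> 'password'."""
    return name.rsplit("}", 1)[-1]

def find_plaintext_passwords(xml_text):
    """Return (path, field) pairs for password fields that still hold plaintext."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{local(elem.tag)}"
        text = (elem.text or "").strip()
        if SENSITIVE.search(local(elem.tag)) and text and not PROTECTED.match(text):
            findings.append((here, local(elem.tag)))
        for attr, value in elem.attrib.items():
            # <... name="KEYSTORE_PASSWORD" value="..."/>: the name attribute labels the value
            label = elem.get("name", "") if attr == "value" else local(attr)
            if SENSITIVE.search(label) and value and not PROTECTED.match(value.strip()):
                findings.append((here, label))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for path, field in find_plaintext_passwords(SAMPLE):
        print(f"plaintext {field} at {path}")
```

To audit a real installation, pass the contents of <home directory>/configuration/standalone.xml to find_plaintext_passwords; an empty result means every password field it recognises holds a vault token or masked value.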