Overview
To keep the database username and password secure, PhixFlow is configured to use a keystore file. The database account credentials are encrypted and stored here, along with aliases. You can then use the aliases to retrieve each secret username and password from the keystore.
To configure the keystore, you will use the Java keytool -importpass command at the command line.
Keytool Syntax
For reference, here is the full syntax and the values you will need to use. The steps below provide example commands.
| Code Block |
|---|
<keytool> -importpass -alias <keyAlias> -keystore <pathToKeystoreFile> -storetype <keytype> |
...
| Where: | Is | |
|---|---|---|
| Windows command prompt | |
| Windows PowerShell | | |
| Linux | | |
| The alias for a username or password. The phixflow-secret.xml configuration file refers to the After you enter an alias, the keytool The keytool prompts you to enter the corresponding username or password. This is the actual value that the database requires to permit access. | |
| <pathToKeystoreFile> | The full path to the keystore file, for example:
| |
| <keytype> | either Either PKCS12 or JCEKS. | |
| Tip |
|---|
The keytool does not differentiate between the secrets it stores . It so it always prompts for a password, but . Sometimes you may will need to enter a username and others a password. The following instructions state what information explain which you need to enter. |
How to Set up a Keystore
...
| Code Block |
|---|
$JAVA_HOME/bin/keytool -importpass -alias pdbdevphixflow-database-user -keystore /opt/secure/hidden.jks -storetype PKCS12 |
1.2 When prompted, enter a the password you want to use for the keystore file, then re-enter to confirm it.
...
2.2 When prompted, enter the password for the keystore file. This is the same password you assigned to the keystore set in step 1.2. This time the password opens the keystore.
...
| Required? | Property | Value | Example |
|---|---|---|---|
| Required | keystoreType | The type of the keystore, either PKCS12 or JCEKS |
|
| Required | keystoreFile | The path to the keystore. |
|
| Either (recommended) | keystorePassEnvironmentVariable | The name of the environment variable. Use |
|
| Or | keystorePass | The password for the keystore. Use |
|
| Warning |
|---|
On startup, PhixFlow checks that there is one password mechanism, either |
Understanding How PhixFlow Uses A Keystore
...
- phixflow-datasource.xml stores alias credentials for the database. It requests actual credentials from phixflow-secret.xml.
- phixflow-secret.xml asks the keystore for the actual credentials.
- The keystore password is configured as an environment variable This file stores the location of the keystore file and optionally its password (2a in the diagram below).
- Alternatively, phixflow-secret.xml stores the location of the keystore password is configured as an environment variable file and optionally its password (2b in the diagram below)
- The keystore file returns the actual account credentials to phixflow-secret,
- which, in turn, passes the actual credentials to phixflow-datasource.xml.
- phixflow-datasource.xml then uses the actual credentials to log into the database, so that PhixFlow can update it.
This is shown in the diagram below.
Figure 1: How 
How PhixFlow authenticates to its database using a keystore
| Details used in the diagram | ||
|---|---|---|
| Keystore file name | hidden.jks | |
| Keystore password | storepw | |
| Environment variable name | KEY_PASS | |
| Environment variable value (the keystore password) | storepw | |
| PhixFlow database credentials | Username | Password |
| Actual |
| P*59word |
| Alias | phixflow-database-user | phixflow-database-password |
...