...
| Note |
|---|
We strongly recommend that you use the latest version of Java. For versions before Java 1.8.0_151, you must install the JCE Unlimited Strength Jurisdiction Policy files. |
Java Keytool To be moved to the install database section.
To ensure the security of the login details for your phixflow database(s), you must configure:
- a keystore using the Java keytool. The actual username and password for the PhixFlow database are encrypted in the keystore.
phixflow-vault.xmlwith the information about the keystore- optionally, store the keystore password in an environment variable
- record the keystore alias for the database username and password in
phixflow-datasource.xml
I cannot see where the actual username is set?
Create a keystore using java keytool by running the command as
| Code Block |
|---|
keytool -importpass -alias <keyAlias> -keystore <keystoreFileName> -storetype <keytype> |
Where
- <keyAlias> specify the alias e.g. database-dev-build-user) and should be saved as it is used to fetch the secretKey
- <keystoreFileName>: specify the file name of the key store
<keytype> must be either PKCS12 or JCEKS.
For example
| Code Block |
|---|
keytool -importpass -alias name1 -keystore HidePW -storetype PKCS12 |
3. The Keytool prompts you set a password for the keystore file and to confirm it : "Enter Keystore password:" enter the master password for keystore. And re-enter the password.
4,Set the "Enter the password to be stored:" enter the username for database password.
5. Run the keytool command to import password to keystore e.g.
| Code Block |
|---|
keytool -importpass -alias database-prod-build-password -keystore phixflowvault -storetype PKCS12 |
Keytool will propmt to "Enter Keystore password:" which is the masterpassoword for keystore entered in above while importing username to keystore.
Now keytool will prompt for "Enter the passowrd to be stored:" which is the database password for user.
2.Add environment variable with value as keystore password and some variable name(This step can be skipped but then will need to mention masterkeystore password in phixflow-vault.xml see below step).
3.Edit phixflow-vault.xml
The PhixFlow webapp must be configured with phixflow-vault to use encrypted database password in phixflow-datasource.xml.
Edit phixflow-vault.xml and add values for below properties:
vaultType ( This value corresponds to the value we give while creating keystore for parameter -storetype it can be PKCS12 or JCEKS)
vaultUrl (keystore file url)
vaultKey (environment varaible name if we have setup it)
vaultPassword(In case we do not want to setup environment variable in step 2 we can directly provide the master password for keystore here)
4.Edit phixflow-datasource.xml
Make sure to have latest phixflow-datasource.xml
username: <keyAlias> value which we gave while running keytool for username we used in above steps e.g. database-prod-build-user
password: <keyAlias> value which we gave while running keytool for password we used in above stepse.g. database-prod-build-user
Example
PhixFlow database
- User name: db-admin
- password: xyz+123
Keystore file
- path: x/y/z
- name: HidePW
- password: hide-pass9
- type: PKCS12
Keystore contains
- user name: db-admin
- user alias: name1
- user password: xyz+123
- password alias: pw1
Environment Variable
- Name: keypass
- Value: hide-pass9
phixflow-vault.xml
- keystore
phixflow-datasource.xml
- username: name1
- password: pw1
The database user logs in and provides the username name1 and the password pw1.
phixflow-datasource asks phixflow vault where it can find the actual user credentials that match these aliases. PhixFlow vault knows where they are stored (vault url) and how to talk to the stor (vault type) It also has the password, either via vault password or the environment variable.
phixflow-vault.xml requests the actual username and password, which are returned to phixflow-datasource.xml. The actual user name and password are passed to the database, and the user can login.