Overview
PhixFlow uses a Java keystore and associated secret service for data that needs to be secure. When PhixFlow is installed, the keystore is created and the username and password for the PhixFlow database are added. The instructions for this are in Configure a Keystore for Database Credentials.
Additional details that we recommend you store in the keystore are:
- a pepper key used to encrypt local user passwords
- where external authorisation is required, usernames and passwords for:
You can then use an alias or key to retrieve the data from the keystore.
Adding Data to the Keystore
To add data to the keystore, use the Java keytool -importpass line command. From a command prompt:
- Enter the
-importpasscommand, specifying an alias/key. - When the keytool prompts, enter the keystore's password.
- When the keytool prompts again for a "password", enter the data, usually a user name or password.
For example:
- The keystore is called
secret.jks... what's our default called ... - The keystore password is
secretpass - The datasource instance details you want to store are:
- username
sqluser, wth the keydb1 - password
x34!2axfwith the keydb1pass
- username
Windows example:
Pepperkye
If you have local users you also need to set up a Pepperkey
Wikipedia article on Pepper Encrytption
Datasource instances or email
todo
Keytool Syntax
For reference, here is the keytool command syntax.
<keytool> -importpass -alias <key> -keystore <file> -storetype <type>
| Where: | Is | |
|---|---|---|
| Windows command prompt | |
| Windows PowerShell | | |
| Linux | | |
| The alias/key for a username or password. After you enter an alias, the keytool prompts you to enter the corresponding data, usually a username or password. | |
| <file> | The full path to the keystore file, for example:
| |
| <keytype> | PKCS12 (recommended) or JCEKS. | |
The keytool does not differentiate between the secrets it stores so it always prompts for a "password". Sometimes you will need to enter a username and others a password.
Understanding How PhixFlow Uses A Keystore
This section illustrates how PhixFlow uses a keystore to access its own database.
When PhixFlow is running, it provides the account credentials to its database as follows:
- phixflow-datasource.xml stores alias credentials for the database. It requests actual credentials from phixflow-secret.xml.
- phixflow-secret.xml asks the keystore for the actual credentials.
- The keystore password is configured as an environment variable This file stores the location of the keystore file and optionally its password (2a in the diagram below).
- Alternatively, phixflow-secret.xml stores the location of the keystore file and optionally its password (2b in the diagram below)
- The keystore file returns the actual account credentials to phixflow-secret
- which, in turn, passes the actual credentials to phixflow-datasource.xml.
- phixflow-datasource.xml then uses the actual credentials to log into the database, so that PhixFlow can update it.
This is shown in the diagram below.
How PhixFlow authenticates to its database using a keystore
| Details used in the diagram | ||
|---|---|---|
| Keystore file name | hidden.jks | |
| Keystore password | storepw | |
| Environment variable name | KEY_PASS | |
| Environment variable value (the keystore password) | storepw | |
| PhixFlow database credentials | Username | Password |
| Actual |
| P*59word |
| Alias | phixflow-database-user | phixflow-database-password |