Using Encrypted Configurations
RACE supports encrypted configuration values for sensitive information such as user credentials. To use encryption, follow these steps:
(1) create plain text config file with sensitive data
This is a normal configuration file. The toplevel node has to be "secret {..}", but all other keys can be chosen freely, those will be later-on referenced as config values in the universe configs:
//------ crypt: encrypted configuration values
secret {
swim.user = "gonzo"
swim.pw = "mysupersecretpassword"
...
}
Store this file in the RACE root directory as conf
(2) encrypt file
RACE comes with a CryptConfig
application and a respective wrapper script,
which is executed like this:
> script/encryptconfig conf
When asked, enter a passphrase (and remember - it is not stored anywhere). This
will create a encrypted file conf.crypt
and delete the plain text conf
file.
The encryptconfig
tool also supports a --keep
command line option to keep the
input file. If the option is not specified, the un-encrypted input file will be deleted.
Values in the encrypted file will be double-encrypted and are never stored as plain text during RACE execution
(3) use encryption keys in universe/satellite config values
The keys from step (1) are used as ??
prefixed values in the respective
config files, e.g.
//--- myuniverse.conf : sample universe config
...
user = "??swim.user"
pw = "??swim.pw"
...
(4) run RACE
When executing RACE, use the --vault <path>
option to specify which encrypted config file to use
> ./race --vault conf.crypt config/myuniverse.conf
The system will prompt you for the same pass phrase that was entered in step (1). If the user enters a wrong pass phrase, or takes too long to enter it, RACE will terminate immediately.
NOTE *.crypt
files are not kept in the repository, they are filtered by .gitignore
using keystores
Both encryptconfig
and race
also support the use of a keystore file for vault encryption/decryption,
such as in
> ./race --vault conf.crypt --keystore race.ks --alias mykeyname someconfig.conf
KeyStores can be created with the standard keytool that is distributed with Java, and should have a store type of "JCEKS". Keys used for vault encryption have to be "AES" keys. A sample use would be
> keytool -genseckey -alias mykeyname -keystore race-ks -storetype jceks -keyalg AES -keysize 256
If a keystore is specified, RACE will ask for the keystore password instead of the vault password
typical example
Encrypted configuration is typically used by the PortForwarder
and JMSImportActor
actors in order
to specify access to gateways and JMS servers. This generally works by first establishing a ssh
session to a gateway through which respective ports for JMS servers are forwarded. Both URLs and
credentials for the gateway and JMS server should be protected. As the highest value asset, the
PortForwarder
interactively queries the password for the gateway which is never stored in
the configuration file:
...
{ name = "portMapper"
class = ".actor.PortForwarder"
user = "??gw.user"
host = "??gw.host"
forward = "??gw.forward"
}, ...
{ name = "sfdps-jmsImporter"
class = ".jms.JMSImportActor"
broker-uri = "??swim.uri.sfdps"
user = "??swim.user"
pw = "??swim.pw"
write-to = "/swim/sfdps"
jms-topic = "<jms-topic>"
},...
The respective vault file in clear text looks like this:
gw {
forward="<source-port>:<destination-host>:<destination-port>,..."
host="<gateway-hostname>"
user="<gateway-userid>"
}...
swim {
pw="<jms-password>"
uri {
sfdps="tcp://localhost:<source-port>" // via port forwarding from gateway
...
}
user="<jms-userid>"
}...