How to avoid storing password in Gemfire properties files

Article ID: 294360

Products

VMware Tanzu Gemfire

Issue/Introduction

Gemfire 8.x introduced a password encryption/decryption utility that let you encrypt the plain-text password stored in the Gemfire properties files. This feature was removed as of Gemfire 9.2 because of a security concern (GEODE-1958).

Environment

Product Version: 9.9

Resolution

You can achieve the same result as the previous Gemfire encryption/decryption utility by decrypting the password with an external tool such as OpenSSL and then passing it to gfsh when starting locators or servers, using a parameter like "--J=-Dgemfire....".

The example below is for a Linux/UNIX-based system and uses cluster-ssl-keystore-password:

    #! /bin/sh
    PASSWORD=$([command to decrypt your encrypted password])
    gfsh start server .... "--J=-Dgemfire.cluster-ssl-keystore-password=$PASSWORD" ......

If you choose OpenSSL to encrypt and decrypt your password, follow these steps:
  • create an RSA private key in PEM format (recent ssh-keygen versions otherwise write an OpenSSH-format key that openssl cannot load):
    $ ssh-keygen -t rsa -m PEM
  • create an encrypted password using the private key:
    echo 'password-string' | openssl rsautl -encrypt -inkey ~/.ssh/id_rsa > password.rsa
  • from the start script, decrypt the encrypted password:
    #! /bin/sh
    PASSWORD=$(openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in password.rsa)

    gfsh start server .... "--J=-Dgemfire.cluster-ssl-keystore-password=$PASSWORD" ......
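
The same encrypt/decrypt procedure as a fail-closed script, added here as an example that is not part of the original article. It assumes `openssl pkeyutl` (the replacement for `rsautl`, which OpenSSL 3.0 deprecates), a key made with `openssl genpkey`, and OAEP padding; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article). Function names, file
# names and the OAEP padding choice are assumptions of this sketch.

PAD="-pkeyopt rsa_padding_mode:oaep"  # OAEP: a wrong key or corrupt file is an error

# encrypt_password KEY OUT: the password is read from stdin, so it never
# appears in argv or in shell history.
encrypt_password() {
    openssl pkeyutl -encrypt -inkey "$1" $PAD -out "$2"
}

# decrypt_password KEY IN: prints the password, or returns non-zero.
decrypt_password() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) ;;   # regular file with no group/other access
        *) echo "refusing key $1: missing or accessible to group/others" >&2
           return 1 ;;
    esac
    openssl pkeyutl -decrypt -inkey "$1" $PAD -in "$2" 2>/dev/null
}

# Constructed round trip in a throwaway directory.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/key.pem" 2>/dev/null ) || return 1
    printf '%s' 'constructed-example-password' |
        encrypt_password "$dir/key.pem" "$dir/password.rsa" || return 1
    # Fail closed: never start a member with an empty password.
    PASSWORD=$(decrypt_password "$dir/key.pem" "$dir/password.rsa") &&
        [ -n "$PASSWORD" ] || { rm -rf "$dir"; return 1; }
    # A start script would now run the gfsh line from the article:
    #   gfsh start server .... "--J=-Dgemfire.cluster-ssl-keystore-password=$PASSWORD" ......
    echo "decrypted ${#PASSWORD} characters"
    rm -rf "$dir"
}
demo
```

A value passed with --J=-D stays visible in the host's process list for as long as the member runs, so access to the machine and to the private key file still has to be restricted.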