Password Encryption

Overview

openLooKeng manages configuration details in the properties files of catalogs. These files may need to include values such as usernames, passwords and other strings; a password usually has to be kept secret and cannot be stored as plaintext. Here is a typical configuration file of a MySQL connector:

connector.name=mysql
connection-url=jdbc:mysql://localhost:3306
connection-user=root
connection-password=123456

openLooKeng can be configured to enable password encryption, so that these passwords are stored encrypted.

Principle

The asymmetric encryption algorithm RSA is used for encrypting passwords.


  • Public Key: for encryption; the client uses the public key to encrypt the plaintext.
  • Private Key: for decryption; the server stores the private key in a keystore file on the filesystem and uses it to decrypt the ciphertext.

The user keeps the public key and gives the private key to openLooKeng, which uses it to decrypt the ciphertext.

The suggested RSA key size is 3072 bits; the minimum is 2048 bits.

Configuration

To enable password encryption, add these properties to etc/config.properties:

security.password.decryption-type=RSA
security.key.manager-type=keystore
security.key.keystore-password=my-keystore-pwd
security.key.store-file-path=/openlookeng/keystore/keystore.jks
Property                                  Description
security.password.decryption-type         The type of password decryption. Should be set to NONE or RSA.
security.key.manager-type                 The type of storage for the password decryption key. Should be set to keystore.
security.key.keystore-password            The password of the keystore.
security.key.cipher-transformations       The transformation passed to Cipher.getInstance(transformations). The default value is 'RSA/ECB/OAEPWITHSHA256AndMGF1Padding'.
security.key.store-file-path              The filesystem path of the keystore file.

Use Case

Case 1. Create RSA key pair

You can use keytool to create a keystore, extract the Public Key from the keystore, and use openssl to encrypt data with the Public Key. The private key is then sent to the openLooKeng server through the RESTful API.

1. create a keystore; you have to use pkcs12:
keytool -genkeypair -alias alias -dname cn=openlookeng -validity 365 -keyalg RSA -keysize 2048 -keypass openlookeng -storetype jks -keystore keystore.jks -storepass openlookeng -deststoretype pkcs12

2. get the Public Key from the keystore and copy it into the file pub.key:
keytool -list -rfc -keystore keystore.jks -storepass openlookeng | openssl x509 -inform pem -pubkey

3. use openssl to encrypt the data with RSA/ECB/OAEPWITHSHA256AndMGF1Padding using the Public Key:
openssl pkeyutl -encrypt -in data.txt -out result.en -pubin -inkey pub.key -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:SHA256 -pkeyopt rsa_mgf1_md:SHA256

4. get readable encrypted data with base64:
cat result.en | base64
base64 wraps its output into several lines; delete the '\n' at the end of each line so the encrypted data becomes a single line. That single line is the final encrypted content.

5. export the private key:
keytool -v -importkeystore -srckeystore keystore.jks -srcstoretype jks -srcstorepass openlookeng -destkeystore server.pfx -deststoretype pkcs12 -deststorepass openlookeng -destkeypass openlookeng
openssl pkcs12 -in server.pfx -nocerts -nodes -out private.key

The content of private.key is the private key.

6. import the key pairs of static catalogs into keystore.jks (keystore.jks is the file named by security.key.store-file-path):
Assume the name of the static catalog is mysql001. The public key used to encrypt its data comes from keystore001.jks, whose alias must be the same as the name of the static catalog, so keystore001.jks has to be imported into keystore.jks.
You can use the commands below:
keytool -v -importkeystore -srckeystore keystore001.jks -srcstoretype jks -srcstorepass openlookeng -destkeystore server.p12 -deststoretype pkcs12 -deststorepass openlookeng -destkeypass openlookeng
keytool -importkeystore -deststorepass openlookeng -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass openlookeng -alias mysql001
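The following script is an added example, not part of the openLooKeng documentation. It reproduces steps 3 to 5 with openssl only and closes the loop by decrypting the result the way the server will, so a ciphertext can be verified before it is pasted into a catalog file. It assumes openssl 1.1 or later on PATH and, as a substitute for the keytool step, generates the 3072-bit RSA key pair with openssl genpkey.

```shell
#!/bin/sh
# Added example (not from the openLooKeng docs). Assumption: openssl 1.1+ is on PATH.
# Key generation uses `openssl genpkey` instead of keytool; the resulting key pair is
# an ordinary RSA key pair, which is all the OAEP encryption below depends on.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 substitute: 3072-bit RSA key pair (the size the docs recommend).
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORK/private.key" 2>/dev/null
    openssl pkey -in "$WORK/private.key" -pubout -out "$WORK/pub.key"
}

# Steps 3-4: OAEP with SHA-256 and MGF1-SHA-256 (the default cipher transformation),
# then base64 on a single line. `tr -d '\n'` is the "delete the '\n'" step; printf
# without a trailing newline avoids encrypting "password\n" instead of "password".
encrypt_password() {
    printf '%s' "$1" \
        | openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.key" \
            -pkeyopt rsa_padding_mode:oaep \
            -pkeyopt rsa_oaep_md:SHA256 -pkeyopt rsa_mgf1_md:SHA256 \
        | base64 | tr -d '\n'
}

# What the server does under security.password.decryption-type=RSA: base64-decode
# the property value and decrypt it with the private key using the same OAEP parameters.
decrypt_password() {
    printf '%s' "$1" | base64 -d \
        | openssl pkeyutl -decrypt -inkey "$WORK/private.key" \
            -pkeyopt rsa_padding_mode:oaep \
            -pkeyopt rsa_oaep_md:SHA256 -pkeyopt rsa_mgf1_md:SHA256
}

# Round trip for a constructed sample password; prints the recovered plaintext.
roundtrip() {
    gen_keys
    ct=$(encrypt_password "$1")
    decrypt_password "$ct"
}
```

Run `roundtrip 123456` to see the plaintext come back; `encrypt_password` alone prints the one-line value to place in connection-password.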

Case 2. Dynamic Catalog

An HTTP request has the following shape (MySQL connector as an example):

request: POST/PUT
header: 'X-Presto-User: admin'
form: '
    catalogInformation={
        "catalogName":"mysql",
        "connectorName":"mysql",
        "securityKey":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1Z4yap2cI1u6zg/R8vTcltOy8xxeOt/VG0xEArud+c5rI9h2kWy8Uo7hTFN/JapVDENT17fEzd+SqrlvcmD8ceDH07+OW2RRGcQjR0GKpKGSmubEHdH01xzpuQ1+m83B84Ir5eqcWx6QIwBPQsqqjeNpHhYdJLMpSrX1V+c7UUQIDAQAB",
        "properties":{
            "connection-url":"jdbc:mysql://localhost:3306",
            "connection-user":"root",
            "connection-password":"iRSxl1KNY06d34JGLooey0re4akzr+iJlTz1eCK1hEq8aYaX1SlzANCF7KTq6o2cF71OjINGvNjR0DXRed6gu3QYODw1Src0wiY0OvO9xfcffVt2rFvM/o238MJz1yhIcPn1BrrEgW5qVjzbbvzkS/fX+pTDqKNGAd3qefDLCuc=",
            "encrypted-properties":"connection-password",
        }
    }
'
  • securityKey: The private key.
  • connection-password: The ciphertext obtained by encrypting the password with the public key; the server decrypts it with securityKey.
  • encrypted-properties: The names of the properties that are encrypted.

See the dynamic catalog documentation for more information.
