Details
Task
Resolution: Done
Major - P3
Description
NOTE: Please make this change in both "master" and the "1.2" branch.
Currently, this section says:
--------
Unfortunately, this does require the plaintext credentials be in the clear, however following standard practice you may reduce the permissions of the configuration file:
--------------
That's no longer true.
It is now possible to encrypt the authentication credentials as follows:
cd <install_dir>
bin/credentialstool --username USERNAME --password
<enter the password>
<see output which contains encrypted credential pair>
Please copy this credential pair into the MongoURI connection strings of
your [install-dir]/conf/conf-mms.properties where needed. Additionally,
for each MongoURI connection string using encrypted credentials, please
add the following configuration option which will indicate to MMS that
the credentials are set as encrypted tokens:
mongo.[database-name-here].encryptedCredentials=true
E.g.,
mongo.mmsdb.mongoUri=mongodb://ENCRYPTEDUSERNAME:ENCRYPTEDPASSWORD@127.0.0.1:27017/?maxPoolSize=60&connectTimeoutMS=10000&socketTimeoutMS=10000&waitQueueTimeoutMS=10000
mongo.mmsdb.encryptedCredentials=true
Please also be sure to adjust the following two properties:
distributed.lock.mongoUri
app.mongoUri.systemRrd1
and add
distributed.lock.encryptedCredentials=true
app.encryptedCredentials=true
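
An added example, not part of the ticket or of MMS itself: a small check that every MongoURI property carrying credentials in conf-mms.properties has its matching encryptedCredentials=true option. The sample file is constructed, the rule for deriving the flag name is inferred from the three property pairs above, and the check cannot tell an encrypted token from a plaintext credential.

```python
import re

# Constructed sample; property names follow the ones quoted in the ticket.
SAMPLE = """\
mongo.mmsdb.mongoUri=mongodb://ENCRYPTEDUSERNAME:ENCRYPTEDPASSWORD@127.0.0.1:27017/?maxPoolSize=60
mongo.mmsdb.encryptedCredentials=true
distributed.lock.mongoUri=mongodb://ENCRYPTEDUSERNAME:ENCRYPTEDPASSWORD@127.0.0.1:27017/
app.mongoUri.systemRrd1=mongodb://127.0.0.1:27017/
app.encryptedCredentials=true
"""

# Assumption: the flag key is the part before ".mongoUri" plus ".encryptedCredentials".
URI_KEY = re.compile(r"^(?P<prefix>.+?)\.mongoUri(?:\..+)?$")
USERINFO = re.compile(r"^mongodb://[^/@]+@")  # user:password@ before the host


def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return (uri_key, message) pairs where URI and flag disagree."""
    props = parse_properties(text)
    findings = []
    for key, uri in sorted(props.items()):
        m = URI_KEY.match(key)
        if not m:
            continue
        flag_key = m.group("prefix") + ".encryptedCredentials"
        flagged = props.get(flag_key, "").lower() == "true"
        has_creds = bool(USERINFO.match(uri))
        if has_creds and not flagged:
            findings.append((key, f"credentials present but {flag_key}=true is missing"))
        elif flagged and not has_creds:
            findings.append((key, f"{flag_key}=true but the URI has no credentials"))
    return findings


if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```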