Passwords, mostly configured in Metadata by users, are encrypted so that they do not appear in clear text in delivery files or logs, for instance.
The key used by a Stambia DI Runtime to encrypt or decrypt passwords can be customized in configuration files.
This article demonstrates how to configure the Stambia DI Runtime to change it.
This article is dedicated to Stambia DI S20 and higher.
Please refer to this article if you are using Stambia DI S17, S18 or S19.
Limitations
At the moment the key can be changed in Stambia DI Runtime only.
Stambia DI Designer and Stambia DI Production Analytics do not yet support generating deliveries using a custom key.
When the password ciphering key is changed in the Stambia DI Runtime, you must produce your deliveries using the builddelivery.bat / builddelivery.sh scripts.
The idea is to generate the package from the Stambia DI Designer, extract the configuration with the builddelivery.bat / builddelivery.sh scripts, specify the newly encrypted password in it, and build the delivery with this configuration.
To generate the newly encrypted password, connect to the Stambia DI Runtime and use the "encrypt" command (see the reference documentation for further information about using commands in the Stambia DI Runtime).
About the keys
The custom key that will replace the default one must be placed inside a Java keystore. This key must be generated as follows:
keytool -genkey -alias <dummykey> -keystore "<path to keystore>/<keystore file name>.jks"
The keystore must then be specified in the Stambia DI Runtime as explained in the following article.
Changing the key for password ciphering is then as simple as defining which of the specified keys should be used for it.
Configuration
The "globalPasswordCipheringKeyName" parameter defines a custom key for password encryption in the Runtime.
When the keystores are defined, simply uncomment the following parameter to customize the key used for password ciphering.
<parameters>
  <...>
  <engineParameters>
    <...>
    <parameter name="globalPasswordCipheringKeyName" value="runtimekey"/>
    <...>
  </engineParameters>
  <...>
</parameters>
On versions prior to Stambia DI 20.3, this parameter was named "passwordCipheringKeyName". If you are using a prior version, please use this name instead.
A parameter called "deliveryPasswordCipheringKeyName" lets you define a key that is used only for delivery passwords: it is applied only when encrypting or decrypting passwords for deliveries.
<parameters>
  <...>
  <engineParameters>
    <...>
    <parameter name="deliveryPasswordCipheringKeyName" value="runtimekey"/>
    <...>
  </engineParameters>
  <...>
</parameters>
Prerequisites:
- Stambia DI Runtime S20.3 or higher
Example of corresponding keystore configuration:
<keystores>
  <keystore path="D:/keystores/keystore.jks" password="password" type="JKS">
    <key name="runtimekey" alias="key01" password="password"/>
  </keystore>
</keystores>
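
A pre-deployment consistency check for the configuration described above, as an added example that is not part of the original article or of Stambia's own tooling: it verifies that every ciphering-key parameter refers to a key name declared in a keystore. The two XML fragments are constructed samples modelled on the snippets above, and "deliverykey" is a hypothetical key name used to show an unresolved reference.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments modelled on the snippets in this article.
ENGINE_XML = """<parameters><engineParameters>
  <parameter name="globalPasswordCipheringKeyName" value="runtimekey"/>
  <parameter name="deliveryPasswordCipheringKeyName" value="deliverykey"/>
</engineParameters></parameters>"""

KEYSTORES_XML = """<keystores>
  <keystore path="D:/keystores/keystore.jks" password="password" type="JKS">
    <key name="runtimekey" alias="key01" password="password"/>
  </keystore>
</keystores>"""

# Parameter names taken from the article; the first is the pre-20.3 name.
KEY_PARAMS = ("passwordCipheringKeyName",
              "globalPasswordCipheringKeyName",
              "deliveryPasswordCipheringKeyName")


def declared_keys(keystores_xml):
    """Map each declared key name to the path of the keystore that holds it."""
    root = ET.fromstring(keystores_xml)
    return {key.get("name"): ks.get("path")
            for ks in root.iter("keystore") for key in ks.iter("key")}


def check_ciphering_keys(engine_xml, keystores_xml):
    """Return findings; an empty list means every key reference resolves.

    Parameters that are still commented out are skipped, because the XML
    parser drops comments.
    """
    keys = declared_keys(keystores_xml)
    findings = []
    for param in ET.fromstring(engine_xml).iter("parameter"):
        name, value = param.get("name"), param.get("value")
        if name in KEY_PARAMS and value not in keys:
            findings.append(f"{name}: key '{value}' is not declared in any keystore")
    return findings


if __name__ == "__main__":
    results = check_ciphering_keys(ENGINE_XML, KEYSTORES_XML)
    for line in results or ["all key references resolve"]:
        print(line)
```
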