Security Considerations
Encrypting Passwords
The HAC configuration file typically includes database and HAC credentials. Encrypting the passwords means they do not have to be stored in configuration files in plain-text format.
solidDB provides three alternative ways to do this.
1 Automatic encryption
Users can write plain-text passwords to solidhac.ini and leave HAController.AutoEncryptPasswords=Yes (default). When HAC starts, it automatically reads the plain-text passwords, encrypts them, and overwrites the plain-text passwords in solidhac.ini with the encrypted ones.
2 One-time encryption
Users can write plain-text passwords to solidhac.ini and run
solidhac -x encrypt-and-exit
which only reads plain-text passwords, encrypts them, overwrites plain-text passwords in solidhac.ini with encrypted ones and exits.
Next, the user can start solidhac normally. HAC reads the configuration file, finds and reads encrypted passwords, and decrypts them in memory to be used in database connections.
3 Manual encryption
Encrypt a plain-text password and copy it to solidhac.ini. The user can encrypt a plain-text password with solidhac as follows:
solidhac -x encrypt:<plain-text pwd>
which prints the corresponding encrypted version of the password to the screen and exits. The encrypted password can then be copied to solidhac.ini.
HAC supports these options:
By default the password parameters in solidhac.ini, Password, DBPassword, and ApplicationConnTestPassword, will be encrypted when HAC starts, replacing the plain text information in solidhac.ini. This can be disabled by setting HAController.AutoEncryptPasswords=No.
HAC started with the command line option "-x executeandexit" will encrypt the passwords and exit. This way solidhac.ini will not need changing later when HAC is started.
HAC started with the command line option "-x encrypt:PASSWORD" will encrypt PASSWORD, print it to stdout (the terminal by default) and exit. This encrypted password can then be put in solidhac.ini manually.
solidDB server supports these options:
By starting solid with the command line options "-x encryptandexit" and "-x pwdfile:PWDFILE", solid will encrypt the password in PWDFILE and exit.
The solid command line options "-P", "-x pwdfile" and "-x keypwdfile" can all handle encrypted passwords.
Any encrypted password has an "encrypted:" prefix followed by the data. A "plain:" prefix is also supported and designates that the password has not been encrypted.
Note: HAC can only use passwords that HAC has encrypted, and solid can only use passwords that solid has encrypted. HAC encrypted passwords start with "0h" and solid passwords with "0s".
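The following added example (not part of the solidDB documentation or product) audits a solidhac.ini body for the three password parameters named above and reports any that are stored in plain text or were encrypted by solid rather than HAC. It assumes that the "0h"/"0s" marker opens the data after the "encrypted:" prefix and that a value without a prefix is plain text; the sample file contents and all section names other than HAController are constructed.

```python
import configparser

# Password parameters named on this page; matched case-insensitively in any section.
PASSWORD_KEYS = {"password", "dbpassword", "applicationconntestpassword"}

def classify(value):
    """Classify one password value by the prefixes the page describes."""
    v = value.strip()
    if v.startswith("encrypted:"):
        data = v[len("encrypted:"):]
        # Assumption: the tool marker ("0h" HAC, "0s" solid) opens the data part.
        if data.startswith("0h"):
            return "encrypted-hac"
        if data.startswith("0s"):
            return "encrypted-solid"
        return "encrypted-unknown"
    # "plain:" marks an unencrypted password; a value with no prefix is
    # treated the same way (assumption).
    return "plaintext"

def audit_hac_ini(text):
    """Return (section, key, status) for every password HAC could not use as stored."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() not in PASSWORD_KEYS:
                continue
            status = classify(value)
            if status != "encrypted-hac":  # HAC can only use passwords it encrypted
                findings.append((section, key, status))
    return findings

# Constructed sample; section names other than HAController are assumptions.
SAMPLE = """\
[HAController]
AutoEncryptPasswords=No
Password=encrypted:0hEXAMPLEDATA
[LocalDB]
DBPassword=plain:dba
[Hypothetical]
ApplicationConnTestPassword=encrypted:0sEXAMPLEDATA
"""

if __name__ == "__main__":
    for finding in audit_hac_ini(SAMPLE):
        print(finding)
```

A check like this is most useful where HAController.AutoEncryptPasswords=No is set, since HAC will then leave plain-text values in the file.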