
Hitachi Vantara Lumada and Pentaho Documentation

AES security


There are two ways to secure passwords in PDI: Kettle obfuscation or Advanced Encryption Standard (AES). Kettle obfuscation is applied by default, or you can use AES to increase security. The password security method you choose is applied to all passwords including those in database connections, transformation steps, and job entries.

To learn more about AES, see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard.

Note: If you switch password security methods, all existing passwords will also use the new method.

Install the Java Cryptography Extension (JCE)

To use 192-bit or 256-bit encryption strengths, you must install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files. If you only want to use 128-bit encryption, proceed to Create an AES key file.
Note: Country restrictions may apply when using higher encryption strengths. To learn more about the JCE, see the Oracle site.

Procedure

  1. Back up the files in your lib/security folder for the instance of Java that your instance of Pentaho is using. The exact location of the folder depends on whether you are pointing to a standalone version of the JDK or JRE, or whether you are using the version of Java that is bundled with the Wizard.

    • Wizard: <pentaho installation directory>/java/lib/security
    • JDK: <java jdk installation directory>/jre/lib/security
    • JRE: <java jre installation directory>/lib/security
  2. Download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from the Oracle website.

    Make sure that you download the version of the JCE that corresponds with your Java version. For example, if you are using Java 8, download JCE 8. See the Components Reference for the version of Java that Pentaho supports.
  3. Stop the server.

  4. Unzip the JCE files and copy the local_policy.jar and US_export_policy.jar files into the lib/security folder.

  5. Restart the server.

  6. Create the AES key file.

Create an AES key file

The key file is a text file that contains the encryption key.

Procedure

  1. Create a text file that contains a key phrase, such as !@ExampleKey#123.

    Leading and trailing white spaces are ignored.
  2. Save and close the file.

    Note: Safeguard the key file. If the key file becomes corrupted or lost, passwords cannot be decrypted.

Specify AES variables in kettle.properties

Set AES-specific variables in the kettle.properties file for Spoon, the Pentaho Server, and any clusters.

Procedure

  1. Open the kettle.properties file for Spoon. By default, the kettle.properties file is in the user’s home directory.

  2. Add the following variables and values.

    Variable: KETTLE_PASSWORD_ENCODER_PLUGIN (Required)
    Description: Indicates the type of plugin used.
    Value: AES

    Variable: KETTLE_AES_KEY_FILE (Required)
    Description: Indicates the path to the key file.
    Value: Path to the key file. Relative paths are resolved against the Kettle working directory, NOT the location of the kettle.properties file. Example: c:/securearea/keyfile.txt

    Variable: KETTLE_AES_KETTLE_PASSWORD_HANDLING (Optional)
    Description: Maintain backwards compatibility by setting this variable to Decode. If this is not set, Kettle-encoded passwords are not decoded.
    Value: DECODE
  3. Save and close the kettle.properties file.

  4. Repeat this process for other kettle.properties files on the Pentaho Server and cluster nodes.

  5. You might need to stop and restart Spoon, Pentaho Server, and the cluster nodes for the kettle.properties file to take effect.

Verify correct application

After you have applied AES password encryption, test to make sure it works properly:

Procedure

  1. Start Spoon.

  2. Create a blank transformation.

  3. Add a database connection that requires a password.

  4. Save, then close the transformation.

  5. Use a text editor to open the transformation you just saved, then search for the name of the connection you created.

  6. Examine the password.

    If the password is preceded by the letters AES, the encryption was applied correctly.
  7. Close the transformation.
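As an added example (not Pentaho's own tooling), the following script applies the step 6 check to every database connection in a saved transformation file rather than to one connection by hand. It assumes, as described above, that an AES-encoded password starts with "AES", and additionally assumes that a Kettle-obfuscated password starts with "Encrypted" (the default encoder's prefix, not stated on this page); the sample .ktr is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal .ktr fragment with three connections. Only the
# <connection> elements matter for this check; a real file has many more tags.
SAMPLE_KTR = """<?xml version="1.0" encoding="UTF-8"?>
<transformation>
  <info><name>aes_check</name></info>
  <connection>
    <name>warehouse_aes</name>
    <username>etl</username>
    <password>AES 0123456789abcdef0123456789abcdef</password>
  </connection>
  <connection>
    <name>legacy_obfuscated</name>
    <username>etl</username>
    <password>Encrypted 2be98afc86aa7f2e4cb79ce10df90acde</password>
  </connection>
  <connection>
    <name>oops_plaintext</name>
    <username>etl</username>
    <password>hunter2</password>
  </connection>
</transformation>
"""

def classify_password(value):
    """Map a stored password string to the encoder that produced it.
    "AES" is the prefix the page describes; "Encrypted" is assumed to be the
    Kettle obfuscation prefix. Anything else is treated as plaintext."""
    if value is None:
        return "empty"
    value = value.strip()
    if value.startswith("AES"):
        return "aes"
    if value.startswith("Encrypted"):
        return "kettle_obfuscation"
    return "plaintext"

def audit_connections(ktr_xml):
    """Return {connection name: encoder} for every <connection> in a .ktr."""
    root = ET.fromstring(ktr_xml)
    result = {}
    for conn in root.iter("connection"):
        name = conn.findtext("name", default="<unnamed>")
        result[name] = classify_password(conn.findtext("password"))
    return result

def not_aes(ktr_xml):
    """Names of connections that fail the 'preceded by AES' check."""
    return sorted(n for n, e in audit_connections(ktr_xml).items() if e != "aes")
```

Run it against a transformation saved after the kettle.properties change; any name returned by not_aes means that connection's password was not re-encoded with AES.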