Pentaho Documentation

Use password encryption with Pentaho

This article is for IT administrators who have permission to modify files on the server and to stop and start the server. Perform these tasks when you want to enhance your company's security by encrypting the passwords that are currently stored as plain text in configuration files, for example, to meet specific server security levels for regulatory compliance.

Important: These tasks are only for users who have a Pentaho 9.1 installation on their machines. If you upgraded from version 9.0, you must perform the additional tasks located in Post-upgrade tasks before encrypting your passwords.

As a best practice, stop the server before modifying configuration files, then start the server when finished. After you have configured a Pentaho product to use encrypted passwords, all logins with the Pentaho product will use the encrypted passwords. Connect to any databases that were edited to ensure all changes are correct.

Encrypted passwords are supported for the following applications:

You can also use encrypted passwords with JDBC security. See Switch to JDBC security.

Encrypting a password

Perform the following steps on the machine with the Pentaho Server to create an encrypted password.

Procedure

  1. Stop the server.

  2. At the command line, navigate to the server/pentaho-server directory.

  3. Run the encr.bat command for Windows or the encr.sh command for Linux as shown in the example below:

    encr -kettle <password>

    An encrypted password is created and displays in the console window.

    Note: You must have a JRE or JDK installed to run this command.

  4. Restart the server and verify that the password is now using encrypted values.

Using encrypted passwords with Pentaho products

How you apply an encrypted password depends on which Pentaho product is in use.

Encrypted passwords with Pentaho Data Integration

Perform the following steps to use an encrypted password with Pentaho Data Integration (PDI).

Procedure

  1. Stop the server.

  2. Navigate to the design-tools/data-integration/simple-jndi directory.

  3. Open the jdbc.properties file with any text editor.

  4. Replace all instances of the password value with the encrypted password.

  5. Save and close the file.

  6. Restart the server and verify that all passwords are now using encrypted values.

Results

After you have configured an application to use encrypted passwords, all logins with the Pentaho application will use the encrypted passwords.

Next steps

Connect to any databases that were edited to ensure all changes are operating correctly.

Encrypted passwords with the Pentaho User Console

Perform the following steps to use an encrypted password with the Pentaho User Console (PUC).

Procedure

  1. Stop the server.

  2. Navigate to the server/pentaho-server/tomcat/webapps/pentaho/META-INF directory.

  3. Open the context.xml file in any text editor.

  4. Replace the password value in every Resource element with the encrypted password.

  5. Save and close the file.

  6. Restart the server and verify that all passwords are now using encrypted values.

Results

After you have configured an application to use encrypted passwords, all logins with the Pentaho application will use the encrypted passwords.

Next steps

Connect to any databases that were edited to ensure all changes are operating correctly.

Encrypted passwords with PUC email

After you have configured the Pentaho User Console (PUC) with an encrypted password, you can use that password with PUC email.

Perform the following steps to use an encrypted password with PUC’s email.

Procedure

  1. Log in to PUC as an administrator.

  2. Open the Administration Perspective and click the Mail server section.

  3. Enter your encrypted password value in the password field.

    Note: If you use Gmail, the "allow less secure apps to access your account" option should be enabled.

  4. Click Test Email Configuration.

  5. Verify that an email was sent to the address you specified.

Encrypted passwords with the Pentaho Aggregation Designer

To use encrypted passwords with Pentaho Aggregation Designer, you must first centralize your passwords in a jndi.properties file.

Perform the following steps to use an encrypted password with the Pentaho Aggregation Designer.

Procedure

  1. Stop the server.

  2. Create a jndi.properties file to set the default properties using the following code:

    java.naming.factory.initial=org.osjava.sj.SimpleContextFactory
    org.osjava.sj.root=file://C:/Users/<username>/.pentaho/simple-jndi
    org.osjava.sj.delimiter=/
    
  3. Save the jndi.properties file in the design-tools/aggregation-designer/lib directory and close the file.

  4. In the user’s home directory, navigate to the .pentaho/simple-jndi directory and open the default.properties file with any text editor.

    1. If you do not have a default.properties file in the <user_HOME_folder>.pentaho/simple-jndi directory, then create a simple-jndi directory in the design-tools/aggregation-designer directory and create a default.properties file in that directory.

    2. Change the jndi.properties file in the design-tools/aggregation-designer/lib directory to indicate the new location of the default.properties file, as shown in the following example:

      org.osjava.sj.root=file://<install directory>/design-tools/aggregation-designer/simple-jndi

  5. Replace the password value in every property in the default.properties file with the encrypted password.

    Note: If you are using a remote repository, you must change localhost to the correct IP address of the remote repository.

  6. Save and close the file.

  7. Restart the server and verify that all passwords are now using encrypted values.

Results

After you have configured an application to use encrypted passwords, all logins with the Pentaho application will use the encrypted passwords.

Next steps

Connect to any databases that were edited to ensure all changes are operating correctly.

Encrypted passwords with the Pentaho Metadata Editor

The Pentaho Metadata Editor (PME) stores a password in the default.properties file of the JNDI connection. For information about setting up a JNDI connection, see the article Define JNDI connections for Report Designer and Metadata Editor.

Perform the following steps to use an encrypted password with the PME:

Procedure

  1. Stop the server.

  2. In the user’s home directory, navigate to the .pentaho/simple-jndi directory.

  3. Open the default.properties file with any text editor.

    Note: If you do not have a default.properties file in a <user_HOME_folder>.pentaho/simple-jndi directory, you must create one.

  4. Replace the password value in every property in the file with the encrypted password.

    Note: If you are using a remote repository, you must change localhost to the correct IP address of the remote repository.

  5. Save and close the file.

  6. Restart the server and verify that all passwords are now using encrypted values.

Results

After you have configured an application to use encrypted passwords, all logins with the Pentaho application will use the encrypted passwords.

Next steps

Connect to any databases that were edited to ensure all changes are operating correctly.

Encrypted passwords with the Pentaho Report Designer

The Pentaho Report Designer (PRD) stores a password in the default.properties file of the JNDI connection. For information about setting up a JNDI connection, see the article Define JNDI connections for Report Designer and Metadata Editor.

Perform the following steps to use an encrypted password with the PRD:

Procedure

  1. Stop the server.

  2. Navigate to the design-tools/report-designer/configuration-template/simple-jndi directory.

  3. Open the default.properties file with any text editor.

  4. Replace the password value in every property in the file with the encrypted password.

    Note: If you are using a remote repository, adjust the localhost address to the correct IP. Also, make sure you use the encrypted password for all occurrences of the password.

  5. Save and close the file.

  6. Copy the default.properties file from the design-tools/report-designer/configuration-template/simple-jndi directory to the .pentaho/simple-jndi directory in the user’s home directory and replace the existing default.properties file.

    Note: If there is no existing <user_HOME_folder>.pentaho/simple-jndi directory, create the directory and copy the default.properties file into the directory that you create.

  7. Restart the server and verify that all passwords are now using encrypted values.

Results

After you have configured an application to use encrypted passwords, all logins with the Pentaho application will use the encrypted passwords.

Next steps

Connect to any databases that were edited to ensure all changes are operating correctly.
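
One way to carry out the "verify that all passwords are now using encrypted values" step for the simple-jndi properties files (jdbc.properties, default.properties) and for context.xml, as an added example that is not Pentaho's own tooling. It assumes that values produced by encr -kettle begin with the literal prefix `Encrypted `, which this page does not state; the function names and the sample files are constructed for illustration.

```shell
# Added example: report password entries that are still stored as plain text.
# Assumption: values produced by "encr -kettle" begin with "Encrypted ".
PREFIX='Encrypted '

# simple-jndi files: keys look like <name>/password=<value>, using the "/"
# delimiter set in jndi.properties. Prints the key only, never the value,
# so the report itself does not leak a password.
plaintext_in_properties() {
  awk -v p="$PREFIX" '
    /^[ \t]*[#!]/ { next }                 # skip comment lines
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      sub(/^[ \t]+/, "", val)
      if (key ~ /\/password$/ && index(val, p) != 1) print key
    }' "$1"
}

# context.xml: print the line number of every password="..." attribute whose
# value lacks the prefix. Also works when a Resource spans several lines.
plaintext_in_context_xml() {
  grep -n -o 'password="[^"]*"' "$1" | grep -v "password=\"$PREFIX" | cut -d: -f1
}

# Constructed sample files; every name and value here is made up.
make_samples() {
  cat > "$1/jdbc.properties" <<'EOF'
# constructed sample
SampleData/type=javax.sql.DataSource
SampleData/user=pentaho_user
SampleData/password=hunter2
Quartz/password=Encrypted 0123456789abcdef0123456789abcdef
EOF
  cat > "$1/context.xml" <<'EOF'
<Context>
  <Resource name="jdbc/Hibernate" username="hibuser"
            password="Encrypted 0123456789abcdef0123456789abcdef"/>
  <Resource name="jdbc/Audit" username="hibuser" password="changeme"/>
</Context>
EOF
}

dir=$(mktemp -d) && make_samples "$dir"
plaintext_in_properties "$dir/jdbc.properties"
plaintext_in_context_xml "$dir/context.xml"
rm -rf "$dir"
```

Run the two functions against each file edited in the procedures above; empty output means no password entry lacks the prefix.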