Rundeck Oracle Database Password Encryption


Sathish babu

May 22, 2013, 9:19:17 AM
to rundeck...@googlegroups.com, sathish....@pnc.com

Hi Greg

Good Morning.

This is regarding Rundeck's access to the Oracle database. I understand Rundeck would require the user ID and password to be configured in "rundeck-config.properties" as plain text in order to access the Oracle database.

Our security policy does not allow us to configure the password as plain text, so I just want to check whether it supports any type of encryption to keep the password encrypted, as opposed to plain text.

Appreciate your response on this. Thank you.


Regards
Sathish

Greg Schueler

May 22, 2013, 11:56:16 AM
to rundeck...@googlegroups.com
Hi Sathish,

If the oracle jdbc driver doesn't support encrypted password input, then you would have to use a technique such as is described here: http://stackoverflow.com/a/3338681/666481

Essentially, convert your rundeck-config.properties to a ".groovy" syntax file. Rundeck can load this file instead of .properties; you just need to specify the correct path to locate the file for rundeck startup, such as /etc/rundeck/rundeck-config.groovy.

See these two FAQ questions:


The .groovy file has the full capabilities of the groovy language, and so you could replace the `password=plaintext` with something like:

    password=decryptPassword("[ciphertext]")

You would have to construct the decryptPassword method elsewhere in the groovy file, and have it apply whatever mechanism you want to perform decryption.



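One way to write the decryptPassword helper described in the reply above, as an added example that is not part of the original thread and not Rundeck's own code. It assumes a Java 8+ JVM, uses AES-GCM, and reads the key from a hypothetical file /etc/rundeck/db.key; the closure names and the blob layout are chosen for illustration.

```groovy
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.security.SecureRandom

// Blob layout (chosen for this example): base64( 12-byte IV || ciphertext || 16-byte tag )
def encrypt = { String plain, SecretKeySpec key ->
    byte[] iv = new byte[12]
    new SecureRandom().nextBytes(iv)                 // fresh IV for every encryption
    def cipher = Cipher.getInstance('AES/GCM/NoPadding')
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv))
    def out = new ByteArrayOutputStream()
    out.write(iv)
    out.write(cipher.doFinal(plain.getBytes('UTF-8')))
    out.toByteArray().encodeBase64().toString()
}

def decrypt = { String b64, SecretKeySpec key ->
    byte[] blob = b64.decodeBase64()
    def cipher = Cipher.getInstance('AES/GCM/NoPadding')
    cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12))
    // doFinal throws AEADBadTagException if the blob was altered or the key is wrong
    new String(cipher.doFinal(blob, 12, blob.length - 12), 'UTF-8')
}

// Hypothetical key file: base64 of 32 random bytes, owned by the Rundeck
// service account with mode 0400, kept outside the config file.
def keyPath = '/etc/rundeck/db.key'
def decryptPassword = { String b64 ->
    decrypt(b64, new SecretKeySpec(new File(keyPath).text.trim().decodeBase64(), 'AES'))
}
// In rundeck-config.groovy the plaintext value would then become:
//     password = decryptPassword("[ciphertext]")

// Stand-alone self-check with a throwaway key and a constructed password.
byte[] raw = new byte[32]
new SecureRandom().nextBytes(raw)
def testKey = new SecretKeySpec(raw, 'AES')
def blob = encrypt('constructed-db-password', testKey)
assert decrypt(blob, testKey) == 'constructed-db-password'
byte[] bad = blob.decodeBase64()
bad[bad.length - 1] = (bad[bad.length - 1] ^ 1) as byte   // flip one tag bit
def rejected = false
try {
    decrypt(bad.encodeBase64().toString(), testKey)
} catch (java.security.GeneralSecurityException e) {
    rejected = true
}
assert rejected
```

Anyone who can read both the config and the key file can still recover the password, so the protection comes from giving the key file tighter permissions than the config.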
 
 

Sathish babu

May 28, 2013, 4:11:08 PM
to rundeck...@googlegroups.com
Thanks Greg,

I'm trying to understand how to implement the password logic using the Groovy configuration. The code snippet is given below, and I want to check with you where to place the Java class file. Can you please advise me on this?

Groovy Configuration

    import my.company.encryption.BlowfishCodec
    dataSource {
        username = "foo"
        password = "438uodf9s872398783r"
        passwordEncryptionCodec = BlowfishCodec
    }

Encryption Logic in java

    package my.company.encryption   // must match the import in the configuration

    import java.security.*
    import javax.crypto.*
    import javax.crypto.spec.*

    class BlowfishCodec {
        // Encrypt a plaintext string and return it base64-encoded
        static encode(target) {
            def cipher = getCipher(Cipher.ENCRYPT_MODE)
            return cipher.doFinal(target.bytes).encodeBase64()
        }

        // Decode base64 ciphertext and decrypt it back to the plaintext string
        static decode(target) {
            def cipher = getCipher(Cipher.DECRYPT_MODE)
            return new String(cipher.doFinal(target.decodeBase64()))
        }

        private static getCipher(mode) {
            // The JDK provides no SecretKeyFactory for Blowfish, so build the key directly
            def keySpec = new SecretKeySpec(getPassword(), "Blowfish")
            def cipher = Cipher.getInstance("Blowfish")
            cipher.init(mode, keySpec)
            return cipher   // cipher.init() returns void, so return the cipher explicitly
        }

        // Key material is hard-coded in the class, so anyone with the jar can decrypt
        private static getPassword() { "secret".getBytes("UTF-8") }

        static void main(args) {
            if (args) {
                println encode(args[0])
            }
        }
    }

 


Greg Schueler

May 29, 2013, 1:03:23 PM
to rundeck...@googlegroups.com
Hi Sathish,

The easiest way is to produce a jar file, and then place it on the java class path before starting the server.

If you use the launcher you can put it in server/exp/webapp/WEB-INF/lib, or in the /var/lib/rundeck/exp/webapp/WEB-INF/lib directory (if you use rpm).

