Components that must authenticate against a database or another repository need user credentials specified in configuration files. Such sensitive information can be encrypted so that the actual value of the password is known only at runtime, protecting Aspire from potential malicious attacks.
In general, when using pre-packaged applications and the standard Aspire Admin interface (i.e. http://localhost:50505), all password encryption will be handled automatically. All passwords will be encrypted when stored in configuration files on disk, ZooKeeper, MongoDB or HBase.
All password encryption / decryption is based on a master password. Use the following steps to create a new random master password:
Notes:
Important security concern
If you skip this step, all encryption in Aspire will use the default master password, which ships with every Aspire distribution, so your encrypted passwords could be decrypted by any other Aspire distribution. Using your own master password is extremely important for avoiding this exposure.
If you want to secure access to the Aspire Administration UI using the ConfigFile method, the best and most secure way is to encrypt the passwords. To do this, you need to do the following:
<authentication> <type>ConfigFile</type> </authentication>
Change passwords
If you need to create a new set of passwords, you must go to the settings.xml file and remove the "adminPassword" and "developerPassword" properties from the System Properties section before re-running the bin\aspire.bat -set_passwords script.
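A check for the ConfigFile setup described above, as an added example that is not Aspire's own code. It assumes settings.xml stores properties as `<property name="...">value</property>` elements and that encrypted values carry an `encrypted:` prefix; both are assumptions to adjust to your distribution, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Property names come from the page; the element layout and the
# "encrypted:" marker are assumptions, not confirmed by the page.
PASSWORD_PROPS = ("adminPassword", "developerPassword")
ENCRYPTED_PREFIX = "encrypted:"  # assumed marker for encrypted values

# Constructed sample, not a real Aspire settings.xml.
SAMPLE = """<settings>
  <authentication><type>ConfigFile</type></authentication>
  <properties>
    <property name="adminPassword">encrypted:0A1B2C3D</property>
    <property name="developerPassword">changeme</property>
  </properties>
</settings>"""


def audit_settings(xml_text):
    """Return findings for the UI passwords when ConfigFile auth is enabled."""
    root = ET.fromstring(xml_text)
    auth_type = (root.findtext(".//authentication/type") or "").strip()
    if auth_type != "ConfigFile":
        return []  # UI passwords are not read from this file
    # Collect the two password properties wherever they appear.
    values = {}
    for prop in root.iter("property"):
        name = prop.get("name")
        if name in PASSWORD_PROPS:
            values[name] = (prop.text or "").strip()
    findings = []
    for name in PASSWORD_PROPS:
        if name not in values:
            findings.append(f"{name}: not set")
        elif not values[name]:
            findings.append(f"{name}: empty")
        elif not values[name].startswith(ENCRYPTED_PREFIX):
            findings.append(f"{name}: stored in plaintext")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE):
        print(finding)
```

An encrypted value says nothing about which master password produced it, so this check does not replace creating a new master password.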
If you are creating a custom application which requires password encryption, you may need to use the "encryptPassword" script.
To use password encryption, follow these instructions: