Storing database passwords in an encrypted format

For audit and security purposes, always store sensitive information, such as passwords, in an encrypted format.

About this task

There are other database-related scripts, for example:
  • Schema, company creation, and deletion scripts
  • Migration scripts
  • Maintenance scripts
    Note: The maintenance scripts require the argument dbpassword if the encrypt_password parameter is set to yes in the env_settings.ini file.
If the argument is not passed, you are prompted for the database password. If the encrypt_password parameter is set to no or is not set at all, you can run the scripts without the dbpassword argument. Depending on the value of the encrypt_password parameter, the db.xml file stores either the plain text password or the encrypted password.

Procedure

  1. Add the encrypt_password parameter to the [db] section of the env_settings.ini file.
  2. Set the encrypt_password parameter to yes if you want the password to be encrypted.
    Note: If you do not want to encrypt the password, keep the password parameter, as is, in the [db] section.
  3. Run the bin/configureEnv.sh -dbpassword=<database password> command. You are prompted to enter the password if it is not given as an argument. For example, if the --overwrite option is not used, a warning displays asking you to run the script with the dbpassword argument. If the encrypt_password parameter in the env_settings.ini file is not set or is set to no, the dbpassword argument is not required for the configureEnv.sh script.
  4. Confirm that the script created the db.xml file in the $TOP/etc/default directory. This step is important because:
    • It is the only place from where the Java™ code can read the encrypted password or plain text password
    • The decrypted password can be used in a JDBC connection.
  5. Whenever any of the database-related properties in the [db] section of the env_settings.ini file are changed, run the bin/configureEnv.sh -dbpassword=<database password> command to re-create the db.xml file. You are prompted to enter the password if it is not given as an argument. In this case, if the encrypt_password parameter in the env_settings.ini file is not set or is set to no, the dbpassword argument is not required for the configureEnv.sh script.
  6. Confirm that the script created the db.xml file in the $TOP/etc/default directory. This step is important because:
    • It is the only place from where the Java code can read the encrypted password or plain text password
    • The decrypted password can be used in a JDBC connection.
  7. With this change, if you create the IBM® InfoSphere® Master Data Management Collaboration Server - Collaborative Edition schema, start the create_schema script. For example:

    bin/db/create_schema.sh -dbpassword=<database password>

    You are prompted to enter the password if it is not given as an argument. If the encrypt_password parameter in the env_settings.ini file is not set or is set to no, the dbpassword argument is not required for the scripts.
  8. Run the bin/test_db.sh -dbpassword=<database password> command. You are prompted to enter the password if it is not given as an argument. If the encrypt_password parameter in the env_settings.ini file is not set or is set to no, the dbpassword argument is not required for the scripts.
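
A check to run after the procedure above, added here as an example and not part of the IBM documentation or product: it reads the [db] section of env_settings.ini and inspects db.xml to report whether the password handling matches what the steps describe. The function names db_ini_get and audit_db_password are hypothetical, the sample file is constructed, and the script assumes key=value lines with # comments and that an encrypted setup should no longer carry a password value in [db].

```shell
#!/bin/sh
# Added example (not IBM code): audit the password handling described above.
# Assumes env_settings.ini uses "key=value" lines under "[db]" and "#" comments.

# Print the value of key $2 from the [db] section of INI file $1 (empty if absent).
db_ini_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_db = ($0 ~ /^[ \t]*\[db\][ \t]*$/); next }
        !in_db || /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding for INI file $1 and db.xml path $2:
#   plaintext             encrypt_password is "no" or unset
#   password-left-in-ini  encrypt_password=yes but [db] still has a password value
#   dbxml-missing         configureEnv.sh has not created db.xml yet
#   dbxml-world-readable  db.xml can be read by any local user
#   ok                    none of the above
audit_db_password() {
    [ "$(db_ini_get "$1" encrypt_password)" = "yes" ] || { echo plaintext; return 0; }
    [ -z "$(db_ini_get "$1" password)" ] || { echo password-left-in-ini; return 0; }
    [ -f "$2" ] || { echo dbxml-missing; return 0; }
    [ -z "$(find "$2" -prune -perm -004)" ] || { echo dbxml-world-readable; return 0; }
    echo ok
}

# Constructed sample: encryption is on, but a stale password line remains in [db].
demo_dir=$(mktemp -d)
cat > "$demo_dir/env_settings.ini" <<'EOF'
[other]
password=not-the-db-section
[db]
username=mdmuser
# password=commented-out
encrypt_password = yes
password=Example-Pa55
EOF
audit_db_password "$demo_dir/env_settings.ini" "$demo_dir/db.xml"
```

Call audit_db_password with the path to your env_settings.ini and $TOP/etc/default/db.xml. Letting the scripts prompt for the password, instead of passing it in the dbpassword argument, keeps it out of shell history and the process list.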


Last updated: 6 Sep 2017