Month: May 2013

Cloudstack db.properties password encryption

I was once asked to update the db password in the db.properties files in Cloudstack. I kind of knew the guy who asked me was still in Cloudstack 2.2 land where passwords were in plain old text, but as of Cloudstack 3.x, the passwords in db.properties file and other passwords for that fact are encrypted. Lets have a closer look at the db.properties file.

The following file on each cloudstack and cloudplatform server contains the db connection details

/etc/cloud/management/db.properties

In this file there is information about the db username and password details.

# CloudStack database tuning parameters
db.cloud.password=ENC(57nNfvJaN9X54lbJi0pjugc9YylyRo8c)
db.cloud.username=cloudadmin
db.cloud.host=10.0.26.16
db.cloud.validationQuery=SELECT 1
db.cloud.testOnBorrow=true

In cloudplatform and cloudstack version 3 +, the db.cloud.password is encrypted. To change this, run the following file to work out the encrypted password

java -classpath /usr/share/java/cloud-jasypt-1.8.jar 
org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI 
encrypt.sh input="Password12" 
password="$(cat /etc/cloud/management/key)" verbose=true

Where

input=Password12

is the password you wish to encrypt.

The output should look something like this.

$ java -classpath /usr/share/java/cloud-jasypt-1.8.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI encrypt.sh input="Password12" password="$(cat /etc/cloud/management/key)" verbose=true

----ENVIRONMENT-----------------

Runtime: Sun Microsystems Inc. OpenJDK 64-Bit Server VM 20.0-b12

----ARGUMENTS-------------------

verbose: true
input: Password12
password: password

----OUTPUT----------------------

57nNfvJaN9X54lbJi0pjugc9YylyRo8c

The 57nNfvJaN9X54lbJi0pjugc9YylyRo8c is the encrypted password for Password12. Use this as the new password in the db.properties file

If you wish to decrypt the password, run the following command:

java-classpath/usr/share/java/cloud-jasypt-1.8.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI decrypt.shinput="57nNfvJaN9X54lbJi0pjugc9YylyRo8c"  password="$(cat /etc/cloud/management/key)"verbose=false

The password is then displayed, in this case Password12