Secure storage and database credential storage
Data360 Analyze requires two credentials to start up the application: the Secure Store password and the application database password. The Secure Store is the local key store that holds the keys the application uses to encrypt sensitive data and objects within the application, e.g. dataflow password properties. The application database is the pre-configured Postgres database that is installed with Data360 Analyze and stores all of the application-related data: dataflows, library nodes, etc.
These two credentials can be stored in a number of different ways:
- As encrypted properties in the <site-dir>/conf/cust.prop file. (Default)
- Externally and provided manually during application start up via an HTML form or a REST API call. (Secure Store only)
- Externally in a third-party Key Management System (KMS). Only Azure Key Vault Secrets are supported at this time.
The storage for each credential can be configured independently, so combining methods is allowed and may be preferable. For example, the default networking configuration for the application database only allows connections from localhost. If that satisfies security requirements, the database password can be stored as an encrypted property while the Secure Store password is pulled from a KMS.
Note that in all of the cases above, a changed credential must first be updated on the component itself (the Secure Store or the application database) and then, as a separate manual step, updated in the storage.