Secrets in Configuration
When setting up a Cadenza installation, there are several places where secrets need to be configured. Secrets are private keys or credentials for authentication, such as a database password or a client secret for using an OpenID identity provider.
Cadenza employs an encoding scheme for passwords that protects against accidentally revealing a password. Additionally, secrets can be passed in environment variables, system properties or Cadenza variables that are referenced from the respective settings. Variable expansion happens before decoding, so the variable reference itself is written verbatim in the setting, while the value stored in the variable must be the encoded secret.
The encoding scheme is not cryptographically secure, so you must still restrict access to configuration files and to any variable storage that contains such secrets.
Configuring the Handling of Secrets
Depending on the deployment structure, such an encoding might not fit your needs, for example when secrets are already stored as Kubernetes secrets and would have to be encoded specifically for starting Cadenza.
Unless specified otherwise, Cadenza expects all secrets to be encoded.
For more information, see the secretHandling option in core settings.
Encoding Secrets with the Disy Password Encoder
Unless you have chosen the pass-through processor, you will have to encode your secrets with the Disy password encoder to prepare your configuration.
The easiest way to do so is through a temporary Docker setup.
Please substitute your_plaintext_password with the actual secrets you want to use.
Throughout this documentation, we will use the_disy_encoded_password to refer to a secret that has been encoded with the Disy password encoder.
Use the following command to encode your secret(s):
In a Docker Environment
docker run --rm registry-ext.disy.net/cadenza/cadenza-web:9.4-release java -cp '/cadenza/WEB-INF/lib/*' de.disy.lib.tools.PasswordEncoder your_plaintext_password
You will need credentials (username/password) to pull the Cadenza Web image from the Disy registry. Please get in touch with your account representative to receive these credentials.
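The following script is an added example, not part of the Cadenza documentation or Disy's tooling: it wraps the Docker command above to encode several secrets in one go and stores the encoded values in an owner-only environment file, so that Cadenza settings can reference them as variables (the variable names, the output path and the stdin input format are assumptions for illustration).

```shell
#!/bin/sh
# Added example (not Disy's own tooling): encode secrets with the Disy
# password encoder via the Docker command from this page and write the
# encoded values to an environment file readable only by its owner.
# Cadenza settings reference the variables verbatim (e.g. ${DB_PASSWORD});
# expansion happens before decoding, so the stored values must be the
# encoded form. Variable names and the output path are illustrative.
set -eu

# Runs the Disy password encoder on one plaintext secret and prints the
# encoded result. The plaintext is passed as a process argument of the
# docker client, so keep this out of shared or history-recording shells.
encode_secret() {
  docker run --rm registry-ext.disy.net/cadenza/cadenza-web:9.4-release \
    java -cp '/cadenza/WEB-INF/lib/*' de.disy.lib.tools.PasswordEncoder "$1"
}

# Reads "NAME plaintext" pairs from stdin and appends NAME='encoded' lines
# to the file given as $1. The file is created with mode 0600 *before* any
# secret is written, so there is no window where it is world-readable.
write_env_file() {
  out=$1
  ( umask 077; : > "$out" )   # create/truncate under an owner-only umask
  chmod 600 "$out"            # also tighten a pre-existing file
  while read -r name plain; do
    [ -n "$name" ] || continue
    printf "%s='%s'\n" "$name" "$(encode_secret "$plain")" >> "$out"
  done
}

# Returns 0 when the file's mode is rw for the owner and nothing for others.
owner_only() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage (constructed sample input; real secrets should come from a secure
# store rather than a shell literal):
# printf 'DB_PASSWORD s3cret\nOIDC_CLIENT_SECRET abc123\n' \
#   | write_env_file cadenza-secrets.env
```

The resulting file can be sourced by the process that starts Cadenza, while the settings themselves only contain the variable references.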