Configuring MettleCI Workbench to use 'secrets' to improve security of HTTPS connections
The process of configuring MettleCI Workbench to use HTTPS requires you to record HTTPS connection configuration, including the password to the MettleCI Java KeyStore and TrustStore (which are often the same store), in plain text in the config.yml file. Access to the config.yml file is protected by your environment’s file system security by providing access permission only to the owning user account (typically mciworkb) and root. Despite this, the presence of plain text credentials may contravene an organisation's security restrictions, and so in these instances you can add a further layer of security by configuring MettleCI Workbench to use secrets (as described) to secure SSL certificate-related passwords when it is configured to communicate with Git over HTTPS.
Note that the approach described here adds a layer of security by introducing a layer of indirection which, ultimately, does not make the passwords more secure as any operating system user account that has access to config.yml almost certainly has access to the secrets directory in which the sensitive data is stored. Indeed, the user account executing the MettleCI Workbench service must have access or the service will fail to start.
Configuration
To use secrets start by creating a secrets directory as described in Configuring MettleCI Workbench to communicate with Git over HTTPS, or use the one that was created by the MettleCI Workbench installation wizard.
Next, place your password to the MettleCI Java KeyStore in a plaintext file in that directory, being careful not to use a filename already in use.
Next, alter your MettleCI config.yml file to introduce a reference to the Java KeyStore using a value which uses a special indirection format: ${file:UTF-8:/opt/dm/mci/.secrets/ssh-keystore-password}
Here’s an example using an applicationConnector, but an adminConnector will also work the same way. Change confg.yml…
From this | To this |
|---|---|
---
mettleHome: "/opt/dm/mci"
server:
applicationConnectors:
- type: https
port: 8443
keyStoreType: "PKCS12"
keyStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
keyStorePassword: "mySecretPassword"
trustStoreType: "PKCS12"
trustStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
trustStorePassword: "mySecretPassword"(where | ---
mettleHome: "/opt/dm/mci"
server:
applicationConnectors:
- type: https
port: 8443
keyStoreType: "PKCS12"
keyStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
keyStorePassword: ${file:UTF-8:/opt/dm/mci/.secrets/ssh-keystore-password}
trustStoreType: "PKCS12"
trustStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
trustStorePassword: ${file:UTF-8:/opt/dm/mci/.secrets/ssh-keystore-password} where |
Some notes and cautions
The above example uses the default install directory.
The secrets directory is the same directory the MettleCI Workbench installation wizard created (for use with Git) which is a subdirectory of the install directory.
Although it may seem that double quotes around the
${}filename would theoretically work, leave the string unquoted (as shown here) or it may fail and produce entries in themci.logsuch as the followingfailure to decrypterror.
ERROR [2022-12-12 13:42:54,985] io.dropwizard.cli.ServerCommand: Unable to start server, shutting down
! java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException:
Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
<SNIP>© 2015-2024 Data Migrators Pty Ltd.