By default, OBLOADER & OBDUMPER can run after you explicitly specify sensitive information such as the password on the command line. To enhance information security, OBLOADER & OBDUMPER V4.2.0 and later provide methods to encrypt and decrypt sensitive information on the command line.
Use secure-gen to encrypt information
Install OpenSSL and configure environment variables.
Note
To use secure-gen to encrypt information, you must install the OpenSSL toolkit. For more information, see View the help information of secure-gen following this section.
Verify that OpenSSL has been installed.
$ which openssl
/usr/bin/openssl
Encrypt sensitive information files in the local path.
./secure-gen -n <file_path>
Note
Sensitive information files must meet the specifications described in Properties File Format. You can also edit the sensitive information to be encrypted in the CLI.
Run the following command in the {ob-loader-dumper}/tools/ directory.
./secure-gen -i
Edit the parameters to be encrypted in the CLI and then enter :wq to save and exit.
# Input the sensitive fields below in plain-text respectively.
# Note you can leave any of them as blank, ob-loader-dumper will parse from cli args first, and override any field if there is a conflict.
#
# Database password.
oceanbase.jdbc.password=******
# Database password for sys tenant.
oceanbase.jdbc.sys.password=******
# Access key for cloud storages like OSS & S3.
cloud.storage.access.key=******
# Secret key for cloud storages like OSS & S3.
cloud.storage.secret.key=******
:wq
The following table lists the sensitive parameters that can be encrypted by OBLOADER & OBDUMPER.
Parameter: oceanbase.jdbc.password
Description: Optional. The password of a user under a business tenant in OceanBase Database, which is the value specified by the command-line option -p (--password).
Parameter: oceanbase.jdbc.sys.password
Description: Required. The password of a user under the sys tenant in OceanBase Database, which is the value specified by the command-line option --sys-password.
Parameter: cloud.storage.access.key
Description: Optional. The AccessKey ID used to access a cloud storage service such as Amazon Simple Storage Service (S3) or Alibaba Cloud Object Storage Service (OSS). The value is specified by the command-line option -f.
Parameter: cloud.storage.secret.key
Description: Optional. The AccessKey secret used to access a cloud storage service such as Amazon S3 or Alibaba Cloud OSS. The value is specified by the command-line option -f.
Choose whether to use an existing key as prompted.
$ ./secure-gen
Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n):
Enter n to regenerate a key pair by using OpenSSL. By default, the key pair is stored in <Root directory of the user>/.loaddump/secure/. By default, the public key file is key.pem.pub, and the private key file is key.pem.
Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n): n
Generating RSA private key, 4096 bit long modulus
............++
.......................................................++
e is 65537 (0x10001)
writing RSA key
The key pair has been generated under the directory /Users/chang/.loaddump, please keep it safe.
The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information. If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.
Enter y to use an existing key pair. OBLOADER & OBDUMPER loads the key pair from <Root directory of the user>/.loaddump/secure/ and generates an encrypted file, for example, secure.rsa.
Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n): y
The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information. If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.
Verify whether the key pair and encrypted file are successfully generated.
$ ls ~/.loaddump/secure/
key.pem key.pem.pub secure.rsa
Enter the encrypted information in decrypt.properties in the {ob-loader-dumper}/conf/ directory.
# Absolute path of your secure file, whose name is secure.rsa by default.
# secure.filePath=
# Absolute path of your private key, whose name is key.pem by default.
# privateKey.filePath=
# Decrypt class name. Fill in this field only if you need a custom mechanism of decryption.
# decrypt.className=
View the help information of secure-gen
secure-gen is an executable Shell script. It can encrypt sensitive information fields by using the RSA algorithm. When you run OBLOADER & OBDUMPER, it will parse the decrypt.properties file in the {ob-loader-dumper}/conf/ directory to securely obtain sensitive information.
secure-gen is located in the {ob-loader-dumper}/tools/ directory. You can run ./secure-gen -h or directly enter ./secure-gen to view the help information of secure-gen.
$ ./secure-gen -h
Usage: ./secure-gen [-n <file>][-i][-h]
Description:
-n: Specify a to-be-encrypted file of sensitive contents in plain-text, use -i to check out the format.
-i: Input sensitive contents in interactive mode.
-h: Display this message.
Customize an encryption/decryption mechanism
If OpenSSL is not installed, you can perform the following steps to customize an encryption/decryption mechanism.
Create a plaintext file for encryption.
The file to be encrypted must meet the specifications described in Properties File Format (https://docs.oracle.com/cd/E23095_01/Platform.93/ATGProgGuide/html/s0204propertiesfileformat01.html).
Write a decryption class file in Java. The class definition must meet the following requirements:
A parameterless constructor must be defined.
The class must have a non-static method public String decrypt(String encryptRaw). The encryptRaw parameter is the encrypted text, and the return value is the decrypted text.
Package the decryption class as a JAR package and place the package in the {ob-loader-dumper}/lib/ directory.
Configure the corresponding content in decrypt.properties in the {ob-loader-dumper}/conf/ directory.
Examples
Create a Maven project and write a CustomDecryptor class. Use Base64 for encoding and decoding.
Note
In a production environment, you can choose an appropriate encryption/decryption algorithm as needed.
Create a plaintext file for encryption and encode the file by using Base64.
# Create a plaintext file.
$ vi password.txt
# Enter the following content in the file. Then, save the file and exit.
oceanbase.jdbc.password=******
oceanbase.jdbc.sys.password=******
# Encode the file with Base64 and save the result as custom.key.
$ echo $(base64 password.txt) > /user/loaddump/custom.key
Create a Java project. In the project, CustomDecryptor.java is the custom decryption class that you need to write.
Write the CustomDecryptor class.
package com.example.decrypt;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CustomDecryptor {

    // Parameterless constructor, as required by OBLOADER & OBDUMPER.
    public CustomDecryptor() {}

    /**
     * Takes the encrypted (here: Base64-encoded) string, decodes it and returns it as a plain string.
     * java.util.Base64 replaces the internal sun.misc.BASE64Decoder, which is not available on Java 9+.
     * The MIME decoder ignores the line breaks or spaces that the base64 command may have inserted.
     */
    public String decrypt(String encryptRaw) {
        byte[] decoded = Base64.getMimeDecoder().decode(encryptRaw);
        return new String(decoded, StandardCharsets.UTF_8);
    }
}
Package the CustomDecryptor class as a JAR package and place the package in the {ob-loader-dumper}/lib/ directory to finish setting up the decryptor.
mvn package && mv target/example-1.0-SNAPSHOT.jar path/to/ob-loader-dumper/lib/
Enter the corresponding content in decrypt.properties in the {ob-loader-dumper}/conf/ directory.
# Absolute path of your secure file, whose name is secure.rsa by default.
secure.filePath=~/tmp/custom.key
# Absolute path of your private key, whose name is key.pem by default.
# privateKey.filePath=
# Decrypt class name. Fill in this field only if you need a custom mechanism of decryption.
decrypt.className=com.example.decrypt.CustomDecryptor
Note
If you use a custom SDK for encryption and decryption, the privateKey.filePath parameter is optional.
Securely run OBLOADER & OBDUMPER.
./obdumper -hxx.x.x.x -P2883 -t example -D example --csv --all
Note
When you run OBLOADER & OBDUMPER, you do not need to explicitly declare the -p/--password option or the --sys-password option.
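The Base64 decryptor above only encodes the passwords, so anyone who can read custom.key can read them. As an added example, not code from this page or from the OBLOADER & OBDUMPER project, the following CustomDecryptor keeps the same contract (parameterless constructor, public String decrypt(String)) but uses AES-256-GCM; it assumes the loader passes the whole content of the secure file to decrypt, and that the key is supplied in an environment variable named OBLOADER_SECURE_KEY (an assumed name). The encrypt companion is what you would run once to produce the secure file.

```java
package com.example.decrypt;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical decryptor: AES-256-GCM keyed from an environment variable (name assumed), so the
// secure file in conf/ is unreadable without a secret that is not stored beside it on disk.
public class CustomDecryptor {
    private static final int IV_BYTES = 12;   // GCM nonce length
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    static final String KEY_ENV = "OBLOADER_SECURE_KEY"; // holds Base64 of a 32-byte key (assumed)
    public CustomDecryptor() {}  // parameterless constructor required by the loader

    // Contract required by OBLOADER & OBDUMPER: encryptRaw is the content of the secure file
    // (here Base64 of IV || ciphertext || tag); the return value is the plaintext properties.
    public String decrypt(String encryptRaw) throws GeneralSecurityException {
        byte[] blob = Base64.getMimeDecoder().decode(encryptRaw); // tolerates wrapped lines
        if (blob.length <= IV_BYTES + TAG_BITS / 8) throw new IllegalArgumentException("secure file too short");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, loadKey(),
                new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(blob, 0, IV_BYTES)));
        try {
            return new String(cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {  // wrong key or modified file: refuse, do not guess
            throw new IllegalStateException("secure file failed authentication", e);
        }
    }

    // Companion run once, offline, to turn the plaintext properties into the secure file.
    public static String encrypt(String plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new java.security.SecureRandom().nextBytes(iv);  // fresh nonce for every encryption
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(iv, IV_BYTES + ct.length);
        System.arraycopy(ct, 0, blob, IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }
    private static SecretKeySpec loadKey() {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null || b64.isEmpty()) throw new IllegalStateException(KEY_ENV + " is not set");
        byte[] key = Base64.getDecoder().decode(b64.trim());
        if (key.length != 32) throw new IllegalArgumentException("expected a 32-byte AES-256 key");
        return new SecretKeySpec(key, "AES");
    }
}
```

Because GCM authenticates the ciphertext, a secure file that was edited or encrypted under a different key is rejected instead of yielding garbled credentials.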
Connect to a database over SSL
OBLOADER & OBDUMPER V4.3.1 and later allow you to connect to a database over SSL. This section describes two methods for connecting to a database over SSL.
Method 1: Configure SSL parameters to enable SSL connection
Configure SSL parameters in the session.config.json file. For more information about the file, see Connection configuration.
"useSSL": true,
"disableSslHostnameVerification": true,
"trustStore": "http://xxx.xxx.xxx.xxx:39411/rpcssl/truststore.jks",
"trustStorePassword": "123xxxx",
"//keyStore": "xxxxx",
"//keyStorePassword": ""
Configure the trustStore and trustStorePassword parameters based on the actual situation.
The value of trustStore can be an HTTP URL or a local path, for example, "trustStore": "/home/admin/downloads/truststore.jks".
The value of trustStorePassword is a plaintext password. Note that it is not the database password.
Method 2: Use secure-gen for encryption
You can also use secure-gen to protect the passwords used for the SSL connection, which improves security and reduces risk. The procedure is as follows:
Install OpenSSL and configure environment variables.
Run the following command in the {ob-loader-dumper}/tools/ directory:
./secure-gen -i
Configure the related password parameters in the CLI and then enter :wq to save and exit.
# Input the sensitive fields below in plain-text respectively.
# Note ob-loader-dumper will parse from cli args first, and override any field in this file if there is a conflict.
#
# This password used for creating JDBC Connection.
oceanbase.jdbc.password=*******
# This password used for creating JDBC Connection of sys tenant.
oceanbase.jdbc.sys.password=******
# Trust store password for creating JDBC Connection with useSSL=true.
oceanbase.jdbc.trustStorePassword=******
# Key store password for creating JDBC Connection with useSSL=true (X509).
# oceanbase.jdbc.keyStorePassword=
# AccessKey for cloud storages like OSS, S3.
# cloud.storage.access.key=
# SecretKey for cloud storages like
By default, the encrypted file and key are locally generated by using OpenSSL. Specify the paths of the encrypted file (secure.rsa) and key (key.pem) in the security.properties file in the conf/ directory. You can also place the encrypted file and key on different HTTP servers. OBLOADER & OBDUMPER automatically loads the encrypted file and key at startup and then decrypts the information.