Protecting Sensitive Data in Configuration Files

Transformer configuration files are the files stored in the Transformer configuration directory, $TRANSFORMER_CONF. These files include the Transformer properties file, transformer.properties, in addition to other files such as the dpm.properties and credential-stores.properties files.

Some properties in the configuration files, such as the https.keystore.password property, require that you enter a password. Instead of entering the password in clear text, you can store the password outside of the configuration file and then use a function to retrieve the sensitive data.

Tip: To access sensitive data in a credential store, develop a script that retrieves the sensitive data, then use the exec function to call the script.

You can use functions to retrieve sensitive data in the following ways:

From a file with the file function

Store the sensitive data in a separate file in the Transformer configuration directory, $TRANSFORMER_CONF. Then, use the file function in the configuration file to retrieve the data, as follows:

${file("<filename>")}

For example, with the xmail.username property configured as shown below, Transformer retrieves the user name from the email_username.txt file located in the Transformer configuration directory:

xmail.username=${file("email_username.txt")}

Retrieving sensitive data from another file provides some level of security. However, the sensitive data in the additional file is still entered in clear text and thus vulnerable for others to access. For increased security, use a script or executable to retrieve the sensitive data.

Using a script or executable with the exec function

For increased security, store the sensitive data in a separate location, such as a credential store or file. Then, develop a script or executable that retrieves the sensitive data.

For example, you can develop a script that decrypts an encrypted file containing a password. Or you can develop a script that calls an external REST API to retrieve a password from a credential store.

Store the script or executable, and any related files, in the Transformer configuration directory, $TRANSFORMER_CONF.

Use the exec function in the configuration files to call the script or executable as follows:

${exec("<script name>")}

For example, with the xmail.password property configured as shown below, Transformer runs the email_pwd.sh script in the Transformer configuration directory to retrieve the password:

xmail.password=${exec("email_pwd.sh")}

Important: When you use either the file or the exec function, Transformer uses the exact output of the file or script. Carefully design and test the file or script to ensure that the functions return only the expected data.

For example, if a function returns a password with a newline character, Transformer includes the newline character, which results in an invalid password.