Protecting Sensitive Data in Configuration FilesConfiguration Properties
Transformer configuration files are the files stored in the Transformer configuration directory, $TRANSFORMER_CONF. These files include the Transformer properties file, transformer.properties, in addition to other files such as the dpm.properties and credential-stores.properties files.You configure Transformer configuration properties in the advanced configuration properties of the deployment.
Some properties in the configuration filesconfiguration properties, such as the https.keystore.password
property, require that you
enter a password. Instead of entering the password in clear text, you can store the
password outside of the configuration fileconfiguration properties and then use a function to retrieve the sensitive data.
exec
function to call
the script.- From a file with the
file
function - Store the sensitive data in a separate file in the Transformer configuration directory, $TRANSFORMER_CONF. Then,
use the
file
function in the configuration fileconfiguration properties to retrieve the data, as follows:${file("<filename>")}
- Using a script or executable with the
exec
function - For increased security, store the sensitive data in a separate location, such as a credential store or file. Then, develop a script or executable that retrieves the sensitive data.
file
or the
exec
function, Transformer
uses the exact output of the file or script. Carefully design and test the file or
script to ensure that the functions return only the expected data. For example, if a function returns a password with a newline character, Transformer includes the newline character, which results in an invalid password.