Encrypting sensitive field values is supported in the meshlet. The meshlet will utilize encrypted fields based on values surrounded with encrypt( ). Thus, when the meshlet starts, any configuration values in the application.yml meshlet configuration file surrounded with encrypt( ) will be encrypted and the configuration file will be rewritten with the prefixes changed to encrypted( ).
NOTE: Encrypting configuration fields must be done as a separate step when the meshlet isn't running. Encrypting it while the meshlet is running will cause the encrypted fields to not be read properly.
Prerequisites
The meshlet must be installed with the Multitenant Meshlet as a Service installation script.
Encrypting Meshlet Configuration Fields
To encrypt fields in the meshlet's configuration file, follow these steps:
Select fields to encrypt
Open the meshlet's configuration file (application-dev.yml) in a text editor and enter encrypt() around the field values you want to be encrypted.
For example:
proxy:
  host: proxyExample.perspectium.net
  port: 8080
  username: userExample
  password: encrypt(<password_value>)
Where <password_value> is the original unencrypted value. For example, encrypt(mypassword) if your password is mypassword. You do not need to enter quotes or anything around the value.
Open up a Command Prompt
To encrypt the fields in the configuration file, open a Command Prompt as an Administrator. For example, type cmd in the Windows search window, right-click Command Prompt and select Run as administrator.
Find the encryptConfiguration.bat script
In the Command Prompt, change your directory to the location where the encryptConfiguration.bat is stored.
For example, if the script is stored at C:\Users\username\Downloads\meshlet (the relative path below is written from C:\Windows\system32, the directory an elevated Command Prompt opens in):
cd ..\..\Users\username\Downloads\meshlet
Run the encryption command
Execute the following command to encrypt your meshlet configuration file:
encryptConfiguration.bat "filepath/to/perspectium-meshlet.jar" "filepath/to/application-dev.yml"
Where filepath/to/perspectium-meshlet.jar is the location of the meshlet's jar (the executable file that runs the meshlet application) as previously installed with the Multitenant Meshlet as a Service installation script and filepath/to/application-dev.yml is the location of the meshlet's application-dev.yml.
NOTE: When entering the locations of the meshlet jar and meshlet's application-dev.yml, enter the filepath with "" as shown above. The quotes ensure the filepath is captured correctly in case of directory names with spaces in them.
Using the example from the Multitenant Meshlet as a Service installation script section above where we installed the Ivanti-User meshlet with the environment_name Production, this command would be:
encryptConfiguration.bat "C:\Perspectium-Ivanti-User-Production\perspectium-meshlet.jar" "C:\Perspectium-Ivanti-User-Production\src\main\resources\config\application-dev.yml"
Verify configuration fields are encrypted
Open the meshlet's configuration file (application-dev.yml) in a text editor and you will see the previous fields with encrypt() now replaced with encrypted() and the values have been encrypted:
proxy:
  host: proxyExample.perspectium.net
  port: 8080
  username: userExample
  password: encrypted(<encrypted_password_value>)
Run your meshlet with the encrypted configuration fields
Now you can run the meshlet with the encrypted configuration fields as specified in installing and running the meshlet.
NOTE: The java command to run the meshlet will need to specify the location of the application.yml meshlet configuration file in the -Dspring.config.location property to properly run with the encrypted fields.
java -Dspring.profiles.active=dev(,basicauth if needed) -Dlogging.config=filepath\to\logback-spring.xml -Dspring.config.location=filepath\to\application-dev.yml -jar meshlet.jar
Contact Perspectium Support for more information.
Select configuration fields to encrypt
Open the meshlet's configuration file (application-dev.yml) in a text editor and enter encrypt() around the field values you want to be encrypted.
For example:
proxy:
  host: proxyExample.perspectium.net
  port: 8080
  username: userExample
  password: encrypt(<password_value>)
Where <password_value> is the original unencrypted value. For example, encrypt(mypassword) if your password is mypassword. You do not need to enter quotes or anything around the value.
Run the encryption command
To encrypt the fields in the configuration file, you can use the following command in your terminal:
sudo /etc/init.d/psp-meshlet-meshlet_service_name encrypt "filepath/to/application-dev.yml"
Where psp-meshlet-meshlet_service_name is the name of the service as previously installed with the Multitenant Meshlet as a Service installation script and filepath/to/application-dev.yml is the location of the meshlet's application-dev.yml.
NOTE: When entering the location of the meshlet's application-dev.yml, enter the filepath with "" as shown above. The quotes ensure the filepath is captured correctly in case of directory names with spaces in them.
If the meshlet was installed with the online version of the installation script, this path is generally /opt/perspectium-<MeshletName>Meshlet-<meshlet_service_name>/src/main/resources/config/application-dev.yml.
Using the example from the Multitenant Meshlet as a Service installation script section above, where we installed the meshlet with the meshlet service name jira-change-prod (as the installation notes above, the actual service name is prefixed with psp-meshlet-, i.e., psp-meshlet-jira-change-prod), this command would be:
sudo /etc/init.d/psp-meshlet-jira-change-prod encrypt "/opt/perspectium-JiraChangeMeshlet-jira-change-prod/src/main/resources/config/application-dev.yml"
Verify configuration fields are encrypted
Open the meshlet's configuration file (application-dev.yml) in a text editor and you will see the previous fields with encrypt() now replaced with encrypted() and the values have been encrypted:
proxy:
  host: proxyExample.perspectium.net
  port: 8080
  username: userExample
  password: encrypted(<encrypted_password_value>)
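A pre-flight check for the verification step in both the Windows and Linux walkthroughs above, added here as an example and not part of Perspectium's tooling: it scans application-dev.yml for fields still wrapped in encrypt( ) versus fields already rewritten to encrypted( ), so the meshlet is only started once no plaintext marker remains. The sample configuration is constructed, and scan_config and ready_to_run are hypothetical helper names.

```python
"""Hypothetical pre-flight check (not Perspectium code) for a meshlet
application-dev.yml: list fields still wrapped in encrypt( ) and fields
already rewritten to encrypted( )."""
import re
import sys

# One YAML scalar line such as "  password: encrypt(mypassword)".
# "encrypted" is listed before "encrypt" so the longer marker is tried first.
_MARKER = re.compile(
    r"^\s*(?P<key>[\w.-]+)\s*:\s*(?P<kind>encrypted|encrypt)\((?P<val>.*)\)\s*$"
)


def scan_config(text):
    """Return (pending, done): (line, key) pairs still marked encrypt( ),
    and pairs already marked encrypted( ). Values are never returned, so
    the report can be logged without leaking a plaintext secret."""
    pending, done = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _MARKER.match(line)
        if m is None:
            continue
        bucket = done if m.group("kind") == "encrypted" else pending
        bucket.append((lineno, m.group("key")))
    return pending, done


def ready_to_run(text):
    """True only when no encrypt( ) marker remains, i.e. the encryption
    step was run (with the meshlet stopped) before starting it."""
    pending, _ = scan_config(text)
    return not pending


# Constructed sample: the file before and after the encryption step.
SAMPLE_BEFORE = """\
proxy:
  host: proxyExample.perspectium.net
  port: 8080
  username: userExample
  password: encrypt(mypassword)
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "encrypt(mypassword)", "encrypted(<encrypted_password_value>)"
)

if __name__ == "__main__":
    # Usage: python check_meshlet_config.py path/to/application-dev.yml
    with open(sys.argv[1], encoding="utf-8") as fh:
        pending, _ = scan_config(fh.read())
    for lineno, key in pending:
        print(f"line {lineno}: '{key}' still plaintext; run the encrypt step first")
    sys.exit(1 if pending else 0)
```

A non-zero exit status lets a service wrapper refuse to start the meshlet while any field is still plaintext.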
Run your meshlet with the encrypted configuration fields
Now you can run the meshlet with the encrypted configuration fields as specified in installing and running the meshlet.
NOTE: The java command to run the meshlet will need to specify the location of the application.yml meshlet configuration file in the -Dspring.config.location property to properly run with the encrypted fields.
java -Dspring.profiles.active=dev(,basicauth if needed) -Dlogging.config=filepath/to/logback-spring.xml -Dspring.config.location=filepath/to/application-dev.yml -jar meshlet.jar
Contact Perspectium Support for more information.