The meshlet supports encrypting sensitive field values. Fields to encrypt are identified by values surrounded with encrypt( ). When the meshlet starts, any configuration values in the application.yml meshlet configuration file surrounded with encrypt( ) will be encrypted, and the configuration file will be rewritten with the prefixes changed to encrypted( ).

(info) NOTE: Encrypting configuration fields must be done as a separate step when the meshlet isn't running. Encrypting them while the meshlet is running will cause the encrypted fields to not be read properly.


Prerequisites  


(warning) The meshlet must be installed with the Multitenant Meshlet as a Service installation script.


Encrypting Meshlet Configuration Fields

To encrypt fields in the meshlet's configuration file, follow these steps: 

Windows

Select fields to encrypt

Open the meshlet's configuration file (application-dev.yml) in a text editor and enter encrypt() around the field values you want to be encrypted. 

For example:

proxy:
    host: proxyExample.perspectium.net
    port: 8080
    username: userExample
    password: encrypt(<password_value>)

Where <password_value> is the original unencrypted value. For example, encrypt(mypassword) if your password is mypassword. You do not need to enter quotes or anything around the value. 

Open up a Command Prompt

To encrypt the fields in the configuration file, open a Command Prompt and run it as an Administrator. For example, type cmd in the Windows search window, right-click Command Prompt, and select Run as administrator.

Find the encryptConfiguration.bat script

In the Command Prompt, change your directory to the location where the encryptConfiguration.bat is stored.

For example, if the file is stored at C:\Users\username\Downloads\meshlet:

cd ..\..\Users\username\Downloads\meshlet

Run the encryption command

Execute the following command to encrypt your meshlet configuration file:

encryptConfiguration.bat "filepath/to/perspectium-meshlet.jar" "filepath/to/application-dev.yml"

Where filepath/to/perspectium-meshlet.jar is the location of the meshlet's jar (the executable file that runs the meshlet application) as previously installed with the Multitenant Meshlet as a Service installation script and filepath/to/application-dev.yml is the location of the meshlet's application-dev.yml.

(info) NOTE: When entering the locations of the meshlet jar and meshlet's application-dev.yml, enter the filepath with "" as shown above. The quotes ensure the filepath is captured correctly in case of directory names with spaces in them.

Using the example from the Multitenant Meshlet as a Service installation script section above where we installed the Ivanti-User meshlet with the environment_name Production, this command would be: 

encryptConfiguration.bat "C:\Perspectium-Ivanti-User-Production\perspectium-meshlet.jar" "C:\Perspectium-Ivanti-User-Production\src\main\resources\config\application-dev.yml"

Verify configuration fields are encrypted

Open the meshlet's configuration file (application-dev.yml) in a text editor and you will see the previous fields with encrypt() now replaced with encrypted() and the values have been encrypted:

proxy:
    host: proxyExample.perspectium.net
    port: 8080
    username: userExample
    password: encrypted(<encrypted_password_value>)

Run your meshlet with the encrypted configuration fields

Now you can run the meshlet with the encrypted configuration fields as specified on installing and running the meshlet.

(info) NOTE: The java command to run the meshlet will need to specify the location of the application.yml meshlet configuration file in the -Dspring.config.location property to properly run with the encrypted fields.

java -Dspring.profiles.active=dev(,basicauth if needed) -Dlogging.config=filepath\to\logback-spring.xml -Dspring.config.location=filepath\to\application-dev.yml -jar meshlet.jar

Contact Perspectium Support for more information.

Linux

Select configuration fields to encrypt

Open the meshlet's configuration file (application-dev.yml) in a text editor and enter encrypt() around the field values you want to be encrypted. 

For example:

proxy:
    host: proxyExample.perspectium.net
    port: 8080
    username: userExample
    password: encrypt(<password_value>)

Where <password_value> is the original unencrypted value. For example, encrypt(mypassword) if your password is mypassword. You do not need to enter quotes or anything around the value. 

Run the encryption command

To encrypt the fields in the configuration file, you can use the following command in your terminal:

sudo /etc/init.d/psp-meshlet-meshlet_service_name encrypt "filepath/to/application-dev.yml"

Where psp-meshlet-meshlet_service_name is the name of the service as previously installed with the Multitenant Meshlet as a Service installation script and filepath/to/application-dev.yml is the location of the meshlet's application-dev.yml.

(info) NOTE: When entering the location of the meshlet's application-dev.yml, enter the filepath with "" as shown above. The quotes ensure the filepath is captured correctly in case of directory names with spaces in them.

If the meshlet was installed with the online version of the installation script, this path is generally /opt/perspectium-<MeshletName>Meshlet-<meshlet_service_name>/src/main/resources/config/application-dev.yml.

Using the example from the Multitenant Meshlet as a Service installation script section above where we installed the meshlet with the meshlet service name jira-change-prod (and as the installation mentions above, the actual meshlet service name will be prepended by psp-meshlet-, i.e., psp-meshlet-jira-change-prod), this command would be: 

sudo /etc/init.d/psp-meshlet-jira-change-prod encrypt "/opt/perspectium-JiraChangeMeshlet-jira-change-prod/src/main/resources/config/application-dev.yml"

Verify configuration fields are encrypted

Open the meshlet's configuration file (application-dev.yml) in a text editor and you will see the previous fields with encrypt() now replaced with encrypted() and the values have been encrypted:

proxy:
    host: proxyExample.perspectium.net
    port: 8080
    username: userExample
    password: encrypted(<encrypted_password_value>)
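The verification step above can also be scripted. The following is an added shell example, not part of Perspectium's tooling: it reports any field still wrapped in encrypt( ) by line number and key, without printing the value, and returns a non-zero status when one remains. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a meshlet config for values still wrapped in encrypt( ).
# Secret values are never printed, only line numbers and key names.

# Print "line:key" for each value still marked encrypt(...). YAML comment
# lines are skipped; "encrypted(" does not match because "ed" follows "encrypt".
pending_fields() {
    grep -nE '^[[:space:]]*[^#[:space:]][^:]*:[[:space:]]*encrypt[[:space:]]*\(' "$1" |
        sed -E 's/^([0-9]+):[[:space:]]*([^:]*):.*/\1:\2/'
}

# Count values already rewritten to encrypted(...).
encrypted_count() {
    grep -cE '^[[:space:]]*[^#[:space:]][^:]*:[[:space:]]*encrypted[[:space:]]*\(' "$1" || true
}

# Return 0 when nothing is left in plaintext, 1 when fields are pending,
# 2 when the file cannot be read.
audit_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    pending=$(pending_fields "$cfg")
    echo "encrypted fields: $(encrypted_count "$cfg")"
    if [ -n "$pending" ]; then
        echo "still plaintext (line:key):" >&2
        echo "$pending" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one field already processed, one still waiting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
proxy:
    host: proxyExample.perspectium.net
    port: 8080
    username: encrypted(CONSTRUCTED_CIPHERTEXT)
    password: encrypt(mypassword)
EOF
audit_config "$sample" || echo "re-run the encryption step with the meshlet stopped"
rm -f "$sample"
```

Point audit_config at the real application-dev.yml after running the encrypt command; a return status of 1 means at least one value is still stored in plaintext.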

Run your meshlet with the encrypted configuration fields

Now you can run the meshlet with the encrypted configuration fields as specified on installing and running the meshlet.

(info) NOTE: The java command to run the meshlet will need to specify the location of the application.yml meshlet configuration file in the -Dspring.config.location property to properly run with the encrypted fields.

java -Dspring.profiles.active=dev(,basicauth if needed) -Dlogging.config=filepath/to/logback-spring.xml -Dspring.config.location=filepath/to/application-dev.yml -jar meshlet.jar

Contact Perspectium Support for more information.