Encrypting Your Database Password¶
Failover Manager requires you to encrypt your database password before
including it in the cluster properties file. Use the efm utility
(located in the
/usr/edb/efm-3.7/bin directory) to encrypt the
password. When encrypting a password, you can either pass the password
on the command line when you invoke the utility, or use the
To encrypt a password, use the command:
# efm encrypt <cluster_name> [ --from-env ]
Where <cluster_name> specifies the name of the Failover Manager cluster.
If you include the
--from-env option, you must export the value you wish
to encrypt before invoking the encryption utility. For example:
If you do not include the
--from-env option, Failover Manager will
prompt you to enter the database password twice before generating an
encrypted password for you to place in your cluster property file. When
the utility shares the encrypted password, copy and paste the encrypted
password into the cluster property files.
Please note: Many Java vendors ship their version of Java with full-strength encryption included, but not enabled due to export restrictions. If you encounter an error that refers to an illegal key size when attempting to encrypt the database password, you should download and enable a Java Cryptography Extension (JCE) that provides an unlimited policy for your platform.
The following example demonstrates using the encrypt utility to encrypt a password for the acctg cluster:
# efm encrypt acctg This utility will generate an encrypted password for you to place in your EFM cluster property file: /etc/edb/efm-3.7/acctg.properties Please enter the password and hit enter: Please enter the password again to confirm: The encrypted password is: 516b36fb8031da17cfbc010f7d09359c Please paste this into your acctg.properties file db.password.encrypted=516b36fb8031da17cfbc010f7d09359c
Please note: the utility will notify you if a properties file does not exist.
After receiving your encrypted password, paste the password into the properties file and start the Failover Manager service. If there is a problem with the encrypted password, the Failover Manager service will not start:
[witness@localhost ~]# service efm-3.7 start Starting local efm-3.7 service: [FAILED]
If you receive this message when starting the Failover Manager service, please see the startup log (located in /var/log/efm-3.7/startup-efm.log) for more information.
If you are using RHEL 7.x or CentOS 7.x, startup information is also available with the following command:
systemctl status efm-3.7
To prevent a cluster from inadvertently connecting to the database of another cluster, the cluster name is incorporated into the encrypted password. If you modify the cluster name, you will need to re-encrypt the database password and update the cluster properties file.
Using the EFMPASS Environment Variable
The following example demonstrates using the –from-env environment
variable when encrypting a password. Before invoking the
command, set the value of
EFMPASS to the password (
# export EFMPASS=1safepassword
efm encrypt, specifying the
# efm encrypt acctg --from-env # 7ceecd8965fa7a5c330eaa9e43696f83
The encrypted password (
7ceecd8965fa7a5c330eaa9e43696f83) is returned as
a text value; when using a script, you can check the exit code of the
command to confirm that the command succeeded. A successful execution