6.5.6. Encrypting user.map Data

The user.map file can load its entries from an encrypted file by using the @script directive. The following example shows how to decrypt a file and return the results to user.map.

  1. Change to a directory outside of the current Tungsten installation

    Do this to ensure that the OpenSSL key and encrypted file are available after upgrades and other operations.

    shell> cd /opt/continuent/share
  2. Create an OpenSSL key

    In this example we will use a 1024-bit RSA private key to do the encryption and decryption. There are many options for encrypting and decrypting files but this documentation will not explore those. The same process will work with other encryption techniques. You must ensure that the decryption command runs without user input.

    shell> openssl genrsa -out usermap.pem 1024
  3. Create the file of user.map entries (user.map.entries) and encrypt it:

    tungsten secret nyc_sjc sjc
    tungsten_sjc secret sjc
    tungsten_nyc secret nyc

    Create an encrypted version of the file:

    shell> openssl rsautl -encrypt -inkey usermap.pem -in user.map.entries -out user.map.entries.ssl
  4. Test decryption of the encrypted file:

    shell> openssl rsautl -decrypt -inkey usermap.pem -in user.map.entries.ssl

    This should return the unencrypted user.map:

    tungsten secret nyc_sjc
    tungsten_sjc secret sjc
    tungsten_nyc secret nyc
  5. Update the installed and configured tungsten-connector/conf/user.map file:

    # Examples:
    # user tungstenuser has password secret and uses 'sjc_nyc' composite
    # data service, but prefers nyc site for reading:
    #   tungstenuser secret sjc_nyc nyc

    Now add a @script directive that points to the encrypted file and the private key:

    @script openssl rsautl -decrypt -inkey /opt/continuent/share/usermap.pem -in /opt/continuent/share/user.map.entries.ssl
  6. Repeat the process on each host. The user.map file will be copied to the new version when you upgrade Tungsten, so this process needs to be completed only once per host.
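
The following pre-flight check for the @script command in step 5 is an added example, not part of the original Tungsten documentation. It confirms that the key file is not accessible to group or other, that decryption completes with no input, that each decrypted line has the user.map field count, and how much of the rsautl plaintext limit is in use. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and return codes are assumptions.

# Largest plaintext (bytes) rsautl encrypts with its default PKCS#1 v1.5
# padding: modulus size in bytes minus 11.
rsa_max_plain() { echo $(( $1 / 8 - 11 )); }

# check_usermap KEY ENCRYPTED
# Returns 0 when all checks pass, 2 if the key is accessible to group or
# other, 3 if decryption fails, 4 if a decrypted entry is malformed.
check_usermap() {
    key=$1
    enc=$2
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other ($perms)" >&2
        return 2
    fi
    # stdin is /dev/null, so a command that reads stdin gets end-of-file
    # instead of waiting.
    if ! plain=$(openssl rsautl -decrypt -inkey "$key" -in "$enc" \
                 </dev/null 2>/dev/null); then
        echo "FAIL: decryption did not complete unattended" >&2
        return 3
    fi
    # Entries are "user password service [affinity]": 3 or 4 fields.
    if ! printf '%s\n' "$plain" |
        awk '!/^#/ && NF && (NF < 3 || NF > 4) { bad = 1 } END { exit bad }'
    then
        echo "FAIL: malformed user.map entry after decryption" >&2
        return 4
    fi
    # The ciphertext is exactly one modulus long, so its size gives the
    # key size; report how much of the plaintext limit is used.
    key_bits=$(( $(wc -c < "$enc") * 8 ))
    used=$(( $(openssl rsautl -decrypt -inkey "$key" -in "$enc" \
               </dev/null 2>/dev/null | wc -c) ))
    echo "OK: $used of $(rsa_max_plain "$key_bits") bytes used"
}
```

Run it on each host as check_usermap /opt/continuent/share/usermap.pem /opt/continuent/share/user.map.entries.ssl before adding the @script line.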