- Hardcoded passwords (definitely causes exposure)
- Custom encryption/decryption script or compiled program
- Leveraging a password vault with API calls
- System environment variables
- ODI encryption and decryption process
- Leverage FDMEE's Encryption and decryption process
Note: All of the options above are only as strong as your ability to protect the scripts and the encryption/decryption code from unauthorized access. The key is to limit access and build layers of security into the process.
In the past I would build a custom script to perform the encryption/decryption when needed, which works great but requires maintenance. I read a great FDMEE Encryption Blog by Francisco Amores, where he leverages ODI to perform the encryption and decryption process. He broke down the process leveraging ODI and a custom script to retrieve the encrypted passwords from the ODI/FDMEE repository.
The option that I like to use leverages the FDMEE Encryption/Decryption process outlined within the FDMEE Admin guide.
Step 1: Create Encrypted Password Text File
Follow the instructions in the admin guide to create an encrypted password text file in the FDMEE password directory, which is defined within the FDMEE system settings.
If we look within the EncryptPassword.bat file we will notice a call to three different .jar files.
The important jar file is registry-api.jar, which contains the encrypt and decrypt process that FDMEE uses when running EncryptPassword.bat from the command line or from FDMEE batch jobs that require a password.
The trick is to leverage the jar file in our custom FDMEE scripts when they need to access a SQL database or another secure process that requires a password.
Step 2: Import the registry-api.jar Encryption process
Create a Jython script and load the registry-api.jar for access to the encryption process.
Step 3: Get the Encrypted password from UserName file
To reuse the code, we can pass variables to complete the uid_filename so that different processes can set the uid variable. This example is deliberately simplistic, but it can be made more dynamic based on FDMEE location attributes.
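The following is an added example, not code from this post or from FDMEE: one way to build the uid_filename from a caller-supplied uid and refuse to read the encrypted password file when it is reachable by more than its owner, which is the access-limiting point made in the note above. The `<uid>.txt` naming, the function names and the POSIX permission check are assumptions; decryption itself is left to the registry-api.jar process from Step 2. The code uses only syntax that Jython 2.7 also accepts.

```python
import os
import re
import stat

# Assumption: one file per user ID named "<uid>.txt"; the page does not
# state the real naming scheme used in the FDMEE password directory.
UID_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class PasswordFileError(Exception):
    """Raised when the password file cannot be used safely."""


def resolve_password_file(password_dir, uid, suffix=".txt"):
    """Build the uid_filename path and refuse anything outside password_dir."""
    # Allowlist the uid so a value such as "../other" cannot change directory.
    if not UID_PATTERN.match(uid) or uid.startswith("."):
        raise PasswordFileError("rejected uid: %r" % uid)
    base = os.path.realpath(password_dir)
    # realpath also resolves symlinks, so a link pointing elsewhere is caught.
    path = os.path.realpath(os.path.join(base, uid + suffix))
    if os.path.dirname(path) != base:
        raise PasswordFileError("path escapes password directory")
    return path


def read_encrypted_password(password_dir, uid):
    """Return the encrypted text only if the file is restricted to its owner."""
    path = resolve_password_file(password_dir, uid)
    if not os.path.isfile(path):
        raise PasswordFileError("no password file for %s" % uid)
    mode = os.stat(path).st_mode
    # POSIX check: any group/other permission bit means the file is overexposed.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PasswordFileError("password file is accessible beyond its owner")
    with open(path, "r") as handle:
        # Still encrypted at this point; hand it to the decrypt step.
        return handle.read().strip()
```

On Windows hosts the mode bits do not reflect NTFS ACLs, so the permission check there has to be done against the ACL instead.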