Use password encryption with Pentaho

Strengthen security by using encrypted passwords for Pentaho applications.

These tasks are for IT administrators who have permission to modify files on the server and to stop and start the server. Perform them when you want to enhance your company's security by encrypting the passwords that are currently stored as plain text in configuration files, for example, to meet specific server security levels for regulatory compliance.

As a best practice, stop the server before modifying configuration files, then start the server when finished. After you have configured a Pentaho product to use encrypted passwords, all logins with the Pentaho product will use the encrypted passwords. Connect to any databases that were edited to ensure all changes are correct.

Use this topic to:

Encrypted passwords are supported for:

You can also use encrypted passwords with JDBC security. See the Administer Pentaho Data Integration and Analytics document for instructions on switching to JDBC security.

Encrypting a password

Perform the following steps on the machine with the Pentaho Server to create an encrypted password.

  1. Stop the server.

    For instructions, see Stop and start the Pentaho Server and repository.

  2. At the command line, navigate to the server/pentaho-server directory.

  3. Run encr.bat (Windows) or encr.sh (Linux).

    Example:

    The console prints the encrypted password.

    Note: You must have a JRE or JDK installed.

  4. Restart the server.

Use encrypted passwords with Pentaho products

How you apply an encrypted password varies by product.

Pentaho Data Integration (PDI)

Perform the following steps to use an encrypted password with Pentaho Data Integration (PDI).

  1. Stop the server.

    For instructions, see Stop and start the Pentaho Server and repository.

  2. Navigate to the design-tools/data-integration/simple-jndi directory.

  3. Open the jdbc.properties file in a text editor.

  4. Replace all instances of the password value with the encrypted password.

  5. Save and close the file.

  6. Restart the server and verify the change.

Pentaho User Console (PUC)

Perform the following steps to use an encrypted password with the Pentaho User Console (PUC).

  1. Stop the server.

    For instructions, see Stop and start the Pentaho Server and repository.

  2. Navigate to the server/pentaho-server/tomcat/webapps/pentaho/META-INF directory.

  3. Open the context.xml file in a text editor.

  4. Replace the password value in every Resource element with the encrypted password.

  5. Save and close the file.

  6. Restart the server and verify the change.

PUC email

After you configure PUC to use an encrypted password, you can use that password with PUC email.

  1. Log in to PUC as an administrator.

  2. Open the Administration Perspective.

  3. Select the Mail server section.

  4. Enter your encrypted password value in the password field.

    Note: If you use Gmail, enable Allow less secure apps to access your account.

  5. Select Test Email Configuration.

  6. Verify that PUC sends an email to the address you specified.

Pentaho Aggregation Designer

To use encrypted passwords with Pentaho Aggregation Designer, you must first centralize your passwords in a jndi.properties file.

  1. Stop the server.

    For instructions, see Stop and start the Pentaho Server and repository.

  2. Create a jndi.properties file with the default properties:

  3. Save jndi.properties in the design-tools/aggregation-designer/lib directory.

  4. In the user’s home directory, navigate to the .pentaho/simple-jndi directory.

    • Open default.properties in a text editor.

    • If default.properties does not exist, create it.

    • If you created default.properties under design-tools/aggregation-designer/simple-jndi, update org.osjava.sj.root in design-tools/aggregation-designer/lib/jndi.properties to point to it. Example:

  5. Replace the password value in every property in default.properties with the encrypted password.

    Note: If you use a remote repository, replace localhost with the repository IP address.

  6. Save and close the file.

  7. Restart the server and verify the change.

Pentaho Metadata Editor (PME)

The Pentaho Metadata Editor (PME) stores passwords in the JNDI connection default.properties file. For setup details, see Define JNDI connections for Report Designer and Metadata Editor.

  1. Stop the server.

    For instructions, see Stop and start the Pentaho Server and repository.

  2. In the user’s home directory, navigate to the .pentaho/simple-jndi directory.

  3. Open default.properties in a text editor.

    Note: If default.properties does not exist, create it.

  4. Replace the password value in every property with the encrypted password.

    Note: If you use a remote repository, replace localhost with the repository IP address.

  5. Save and close the file.

  6. Restart the server and verify the change.

Pentaho Report Designer (PRD)

The Pentaho Report Designer (PRD) stores passwords in the JNDI connection default.properties file. For setup details, see Define JNDI connections for Report Designer and Metadata Editor.

  1. Stop the server.

    For instructions, see Stop and start the Pentaho Server and repository.

  2. Navigate to the design-tools/report-designer/configuration-template/simple-jndi directory.

  3. Open default.properties in a text editor.

  4. Replace the password value in every property with the encrypted password.

    Note: If you use a remote repository, replace localhost with the repository IP address.

  5. Save and close the file.

  6. Copy default.properties to the .pentaho/simple-jndi directory in the user’s home directory. Replace the existing file.

    Note: If the .pentaho/simple-jndi directory does not exist, create it.

  7. Restart the server and verify the change.

After you update a product

After you configure a product to use encrypted passwords, all logins with that product use encrypted passwords.

Connect to any databases you updated to verify the changes.
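
A post-change check for the steps above, added here as an example (not Pentaho code): it reports every password property, or Resource password attribute, that does not hold a value you obtained from encr, and it never prints the values themselves. The name/password=value key layout, the sample file contents, and the placeholder encrypted value are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed key layout: "<name>/password=<value>" or any key ending in "password".
# Comment lines (# or !) are skipped. Adjust the pattern to match your files.
PASSWORD_KEY = re.compile(r"^\s*([^#!\s][^=]*password)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def audit_properties(text, encrypted_values):
    """Return (line_no, key) for password properties not set to a known encrypted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PASSWORD_KEY.match(line)
        if match and match.group(2) not in encrypted_values:
            findings.append((line_no, match.group(1).strip()))  # key only, never the value
    return findings


def audit_context_xml(text, encrypted_values):
    """Return the name of each Resource whose password attribute is not a known encrypted value."""
    findings = []
    for resource in ET.fromstring(text).iter("Resource"):
        password = resource.get("password")
        if password is not None and password not in encrypted_values:
            findings.append(resource.get("name", "<unnamed>"))
    return findings


# Constructed sample data. The placeholder stands in for real encr output.
SAMPLE_ENCRYPTED = {"PLACEHOLDER-ENCR-OUTPUT-1"}
SAMPLE_PROPERTIES = """\
# constructed sample
SampleData/type=javax.sql.DataSource
SampleData/user=pentaho_user
SampleData/password=PLACEHOLDER-ENCR-OUTPUT-1
Quartz/user=pentaho_user
Quartz/password=password
"""
SAMPLE_CONTEXT = """<Context>
  <Resource name="jdbc/Hibernate" username="hibuser" password="PLACEHOLDER-ENCR-OUTPUT-1"/>
  <Resource name="jdbc/Audit" username="hibuser" password="password"/>
</Context>"""

if __name__ == "__main__":
    print("properties still in plain text:", audit_properties(SAMPLE_PROPERTIES, SAMPLE_ENCRYPTED))
    print("Resource elements still in plain text:", audit_context_xml(SAMPLE_CONTEXT, SAMPLE_ENCRYPTED))
```

To check real files, read jdbc.properties, default.properties, or context.xml into a string and pass the set of encrypted values you generated.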
