How do I protect the connection.password for the QIE database so that it is not stored in plain text

Question

We need to configure QIE to connect to the QIE database, but the only two options are to use a named service (this only works with MSSQL), or to use the java option -Dconneciton.password={password}. This java option stores the password in plain text.

How can I secure the password so that it is not stored as plain text.

Answer 1

Securing the QIE database password

Starting with QIE 26.2.1, QIE supports encrypting the database password so it does not need to be stored in plain text in the -Dconnection.password Java option.

To configure password encryption:

1. Create an environment variable named QIE_DB_PASS_ENCRYPTION_KEY.

2. Set the environment variable to a 32-byte key. This key length is required to use AES-256 encryption.

3. Restart the QIE service after setting the environment variable.

4. In QIE, navigate to System Config.

5. Scroll to Advanced Settings.

6. In the QIE Database Connection Password Encryption Utility section, click Encrypt Password.

7. Enter the database password in both fields, then click on the 'Encrypt Password' button.

8. Copy the generated encrypted value.

9. Update the Java option using the following format:
-Dconnection.password=ENC({encrypted_password})

10. Restart the QIE service again for the updated setting to take effect.

After this is configured, QIE will use the encryption key stored in QIE_DB_PASS_ENCRYPTION_KEY to decrypt the password at runtime, allowing the password to be stored in encrypted form instead of plain text.