How do I protect the connection.password for the QIE database so that it is not stored in plain text

Question

We need to configure QIE to connect to the QIE database, but the only two options are to use a named service (this only works with MSSQL), or to use the java option -Dconneciton.password={password}. This java option stores the password in plain text.

How can I secure the password so that it is not stored as plain text.

Answer 1

Securing the QIE database password

Starting with QIE 26.2.1, QIE supports storing the database password in encrypted form in the -Dconnection.password Java option, instead of plain text. The encryption key is stored separately in the QIE_DB_PASS_ENCRYPTION_KEY environment variable. When QIE starts, it uses that key to decrypt the password in memory and then uses the decrypted value to establish the JDBC connection.

To configure password encryption:

1. Create an environment variable named QIE_DB_PASS_ENCRYPTION_KEY.
2. Set the environment variable to a 32-byte key. This key length is required to use AES-256 encryption.
3. Restart the QIE service after setting the environment variable.
4. In QIE, navigate to System Config.
5. Scroll to Advanced Settings.
6. In the QIE Database Connection Password Encryption Utility section, click Encrypt Password.
7. Enter the database password in both fields, then click on the 'Encrypt Password' button.
8. Copy the generated encrypted value.
9. Update the Java option using the following format:
   -Dconnection.password=ENC({encrypted_password})
10. Restart the QIE service again for the updated setting to take effect.