Initializing help system before first use

Encrypting Sensitive Information Stored in Configuration Files

The Insight Server and Execution Worker configuration files should be encrypted to secure any sensitive values they contain, such as passwords.
You will require administrator rights on the host machine.
Configuration values can be encrypted with a configuration key, supplied to the server or worker via the environment variable INSIGHT_CONFIGURATION_KEY. The configuration key should fulfill three requirements. It should be:
  • a securely random string of suitable complexity.
  • unique to each server and worker.
  • stored in a file that only the service account and administrators can read.
An unencrypted configuration property in application.properties would look like this: 
 insight.server.persistence.mysql.password=plain-text-password
When a configuration property is encrypted, preventing its value from being read without the configuration key, it looks like this: 
insight.server.persistence.mysql.password=ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL )

The following steps describe how to encrypt these values for the server, use the same procedure with appropriate values to secure the worker.

Encrypting Configuration Files on Windows

  1. Create a configuration key by generating a random 48 character string for use as the configuration encryption key.
  2. Configure the Insight 5 Server with this encryption key. The key is passed to the server or worker as the environment variable INSIGHT_CONFIGURATION_KEY. This environment variable is read at service startup.
    1. Create a file to contain the configuration key, in a restricted location so that it can be read by SYSTEM and administrators only. For example, create a file named insight-configuration.bat.
    2. Add the following content. 
      set "INSIGHT_CONFIGURATION_KEY=secure-random-string"
  3. Edit %PROGRAMDATA%\Fico\Xpress Insight\Server\config\insight-server.conf.bat and append the following line, to load the configuration key during startup: 
    call c:\full\path\to\insight-configuration.bat
  4. Generate the encrypted property values. Launch the encrypt command line tool with the following command: 
    "\Program Files\FICO\Xpress Insight\insight-server.bat" --encrypt

    Follow the prompts, then copy the returned Encrypted property value: 

    Encrypt a property value…
Enter the encryption key:
Paste the encryption key and press enter
    Enter the property value:
Paste the property value to encrypt and press enter
    Encrypted property value:ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL )
  5. Add the encrypted property value to the application.properties file for the server or worker. 
    insight.server.persistence.mysql.password=ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL)
  6. Restart the server and verify the configuration has taken effect.

Encrypting Configuration Files on Linux

  1. Create a configuration key by generating a random 48 character string for use as the configuration encryption key.
    For example, in Linux, open a terminal window and use the following command: 
    head /dev/urandom | tr -dc A-Za-z0-9 | head -c 48 ; echo ''
  2. Configure the Insight 5 Server with this encryption key. The key is passed to the server or worker as the environment variable INSIGHT_CONFIGURATION_KEY. This environment variable is read at service startup. Edit /etc/fico-xpress-insight-server/environment and set the following content: 
    INSIGHT_CONFIGURATION_KEY=secure-random-string
  3. Restrict file access to just the xpress user by opening a terminal window and entering the following command: 
    chmod 600 /etc/fico-xpress-insight-server/environment
  4. Generate the encrypted property values. Launch the encrypt command line tool with the following command and follow the on-screen prompts, then copy the returned Encrypted property value: 
    $ fico-xpress-insight-server –encrypt
  5. Add the encrypted property value to the application.properties file for the server or worker. 
    insight.server.persistence.mysql.password=ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL )
  6. Restart the server and verify the configuration has taken effect.
Parent Topic Securing Xpress Insight 5