Encrypting Sensitive Information Stored in Configuration Files
INSIGHT_CONFIGURATION_KEY. The configuration key should fulfill three requirements. It should be:
- a securely random string of suitable complexity.
- unique to each server and worker.
- stored in a file that only the service account and administrators can read.
application.properties would look like this:
insight.server.persistence.mysql.password=plain-text-password
insight.server.persistence.mysql.password=ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL )
The following steps describe how to encrypt these values for the server. Use the same procedure with appropriate values to secure the worker.
Encrypting Configuration Files on Windows
- Create a configuration key by generating a random 48 character string for use as the configuration encryption key.
- Configure the Insight 5 Server with this encryption key. The key is passed to the server or worker as the environment variable INSIGHT_CONFIGURATION_KEY. This environment variable is read at service startup.
- Edit %PROGRAMDATA%\Fico\XpressInsight\Server\config\insight-server.conf.bat and append the following line, to load the configuration key during startup:
call c:\full\path\to\insight-configuration.bat
- Generate the encrypted property values. Launch the encrypt command line tool with the following command:
"\Program Files\FICO\XpressInsight\insight-server.bat" --encrypt
Follow the prompts, then copy the returned Encrypted property value:
Encrypt a property value…
Enter the encryption key: Paste the encryption key and press enter
Enter the property value: Paste the property value to encrypt and press enter
Encrypted property value:ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL )
- Add the encrypted property value to the application.properties file for the server or worker.
insight.server.persistence.mysql.password=ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL)
- Restart the server and verify the configuration has taken effect.
Encrypting Configuration Files on Linux
- Create a configuration key by generating a random 48 character string for use as the configuration encryption key.
For example, in Linux, open a terminal window and use the following command:
head /dev/urandom | tr -dc A-Za-z0-9 | head -c 48 ; echo ''
- Configure the Insight 5 Server with this encryption key. The key is passed to the server or worker as the environment variable INSIGHT_CONFIGURATION_KEY. This environment variable is read at service startup. Edit /etc/fico-xpress-insight-server/environment and set the following content:
INSIGHT_CONFIGURATION_KEY=secure-random-string
- Restrict file access to just the xpress user by opening a terminal window and entering the following command:
chmod 600 /etc/fico-xpress-insight-server/environment
- Generate the encrypted property values. Launch the encrypt command line tool with the following command and follow the on-screen prompts, then copy the returned Encrypted property value:
$ fico-xpress-insight-server --encrypt
- Add the encrypted property value to the application.properties file for the server or worker.
insight.server.persistence.mysql.password=ENC( bQTcy1mi3dbU7jDLraaDvJ5P08TXQQkIw6lWcmKX2RpGLVeL )
- Restart the server and verify the configuration has taken effect.
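One way to check the result of the Linux procedure above, as an added example that is not FICO's code: it audits the environment file's mode and key length, and lists password-like properties in application.properties whose values are not wrapped in ENC(...). The function names, the property-name pattern and the sample files are assumptions; because chmod 600 grants access to the file's owner only, the audit presumes the file is owned by the xpress user.

```shell
#!/bin/sh
# Added example (not FICO code): audit the two files the Linux procedure edits.
SENSITIVE_RE='password|secret'   # assumption: which property names hold secrets

# Check the environment file: mode 600 and a key of at least 48 characters.
# Prints one line per finding; returns 1 if anything was found.
audit_env_file() {
    local file="$1" mode key rc=0
    mode=$(stat -c '%a' "$file") || return 2      # GNU stat (Linux)
    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600"; rc=1
    fi
    key=$(sed -n 's/^INSIGHT_CONFIGURATION_KEY=//p' "$file" | tail -n 1)
    if [ "${#key}" -lt 48 ]; then
        echo "key is ${#key} characters, expected at least 48"; rc=1
    fi
    return "$rc"
}

# Print the names of sensitive properties whose value is not wrapped in ENC(...).
# Comment lines are skipped; returns 1 if any plain-text value is found.
audit_properties() {
    local file="$1" out
    out=$(grep -Ei "^[^#=]*(${SENSITIVE_RE})[^=]*=" "$file" \
        | grep -Ev '=[[:space:]]*ENC\(.*\)[[:space:]]*$' \
        | cut -d= -f1)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample files: the placeholder key, loose permissions and a
# plain-text password, so both audits report something.
demo() {
    local dir; dir=$(mktemp -d)
    printf 'INSIGHT_CONFIGURATION_KEY=secure-random-string\n' > "$dir/environment"
    chmod 644 "$dir/environment"
    printf '%s\n' \
        'insight.server.persistence.mysql.password=plain-text-password' \
        'example.constructed.secret=ENC( constructedvalue )' \
        > "$dir/application.properties"
    audit_env_file "$dir/environment" || true
    audit_properties "$dir/application.properties" || true
    rm -rf "$dir"
}
demo
```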
© 2001-2025 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.