Encrypting your database password v4
Failover Manager requires you to encrypt your database password before including it in the cluster properties file. Use the efm utility located in the /usr/edb/efm-4.<x>/bin directory to encrypt the password. When encrypting a password, you can either pass the password on the command line when you invoke the utility or use the EFMPASS environment variable.
To encrypt a password, use the command:
efm encrypt <cluster_name> [ --from-env ]
Where <cluster_name> specifies the name of the Failover Manager cluster.
If you include the --from-env option, you must export the value you want to encrypt before invoking the encryption utility. For example:
If you don't include the --from-env option, Failover Manager prompts you to enter the database password twice before generating an encrypted password for you to place in your cluster properties file. When the utility displays the encrypted password, copy and paste it into the cluster properties file.
Note
Many Java vendors ship their version of Java with full-strength encryption included but not enabled due to export restrictions. If you encounter an error that refers to an illegal key size when attempting to encrypt the database password, download and enable a Java cryptography extension (JCE) that provides an unlimited policy for your platform.
This example shows using the encrypt utility to encrypt a password for the acctg cluster:
Note
The utility notifies you if a properties file doesn't exist.
After receiving your encrypted password, paste the password into the properties file and start the Failover Manager service. If there's a problem with the encrypted password, the Failover Manager service doesn't start:
If you receive this message when starting the Failover Manager service, see the startup log /var/log/efm-4.8/startup-efm.log for more information.
If you are using RHEL/CentOS 7.x or RHEL/Rocky Linux/AlmaLinux 8.x, startup information is also available with the following command:
To prevent a cluster from inadvertently connecting to the database of another cluster, the cluster name is incorporated into the encrypted password. If you modify the cluster name, you must re-encrypt the database password and update the cluster properties file.
Using the EFMPASS environment variable
This example shows using the --from-env option when encrypting a password. Before invoking the efm encrypt command, set the value of EFMPASS to the password 1safepassword:
Then, invoke efm encrypt, specifying the --from-env option:
The encrypted password 7ceecd8965fa7a5c330eaa9e43696f83 is returned as a text value; when using a script, you can check the exit code of the command to confirm that the command succeeded. A successful execution returns 0.
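A scripted version of the --from-env flow with the exit-code check described above, as an added example that is not EDB's code. The function names and the EFM_BIN override are hypothetical, and the db.password.encrypted property name is assumed from the Failover Manager cluster properties file because it isn't shown on this page.

```bash
#!/usr/bin/env bash
# Added example, not EDB's code. EFM_BIN is an assumed override for the efm
# binary, for example the one under /usr/edb/efm-4.<x>/bin.
EFM_BIN="${EFM_BIN:-efm}"

# encrypt_db_password <cluster_name>
# Reads the plaintext password from stdin, prints the encrypted value.
encrypt_db_password() {
    local cluster="$1" plain="" enc="" rc=0
    [ -n "$cluster" ] || { echo "cluster name required" >&2; return 2; }
    # stdin keeps the password out of argv, shell history and the script.
    IFS= read -r plain || true
    [ -n "$plain" ] || { echo "no password on stdin" >&2; return 2; }
    # Prefix assignment: EFMPASS is placed in the environment of this one
    # efm invocation instead of being exported for the whole session.
    enc="$(EFMPASS="$plain" "$EFM_BIN" encrypt "$cluster" --from-env)" || rc=$?
    plain=""
    if [ "$rc" -ne 0 ]; then
        echo "efm encrypt failed for cluster '$cluster' (exit $rc)" >&2
        return "$rc"
    fi
    [ -n "$enc" ] || { echo "efm encrypt returned no output" >&2; return 1; }
    printf '%s\n' "$enc"
}

# set_encrypted_password <properties_file> <encrypted_value>
# Replaces the value of the existing db.password.encrypted line. The file is
# rewritten in place, so it keeps its owner and mode.
set_encrypted_password() {
    local props="$1" enc="$2" tmp="" rc=0
    [ -f "$props" ] || { echo "properties file not found: $props" >&2; return 1; }
    grep -q '^db\.password\.encrypted=' "$props" ||
        { echo "db.password.encrypted not found in $props" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    { ENC="$enc" awk '/^db\.password\.encrypted=/ {
          print "db.password.encrypted=" ENVIRON["ENC"]; next } { print }' \
          "$props" > "$tmp" && cat "$tmp" > "$props"; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Because the cluster name is incorporated into the encrypted password, rerun both functions whenever the cluster name changes.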