Security

This topic provides answers to some frequently asked questions on HCL OneDB™ Explore security.

Do I need to keep the initialAdminPassword in the properties file after the HCL OneDB Explore server is started for the first time? Isn't it a security issue to keep the password in plain text in the properties file?

The initialAdminPassword property is only required in the HCL OneDB Explore server properties file the first time the server is started. When the server is started for the very first time, it initializes its internal H2 database and creates the initial admin user. For all subsequent starts of the HCL OneDB Explore server, the admin user will already exist and therefore the initialAdminPassword will be ignored if it is present in the properties file. This means that after the server is started for the first time, you can safely remove the initialAdminPassword property from the properties file, so that the password no longer remains in plain text in that file.

How can I configure HTTPS and/or SSL for HCL OneDB Explore?

To use the Secure Sockets Layer (SSL) protocol to encrypt communication with HCL OneDB Explore, you will need a keystore and certificate. You can use the method that best fits your environment for creating the keystore and certificate, for example, Java keytool or OpenSSL.

  • Configuring HTTPS in the HCL OneDB Explore server

    Once you have the keystore, secure the HCL OneDB Explore web user interface and REST API by configuring HTTPS in the HCL OneDB Explore server. To do so, set the httpsPort, ssl.keystore.file, and ssl.keystore.password properties in your HCL OneDB Explore server properties file. If your key password is different from the keystore password, also set the ssl.key.password property.

    Additionally, if you want to disable HTTP access to the HCL OneDB Explore server so that all communication to and from the server uses HTTPS, set the httpPort to -1 in your properties file. If instead you would like the HCL OneDB Explore server to automatically redirect all HTTP traffic to the HTTPS port, set the redirectHTTPtoHTTPS property to true.

    Sample HCL OneDB Explore server properties file with HTTPS enabled:
    # The initialAdminPassword is only required the first time the OneDB Explore server is started
    initialAdminPassword=myAdminPassword
    
    # configure ports
    httpPort=-1
    httpsPort=8088
    redirectHTTPtoHTTPS=false
    
    # configure keystore
    ssl.keystore.file=/opt/OneDB Explore/mykeystore.jks
    ssl.keystore.password=myStorePassword
    # uncomment the following line if a separate key password is required for your keystore
    #ssl.key.password=myKeyPassword
    
  • Configuring the HCL OneDB Explore agent to encrypt its web socket communication with SSL

    Once you have HTTPS enabled in the HCL OneDB Explore server, you must configure your OneDB Explore agents to encrypt their web socket communication with the HCL OneDB Explore server. If you use the Deploy Agent button in the UI to have the HCL OneDB Explore server automatically deploy the agent, it will automatically configure the agent to use SSL if the OneDB Explore server has HTTPS enabled.

    If you are starting your agents manually, enable SSL by setting the ssl.enable property to true in your agent configuration file and then setting the ssl.keystore.file and ssl.keystore.password properties.

    Sample agent configuration file with SSL enabled:
    # host and port of the OneDB Explore server
    server.host=localhost
    server.port=8088
    
    # The id of the OneDB database server as defined in OneDB Explore
    ONEDB_SERVER.id=1
    
    # SSL configuration
    ssl.enable=true
    ssl.keystore.file=/opt/OneDB Explore/mykeystore.jks
    ssl.keystore.password=myStorePassword

How can I encrypt the internal H2 database that the HCL OneDB Explore server uses?

The OneDB Explore server creates an H2 database to store its internal metadata. The H2 database file, h2db.mv.db, will be created in the directory where you start the HCL OneDB Explore server. It will store information about the groups and servers you define in the tool (including the database server connection credentials), the monitoring and alerting profiles, and alerting incidents.

You can configure encryption for this H2 database file by setting the following properties in your OneDB Explore server configuration file.
h2.encrypt.enable=true
h2.encrypt.password=some_password

Optionally, you can also set the h2.encrypt.algorithm property if you want to set the encryption algorithm to something other than AES.

Note: If you want to encrypt the H2 database, you must set these properties the first time you start the OneDB Explore server when the H2 database is first created and initialized. You cannot change your H2 encryption configuration after the H2 database has been created. If you want to encrypt an H2 database that has already been created, you can use H2's ChangeFileEncryption tool as described in http://www.h2database.com/html/features.html#file_encryption or you can delete your h2db.mv.db file and have the OneDB Explore server recreate it from scratch the next time you start it.
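The following added example (not HCL code and not part of the original page) audits a server properties file against the answers above: a leftover initialAdminPassword, HTTPS with HTTP disabled or redirected, and H2 encryption. The function names, the case-insensitive boolean comparison, and the sample file are assumptions made for illustration.

```python
# Added example: audit a OneDB Explore server properties file (not HCL code).

def parse_properties(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_server_properties(text, first_start_done=True):
    """Return findings for the settings this page covers; [] means none."""
    p = parse_properties(text)
    findings = []
    # The admin user already exists after the first start, so the
    # plain-text password no longer needs to be in the file.
    if first_start_done and "initialAdminPassword" in p:
        findings.append("initialAdminPassword still present after first start")
    port = p.get("httpsPort", "")
    if not (port.isdigit() and int(port) > 0):
        findings.append("httpsPort not set: HTTPS is not configured")
    else:
        for key in ("ssl.keystore.file", "ssl.keystore.password"):
            if not p.get(key):
                findings.append(key + " missing while httpsPort is set")
        # Assumption: boolean values are compared case-insensitively.
        redirect = p.get("redirectHTTPtoHTTPS", "").lower() == "true"
        if p.get("httpPort") != "-1" and not redirect:
            findings.append("httpPort is not -1 and redirectHTTPtoHTTPS is not true")
    if p.get("h2.encrypt.enable", "").lower() != "true":
        findings.append("h2.encrypt.enable is not true: h2db.mv.db is unencrypted")
    return findings


# Constructed sample: HTTPS added but HTTP left open, leftover admin password.
WEAK_SAMPLE = """\
initialAdminPassword=myAdminPassword
httpPort=8080
httpsPort=8088
ssl.keystore.file=/opt/OneDB Explore/mykeystore.jks
ssl.keystore.password=myStorePassword
"""

if __name__ == "__main__":
    for finding in audit_server_properties(WEAK_SAMPLE):
        print("FINDING:", finding)
```

Pass first_start_done=False when checking a file that has not yet been used for the initial start, since initialAdminPassword is required for that start.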

How can I configure HCL OneDB Explore to use SSL when connecting to my database server?

If your database supports or requires SSL connections, you can set up SSL using the connection properties on the Add Server page when adding the server or on the server’s Setup page after it is created.

You must add the following connection properties in order to use SSL on HCL OneDB Explore’s JDBC connections to your database server:
SSLCONNECTION=true
SSL_TRUSTSTORE=/path/to/truststore
SSL_TRUSTSTORE_PASSWORD=password

The truststore/keystore file that you specify must be present both on the machine where the HCL OneDB Explore server is running and on the machine where the OneDB Explore agent is running.

For more information, see Adding Servers and Groups.