Updating Encrypted Keys and Passwords
Overview
ThingWorx Analytics provides a script to simplify the task of updating keys and passwords that are encrypted for security. This encryption update script eliminates the manual work of copying randomly generated Key Store directory and file names and plugging them into a complex Java command. Instead, the script can be launched using a simple command.
The Script
The script, update-encrypted-password, is stored in the install bin directory when either the Analytics Server or the Platform Analytics installers are run.
Depending on whether you are working in a Linux or Windows environment, the command uses the following syntax:
Linux – ./update-encrypted-password.sh <type> <new key>
Windows – update-encrypted-password.bat <type> <new key>
The following example assigns a password of astrust to the Analytics Server truststore:
./update-encrypted-password.sh ats astrust
This single script can be used to update any of the encrypted keys or passwords in the following table. The script parameters required for each key or password are included in the table.
| Key or Password | Description | Script Parameters |
|---|---|---|
| ThingWorx Analytics API Key | This API key is required to communicate with the internal ThingWorx Analytics APIs. | None |
| Analytics Server Keystore Password | This password is required to protect the Analytics Server keystore when TLS protections are enabled for Analytics Server. | type = aks; new key = <Analytics Server keystore password> |
| Analytics Server Truststore Password | Note: Applies to both Analytics Server and Platform Analytics 9.2 and later. This password is required to protect the Analytics Server truststore that is automatically generated during installation when TLS is enabled. | type = ats; new key = <Analytics Server truststore password> |
| ThingWorx AppKey | This AppKey is required for Analytics components to communicate with a ThingWorx server. | type = t; new key = <ThingWorx AppKey> |
| ThingWorx Truststore Password | Note: Applies to both Analytics Server and Platform Analytics 9.2 and later. This password is required to protect the ThingWorx truststore that is automatically generated during installation when TLS is enabled. | type = tts; new key = <ThingWorx truststore password> |
| RabbitMQ Password | This password is required to protect the RabbitMQ exchange which handles communication between Property Transform components. | type = r; new key = <RabbitMQ password> |
| RabbitMQ Keystore Password | This password is required to protect the RabbitMQ keystore when TLS protections are enabled for RabbitMQ. | type = rk; new key = <RabbitMQ keystore password>. Note: You must also update the PropertyTransformSettings section of the platform-settings.json file in your ThingWorx installation directory. For more information see one of the following topics about configuring Property Transform settings in ThingWorx: |
| RabbitMQ Truststore Password | This password is required to protect the RabbitMQ truststore when TLS protections are enabled for RabbitMQ. | type = rt; new key = <RabbitMQ truststore password>. Note: You must also update the PropertyTransformSettings section of the platform-settings.json file in your ThingWorx installation directory. For more information see one of the following topics about configuring Property Transform settings in ThingWorx: |
| ZooKeeper Keystore Password | This password is required to protect the ZooKeeper keystore when TLS protections are enabled for ZooKeeper. | type = zk; new key = <ZooKeeper keystore password>. Note: You must also update this password in the zookeeper/conf/zoo.cfg located in your Analytics Server installation directory. |
| ZooKeeper Truststore Password | This password is required to protect the ZooKeeper truststore when TLS protections are enabled for ZooKeeper. | type = zt; new key = <ZooKeeper truststore password>. Note: You must also update this password in the zookeeper/conf/zoo.cfg located in your Analytics Server installation directory. |
| Flink REST Truststore Password* | This password is required to protect the REST truststore where the root certificate authority is stored when TLS protections are enabled for Flink. | type = fts; new key = <Flink REST truststore password>. Note: If Flink is installed locally, you must also update this plain text password in the flink-1.11/conf/flink-conf.yaml file located in your Platform Analytics installation directory. |
| Flink Client Keystore Password* | This password is required to protect the Client keystore when TLS protections are enabled for Flink. | type = fks; new key = <Flink Client keystore password> |
| Flink Client Key Password* | This password is required to protect the private key in the Client keystore when TLS protections are enabled for Flink. | type = fk; new key = <Flink Client key password> |
| Flink REST Keystore Password* | This password is required to protect the REST keystore when TLS protections are enabled for Flink. It does not need to be encrypted. | Note: This password does not need to be encrypted, but if you change the password, you must also update the plain text password in the flink-1.11/conf/flink-conf.yaml file located in your Platform Analytics installation directory. |
| Flink REST Key Password* | This password is required to protect the private key in the Client keystore when TLS protections are enabled for Flink. It does not need to be encrypted. | Note: This password does not need to be encrypted, but if you change the password, you must also update the plain text password in the flink-1.11/conf/flink-conf.yaml file located in your Platform Analytics installation directory. |
To see some script examples and get information about the required parameters, run the command with the -h switch to display on-screen help. For example: ./update-encrypted-password.sh -h
Note: When running the encryption script to update passwords and keys in a keystore or truststore, maintain the same file names and paths. Only the key or password should change. Changing file names or paths is a more complex process and may require relaunching the installer to modify the installation.
*Flink Passwords on Ubuntu
If you are enabling TLS support for Flink on an Ubuntu operating system, the automated encryption script cannot be used. For a manual workaround, see Updating Flink Passwords on Ubuntu.
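The wrapper below is an added example, not part of the ThingWorx Analytics distribution. It checks the type code against the table above, reads the new value from a hidden prompt so it stays out of shell history, calls the script, and prints the plain-text file the table says must also be edited. The BIN_DIR default and the TWX_ANALYTICS_BIN variable are assumptions.

```sh
#!/bin/sh
# Added example (not PTC code): wrapper around update-encrypted-password.sh.
# The secret is typed at a hidden prompt, so it never lands in shell history.
# It is still passed as an argument to the vendor script, so it is visible in
# the process list while that script runs. The API key row (no parameters) is not handled.

# Assumption: install bin directory; override with TWX_ANALYTICS_BIN.
BIN_DIR="${TWX_ANALYTICS_BIN:-.}"

# Type codes from the table on this page.
valid_type() {
  case "$1" in
    aks|ats|t|tts|r|rk|rt|zk|zt|fts|fks|fk) return 0 ;;
    *) return 1 ;;
  esac
}

# Plain-text config the page says must be edited by hand after each type.
followup_for() {
  case "$1" in
    rk|rt) echo "platform-settings.json: PropertyTransformSettings" ;;
    zk|zt) echo "zookeeper/conf/zoo.cfg" ;;
    fts)   echo "flink-1.11/conf/flink-conf.yaml (local Flink only)" ;;
  esac
}

# Read one line into REPLY without echoing it; restore the terminal on Ctrl-C.
read_hidden() {
  printf '%s' "$1" >&2
  trap 'stty echo; exit 130' INT TERM
  stty -echo; IFS= read -r REPLY; stty echo
  trap - INT TERM
  printf '\n' >&2
}

rotate() {
  valid_type "$1" || { echo "unknown type: $1" >&2; return 2; }
  read_hidden "New value for '$1': "; secret=$REPLY
  read_hidden "Repeat: "
  if [ -z "$secret" ] || [ "$secret" != "$REPLY" ]; then
    echo "empty or mismatched input" >&2; return 3
  fi
  "$BIN_DIR/update-encrypted-password.sh" "$1" "$secret" || return $?
  followup=$(followup_for "$1")
  [ -z "$followup" ] || echo "Also update: $followup"
  unset secret REPLY
}

if [ $# -gt 0 ]; then rotate "$1"; fi
```

Run it with the type code only, for example `sh rotate.sh zk`, and enter the new value at the prompt.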