BigMemory 4.3.10 | Product Documentation | BigMemory Max Security Guide | Using Encrypted Keychains | Reading the Keychain Master Password from a File
 
Reading the Keychain Master Password from a File
Instead of entering the keychain master password manually at startup, you can configure servers and clients to read it automatically from a file.
Note:
Cygwin (on Windows) is not supported for this feature.
Servers Automatically Reading the Keychain Password
1. Implement the interface com.terracotta.management.security.SecretProviderBackEnd (located in the JAR com.terracotta:security-keychain) to fetch a password from a given file. For example:
package com.foo;

import com.terracotta.management.security.SecretProviderBackEnd;

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;

public class MySecretProvider implements SecretProviderBackEnd {
    private byte[] bytes;

    // This method reads the password into a byte array.
    @Override
    public void fetchSecret() {
        try {
            // A relative path is resolved against the working directory of the server process.
            bytes = readPasswordFile("password.pw");
        } catch (IOException ioe) {
            throw new RuntimeException("Cannot read password from file", ioe);
        }
    }

    // Reads the whole file. Its complete contents, including any trailing newline,
    // are used as the password.
    private byte[] readPasswordFile(String filename) throws IOException {
        FileInputStream fis = new FileInputStream(filename);
        try {
            byte[] buffer = new byte[64];
            ByteArrayOutputStream baos = new ByteArrayOutputStream();

            while (true) {
                int read = fis.read(buffer);
                if (read == -1) {
                    break;
                }
                baos.write(buffer, 0, read);
            }

            return baos.toByteArray();
        } finally {
            fis.close();
        }
    }

    // This method returns the byte array containing the password.
    @Override
    public byte[] getSecret() {
        return bytes;
    }
}
2. Create a JAR containing your implementation (MySecretProvider), then copy it to the BigMemory Max server/lib directory.
3. Assuming the new JAR file is called my-secret-provider.jar, edit the start-tc-server script in the BigMemory Max server/bin directory as follows:
UNIX/LINUX
Change the line
-cp "${TC_INSTALL_DIR}/lib/tc.jar" \
to
-cp "${TC_INSTALL_DIR}/lib/tc.jar:${TC_INSTALL_DIR}/lib/my-secret-provider.jar" \
MICROSOFT WINDOWS
Change the line
set CLASSPATH=%TC_INSTALL_DIR%\lib\tc.jar
to
set CLASSPATH=%TC_INSTALL_DIR%\lib\tc.jar;%TC_INSTALL_DIR%\lib\my-secret-provider.jar
4. Ensure that the server's configuration includes the <secret-provider> element specifying your implementation:
<security>
  ...
  <keychain>
    <url>/path/to/my/keychain</url>
    <secret-provider>com.foo.MySecretProvider</secret-provider>
  </keychain>
  ...
</security>
At startup, the server will read the keychain password from the file specified in your implementation.
For a simpler solution, you could instead hardcode the password:
package com.foo;

import com.terracotta.management.security.SecretProviderBackEnd;

public class MySecretProvider implements SecretProviderBackEnd {

    // This method returns the byte array containing the password.
    @Override
    public byte[] getSecret() {
        return new byte[] {'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};
    }

    // Nothing to fetch: the password is fixed at compile time.
    @Override
    public void fetchSecret() {
    }
}
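A hardened variant of the file-reading provider from step 1, added here as an illustration and not taken from the product documentation: it refuses a world-readable password file and strips the trailing newline that editors append. The path /etc/bigmemory/keychain.pw, the class name CheckedFileSecretProvider and the helper names are assumptions; only the SecretProviderBackEnd interface and its two methods come from the page.

```java
package com.foo;
import com.terracotta.management.security.SecretProviderBackEnd;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
public class CheckedFileSecretProvider implements SecretProviderBackEnd {
    // Assumed location of the password file; not a path from the product documentation.
    private static final String PASSWORD_FILE = "/etc/bigmemory/keychain.pw";
    private byte[] bytes;

    @Override
    public void fetchSecret() {
        Path file = Paths.get(PASSWORD_FILE);
        try {
            rejectIfWorldReadable(file);
            bytes = stripLineTerminators(Files.readAllBytes(file));
        } catch (IOException ioe) {
            throw new RuntimeException("Cannot read password from " + file, ioe);
        }
    }

    // Refuse a password file that any user on the host can read. POSIX only:
    // on file systems without POSIX attributes the check is skipped.
    private static void rejectIfWorldReadable(Path file) throws IOException {
        try {
            if (Files.getPosixFilePermissions(file).contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException("Password file " + file + " is world-readable");
            }
        } catch (UnsupportedOperationException e) {
            // No POSIX permissions on this file system; nothing to check.
        }
    }

    // Editors usually append a newline; drop trailing CR/LF so it is not taken as part of the password.
    static byte[] stripLineTerminators(byte[] raw) {
        int end = raw.length;
        while (end > 0 && (raw[end - 1] == '\n' || raw[end - 1] == '\r')) {
            end--;
        }
        return Arrays.copyOf(raw, end);
    }

    @Override
    public byte[] getSecret() {
        return bytes;
    }
}
```

Package and register this class exactly as in steps 2 to 4, substituting its name in the <secret-provider> element.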
Clients Automatically Reading the Keychain Password
You can set up Terracotta clients to read their keychain's master password in the same way as servers. Implement the interface org.terracotta.toolkit.SecretProvider, overriding fetchSecret() and getSecret() as shown above.
Instead of packaging the implementation in a JAR, name your implementing class in the system property com.terracotta.express.SecretProvider.