Enhance credential security

Starting with ACLI 11.0 introduces secure properties to enhance credential security.

Secure properties improve the security of ACLI configuration files by storing sensitive information like passwords in an encrypted format.

How secure properties work

Secure properties use a key-store solution with password-based encryption (PBE). Your credentials are stored securely and cannot be accessed as plain text.

Using secure properties is optional. However, once enabled, ACLI requires the password before running any actions.

You can add secure properties when creating a site connection with the /sites add command in the ACLI Shell.

Appfire Support cannot recover data from secure properties files. If you forget the password to a file, you must manually rename or delete it in your user home directory.

Before secure properties

Previously, ACLI resolved variables in the acli.properties file by searching other property values, Java system properties, and runtime environment variables.

Secure properties add a fourth location for variable resolution, primarily used for values with a variable name containing the secret: prefix such as ${secret:myJiraPassword}.

How to use secure properties

To start using secure properties, follow these steps:

Create a secure properties file: Start by creating a secure properties file.

Reference secrets in the acli.properties file: Incorporate secrets (like passwords) into the acli.properties file.

Unlock the secure properties file.

Create a secure properties file

When you create the secure properties file (named .acli.keystore), this is stored in your home directory. Each ACLI user on a given system has their own secure properties file.

Customize the secure properties file path

Use the environment variable ACLI_SECURE_PROPERTIES to change the secure properties file path. This is helpful if you have multiple installations of ACLI or need to work with multiple secure properties files.

When adding a secure property for the first time, ACLI asks for the secret's value to be stored. Then, it asks for a new password for the secure properties file.

To create your secure properties file, use the setSecureProperty action, as in the example below:

$ acli system setSecureProperty --name my.secret --secret -
Enter secure value: <secret value prompt>
Secure properties file does not yet exist. Creating...
Enter new secure properties password: <new password prompt>
Confirm secure properties password: <new password prompt>
Secure properties file created.
Value for key 'foo' set in secure properties file.

Reference secrets in the acli.properties file

When the secure properties file is used, it can provide values to acli.properties using substitution variables. These variables are similar to how you refer to environment variables or other properties, using the ${my.variable} syntax.

To refer to secure properties file values, use a syntax such as ${secret:my.secret}. Note the addition of the secret: prefix.

To remove this requirement, set the environment variable ACLI_SECURE_PROPERTIES_SAFE_MODE to false.

When disabled, if a variable name isn't found in acli.properties or the environment, the secure properties file is consulted. This might trigger an interactive prompt requesting a password.

Unlock the secure properties file

If a secure properties file exists and acli.properties contains variables using the secret: prefix, you must enter your password to unlock the file each time you run an ACLI command. This includes when you start the ACLI Shell.

Usually, this means ACLI requests your secure properties file password before proceeding (or reads it from stdin if you are not connected to a terminal).

To bypass this prompt, set the environment variable ACLI_SECURE_PROPERTIES_PASSWORD with your password as the value.