Use the encrypted properties editor

Contrast is bundled with several configuration files in the $CONTRAST_HOME/data/conf directory that are intentionally encrypted on first creation for security. You can modify some of these files through workflows in Contrast.

This table shows the on-premises files that are encrypted by default.

  Name                    Contents
  ad.properties           Information for connecting and configuring Contrast to Active Directory groups for authentication.
  ldap.properties         Information for connecting and configuring Contrast to LDAP groups for authentication.
  database.properties     Host and connection information for configuring communication between Contrast and MySQL.
  cassandra.properties    Host and connection information for configuring communication between Contrast and Cassandra.
  saml.properties         SAML keystore information.

Contrast is also bundled with a small tool for decrypting these files and for assisting with configuration. For example, when running Contrast, you may need to read the values of encrypted properties files outside of the application interface, or automate the update of a property, such as rotating a bind password.

  1. Find the decryption tool in the $CONTRAST_HOME/bin directory.

    • Linux: the file is a simple shell script called edit-properties.

    • Windows: the file is a Windows command file called edit-properties.cmd.

  2. Run the tool from a command prompt.

    $CONTRAST_HOME/bin/edit-properties -e $CONTRAST_HOME/data/esapi -f $CONTRAST_HOME/data/conf/ad.properties
  3. To view or edit an encrypted property, the tool needs two inputs:

    • The path to ESAPI.properties

    • The target file to view or edit

    Get help by executing edit-properties with no arguments:

    contrast@EOP-TeamServer:~/contrast/bin$ ./edit-properties 
    
    usage: property-editor
     -c,--comment <text>      The comment for the top of the file
     -e,--esapi <path>        The path to the ESAPI.properties file
     -f,--targetFile <file>   The properties file to edit
     -o,--print-value         Print out the value of the property and exit
     -p,--property <name>     The name of the property to set
     -v,--value <val>         The value of the property
  4. This is an example of editing an encrypted file in Contrast. Load the file to edit, and you will see all of the values that are stored encrypted in the file. Use the flags listed above to view or edit a single property.

    Add comments to note any change you make to the file, as it can be useful in auditing.

    contrast@TeamServer:~/contrast/bin$ ./edit-properties -e ../data/esapi/ -f ../data/conf/ad.properties
    
    ad.userDn                                         : cn=Directory Manager
    ad.identity.attribute.name                        : mail
    ad.password                                       : NotaRealPassword
    ad.nested.groups.enabled                          : false
    ad.group.users                                    : cn=ContrastUsers,cn=Users,dc=contrastsecurity,dc=com
    ad.group.admin                                    : cn=ContrastAdmins,cn=Users,dc=contrastsecurity,dc=com
    ad.url                                            : ldap://localhost:389
    ad.base                                           : dc=contrastsecurity,dc=com
  5. You can also retrieve the unencrypted value of a single property (for example, from a shell script that backs up the database) by passing the -p and -o parameters to the tool:

    $CONTRAST_HOME/bin/edit-properties \
       -e $CONTRAST_HOME/data/esapi \
       -f $CONTRAST_HOME/data/conf/database.properties \
       -p jdbc.username \
       -o

    Or, update the value of a property in the file by passing a different set of arguments:

    $CONTRAST_HOME/bin/edit-properties \
       -e $CONTRAST_HOME/data/esapi \
       -f $CONTRAST_HOME/data/conf/database.properties \
       -p jdbc.username \
       -v joe.blow \
       -c "Updating JDBC Password"
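The bind-password rotation mentioned at the start of this page, scripted with the two flag sets shown above, as an added example that is not part of the Contrast documentation or product. It assumes the tool lives at $CONTRAST_HOME/bin/edit-properties (CONTRAST_HOME defaulting to ~/contrast, as in the prompts above); EDIT_PROPERTIES, get_prop, set_prop and rotate_bind_password are names chosen for this example.

```shell
#!/bin/sh
# Added example: rotate the Active Directory bind password stored in the
# encrypted ad.properties file with the bundled edit-properties tool, then
# read it back with -o to confirm the write. The variable and function
# names below are this example's own, not Contrast's.
set -eu

CONTRAST_HOME="${CONTRAST_HOME:-$HOME/contrast}"   # assumption: install path
EDIT_PROPERTIES="${EDIT_PROPERTIES:-$CONTRAST_HOME/bin/edit-properties}"
ESAPI_DIR="$CONTRAST_HOME/data/esapi"
AD_PROPS="$CONTRAST_HOME/data/conf/ad.properties"

# Print the decrypted value of one property (-o prints the value and exits).
get_prop() {  # get_prop <file> <property>
    "$EDIT_PROPERTIES" -e "$ESAPI_DIR" -f "$1" -p "$2" -o
}

# Set one property and record an audit comment at the top of the file.
set_prop() {  # set_prop <file> <property> <value> <comment>
    "$EDIT_PROPERTIES" -e "$ESAPI_DIR" -f "$1" -p "$2" -v "$3" -c "$4"
}

# Rotate ad.password: read the new secret from a file rather than from this
# script's arguments (edit-properties itself still receives it via -v, so it
# is briefly visible in the process list), write it with a dated audit
# comment, then verify the stored value before reporting success.
rotate_bind_password() {  # rotate_bind_password <secret-file>
    secret_file="$1"
    new_pw="$(cat "$secret_file")"
    [ -n "$new_pw" ] || { echo "empty secret in $secret_file" >&2; return 1; }
    stamp="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    set_prop "$AD_PROPS" ad.password "$new_pw" \
        "ad.password rotated $stamp by $(id -un)"
    stored="$(get_prop "$AD_PROPS" ad.password)"
    if [ "$stored" != "$new_pw" ]; then
        echo "verification failed: stored value does not match new password" >&2
        return 1
    fi
    echo "ad.password rotated and verified ($stamp)"
}

# Run only when a secret file is given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    rotate_bind_password "$1"
fi
```

The read-back step is what turns a blind write into an auditable one: a mismatch between the value written and the value decrypted from the file fails the rotation instead of leaving Contrast with a bind password nobody can confirm.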