# Use the encrypted properties editor

Contrast is bundled with several configuration files in the `$CONTRAST_HOME/data/conf` directory that are intentionally encrypted on first creation for security. You can modify some of these files through workflows in Contrast.

This table shows on-premises files that are encrypted by default.

| Name | Contents |
|---|---|
| ad.properties | Information for connecting and configuring Contrast to Active Directory groups for authentication. |
| ldap.properties | Information for connecting and configuring Contrast to LDAP groups for authentication. |
| database.properties | Host and connection information for configuring communication between Contrast and MySQL. |
| cassandra.properties | Host and connection information for configuring communication between Contrast and Cassandra. |
| saml.properties | SAML keystore information. |

Contrast is also bundled with a small tool for decrypting these files and for assisting with configuration. For example, when running Contrast, you may need to access the values of encrypted properties files outside of the application interface, or automate the updating of some property such as automated bind password rotation.

1. Find the decryption tool in the `$CONTRAST_HOME/bin` directory.

• Linux: the file is a simple shell script called edit-properties.

• Windows: the file is a Windows command file called edit-properties.cmd.

2. Run the tool from a command prompt.

```
$CONTRAST_HOME/bin/edit-properties -e $CONTRAST_HOME/data/esapi -f $CONTRAST_HOME/data/conf/ad.properties
```

3. You must have inputs to view and/or edit an encrypted property. The primary inputs that you need to view or edit the file are:

• The path to ESAPI.properties

• The target file for editing

Get help by executing edit-properties with no arguments:

```
contrast@EOP-TeamServer:~/contrast/bin$ ./edit-properties

usage: property-editor
-c,--comment <text>      The comment for the top of the file
-e,--esapi <path>        The path to the ESAPI.properties file
-f,--targetFile <file>   The properties file to edit
-o,--print-value         Print out the value of the property and exit
-p,--property <name>     The name of the property to set
-v,--value <val>         The value of the property
```

4. This is an example of editing an encrypted file in Contrast. Load the file to edit. You will see all of the existing values encrypted in the file. Use the flags listed above to view or edit a single property.

```
contrast@TeamServer:~/contrast/bin$ ./edit-properties -e ../data/esapi/ -f ../data/conf/ad.properties
ad.userDn : cn=Directory Manager
ad.identity.attribute.name : mail
ad.password : NotaRealPassword
ad.nested.groups.enabled : false
ad.group.users : cn=ContrastUsers,cn=Users,dc=contrastsecurity,dc=com
ad.group.admin : cn=ContrastAdmins,cn=Users,dc=contrastsecurity,dc=com
ad.url : ldap://localhost:389
ad.base : dc=contrastsecurity,dc=com
```

5. You can also retrieve the unencrypted value of a property (for example, for use in a shell script that backs up the database) by passing another parameter to the tool:

```
$CONTRAST_HOME/bin/edit-properties \
-e $CONTRAST_HOME/data/esapi \
-f $CONTRAST_HOME/data/conf/database.properties \
-o
```

```
$CONTRAST_HOME/bin/edit-properties \
-e $CONTRAST_HOME/data/esapi \
-c "Updating JDBC Password"
```
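
The automated bind password rotation mentioned in the introduction, scripted with the flags from the usage output above. This is an added example, not Contrast's own code; it assumes `CONTRAST_HOME` is exported, that `-p <name> -o` prints only that property's decrypted value, and that the tool exits non-zero on failure. `rotate_property` and its secret-file argument are hypothetical names.

```shell
#!/bin/sh
# Added example, not Contrast's own code. Assumptions: CONTRAST_HOME is
# exported, `-p NAME -o` prints only that property's decrypted value, and
# edit-properties exits non-zero on failure. rotate_property is a
# hypothetical helper name.

# usage: rotate_property <file in data/conf> <property> <secret-file>
rotate_property() {
    tool="$CONTRAST_HOME/bin/edit-properties"
    esapi="$CONTRAST_HOME/data/esapi"
    conf="$CONTRAST_HOME/data/conf/$1"
    prop="$2"
    secret_file="$3"

    [ -x "$tool" ] || { echo "edit-properties not found: $tool" >&2; return 2; }
    [ -f "$conf" ] || { echo "no such properties file: $conf" >&2; return 2; }

    # Take the new value from a file (mode 0600, owned by the service
    # account) so it never lands in this script's arguments or shell history.
    new_value=$(cat "$secret_file") || return 2
    [ -n "$new_value" ] || { echo "refusing to set an empty value" >&2; return 2; }

    # Copy the still-encrypted file first; -p keeps owner and mode, so the
    # backup is no more readable than the original.
    backup="$conf.bak.$$"
    cp -p "$conf" "$backup" || return 3

    # -v puts the value in the tool's argv, which other local users can see
    # in the process list while it runs; run this on a restricted host.
    if ! "$tool" -e "$esapi" -f "$conf" -p "$prop" -v "$new_value" \
            -c "Rotated $prop" >/dev/null; then
        mv -f "$backup" "$conf"
        echo "update failed, original file restored" >&2
        return 4
    fi

    # Read the property back and compare before discarding the backup.
    current=$("$tool" -e "$esapi" -f "$conf" -p "$prop" -o) || current=
    if [ "$current" != "$new_value" ]; then
        mv -f "$backup" "$conf"
        echo "verification failed, original file restored" >&2
        return 5
    fi
    rm -f "$backup"
}
```

Call it as `rotate_property ad.properties ad.password <secret-file>`; a non-zero return means the original encrypted file is still in place.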