August 5, 2019 at 4:30 pm #26166
When we export the configuration through Amster, if there is any password attribute we get it encrypted in the exported JSON file (assuming we have the transport key, sms.transport.key, in the JCEKS keystore).
Now at the time of importing the configuration (while standing up another instance of AM in the same site OR a different stand-alone AM), can I send the same encrypted password value as-is through the amster import-config command?
(assuming that I have already imported the SAME sms.transport.key in the JCEKS keystore of this AM instance)
Do I have to first modify the exported JSON file, take out the encrypted value of the password and replace it with the plain-text value, and then finally import the JSON through the import-config command?
Thanks.
August 8, 2019 at 11:10 am #26176
As long as the sms.transport.key is present and refers to the same cryptographic key, you should not need to update the JSON files, you should be able to import them as is.
August 8, 2019 at 3:29 pm #26179
Thanks Peter. That is logical and my expectation too.
So in that case,
if the password-value is different for the AM-instance where I am trying to import the exported JSON files then do I have to first manually delete the encrypted password from the exported JSON file and replace it with
1. plain-text value of the new password
2. out-of-band encrypt the new password with the sms.transport.key and then replace the old encrypted value in the JSON file with this new encrypted value
Thanks.
August 8, 2019 at 3:39 pm #26182
Trying to import one deployment’s configuration into a different deployment (having different sms.transport.key suggests that we are talking about different deployments) is not a great idea. Each environment should have its own set of password/configuration.
You are correct nonetheless, either you’ll have to remove the -encrypted attributes from the JSON export and manually enter the passwords in clear text, or somehow generate the new encrypted password values.
August 8, 2019 at 5:29 pm #26184
Thanks Peter. Appreciate your quick response.
So both options are acceptable by AM, meaning
1. I can send the password in clear text
2. generate the new encrypted password
I have one question each for both scenarios.
If I pick the first one, how would AM differentiate the plain-text from the encrypted one? After all, both are Strings that amster is sending out to AM through the import-config command.
If I pick the second option, does amster have commands to encrypt the plain-text?
Thanks.
August 8, 2019 at 5:57 pm #26186
Oh my bad Peter !!!
If I am sending the encrypted value then I use that element of the exported JSON, e.g.,
"userpassword-encrypted" : "AAAAA0FFUwIQioF2gBZ843fbyIwzyxix5d3grwITdnaEYKTawfXO7d/X6UMAECvPbg=="
If I am using the plain-text value then I use the other one
"userpassword" : "change it"
So the only piece of puzzle is, how can I encrypt any plain-text using certain sms.transport.key so that AM can decrypt it and then take it further to the config-store.
Thanks.
August 8, 2019 at 9:31 pm #26188
There is no tool or amster command for this. The encryption key only exists at the AM server instances, so your best bet is to configure the password in the new deployment once (manually or using the plain-text approach), and then export the amster configuration including the encrypted passwords.
August 8, 2019 at 11:13 pm #26192
Thanks Peter. Almost there.
So if we do not want to store the plain-text password in the JSON file, then I would import the JSON with a NULL value, e.g., "userpassword" : null
Once import-config has successfully finished, I will open the console and fill in the password field.
So though the password could be a required config field, I believe amster import-config will configure the whole AM instance without it.
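The two options discussed in this thread (drop the -encrypted attributes and supply the passwords in clear text, or leave them null and fill them in afterwards) can be scripted before running import-config. The following is an added example, not part of the thread and not ForgeRock code; the sample JSON, the `bindpassword` attribute and the function names are constructed, and only the `userpassword` / `userpassword-encrypted` naming comes from the posts above.

```python
import json

SUFFIX = "-encrypted"

# Constructed sample; only the two userpassword attribute names come from the thread.
SAMPLE_EXPORT = """
{
  "data": {
    "_id": "example-store",
    "username": "cn=admin",
    "userpassword-encrypted": "CONSTRUCTED-CIPHERTEXT-FROM-OTHER-DEPLOYMENT",
    "servers": [{"host": "ds.example.com", "bindpassword-encrypted": "CONSTRUCTED"}]
  }
}
"""

def strip_encrypted(node, secrets, path=""):
    """Swap every '<name>-encrypted' string for '<name>' taken from `secrets`.

    Names missing from `secrets` become None (JSON null) so no stale
    ciphertext from the source deployment is imported. Returns the paths changed.
    """
    changed = []
    if isinstance(node, dict):
        for key in list(node):  # snapshot: the dict is modified in the loop
            value = node[key]
            if key.endswith(SUFFIX) and isinstance(value, str):
                plain = key[: -len(SUFFIX)]
                del node[key]
                node[plain] = secrets.get(plain)
                changed.append(f"{path}/{plain}")
            else:
                changed += strip_encrypted(value, secrets, f"{path}/{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            changed += strip_encrypted(item, secrets, f"{path}/{index}")
    return changed

def prepare_for_import(export_text, secrets):
    """Return (rewritten JSON text, list of attribute paths that were replaced)."""
    doc = json.loads(export_text)
    changed = strip_encrypted(doc, secrets)
    return json.dumps(doc, indent=2), changed

if __name__ == "__main__":
    # In practice the secrets would come from a vault or environment, not source code.
    text, changed = prepare_for_import(SAMPLE_EXPORT, {"userpassword": "change it"})
    print(text)
    print("replaced:", changed)
```

The returned path list doubles as a checklist of the password fields that still need a value in the console when they were left null.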