How to Mark Sensitive Settings and Enable Storing Encrypted Data in the Database Using JMX

UCMDB administrators can mark settings as sensitive and enable storing encrypted values for those settings in the database by using the following JMX methods, added in the UCMDB:service=Settings Services category:

  • listSensitiveSettings - Returns the list of settings that are marked as sensitive.
  • markSettingAsSensitive - Marks a setting as sensitive. Usually sensitive settings contain confidential data. If a setting is marked as sensitive, its data will be encrypted when stored in the database.

    Note: A setting can be marked as sensitive only when its value has been changed. If a setting does not have a value or if the value is out of the box, then the setting cannot be marked as sensitive.
  • markSettingAsNonsensitive - Marks a setting as non-sensitive. Non-sensitive settings have their values stored in plain text in the database. This method is also used to decrypt the sensitive settings you encrypted using the markSettingAsSensitive method.

Note: The following existing settings are already encrypted in the database and cannot be marked as sensitive:

  • ha.cluster.authentication.keystore.password
  • ha.cluster.authentication.shared.secret
  • ha.cluster.message.encryption.keystore.password
  • ssl.server.keystore.password
  • ssl.server.truststore.password

Starting from version 10.21, two new OOTB settings are marked as sensitive by default:

  • java.naming.ldap.search.password
  • jetty.connections.http.probe.basicAuthentication.defaultPassword

Starting from version 10.30, the following OOTB settings are encrypted by the master key all the time. They cannot be marked as non-sensitive, and will not display if you invoke the listSensitiveSettings JMX method:

  • java.naming.ldap.search.password
  • java.naming.provider.url
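
The rules above can be applied as an audit of which confidential settings are still stored unencrypted. The following Python sketch is an added example, not part of UCMDB: it assumes the names returned by listSensitiveSettings have been copied into a list by hand, and the function names and the setting `example.integration.api.token` are constructed for illustration.

```python
# Added example: classifies settings using only the rules stated on this page.
ALREADY_ENCRYPTED = frozenset({
    "ha.cluster.authentication.keystore.password",
    "ha.cluster.authentication.shared.secret",
    "ha.cluster.message.encryption.keystore.password",
    "ssl.server.keystore.password",
    "ssl.server.truststore.password",
})
# From version 10.30 these are always encrypted by the master key and
# do not appear in the listSensitiveSettings output.
MASTER_KEY_FROM_10_30 = frozenset({
    "java.naming.ldap.search.password",
    "java.naming.provider.url",
})

def parse_version(text):
    """Turn '10.30' into (10, 30) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit_setting(name, version, listed_sensitive, value_changed):
    """Return (state, note) for one setting the administrator treats as confidential."""
    if name in ALREADY_ENCRYPTED:
        return ("encrypted", "already encrypted; cannot be marked as sensitive")
    if parse_version(version) >= (10, 30) and name in MASTER_KEY_FROM_10_30:
        return ("encrypted", "master key; not shown by listSensitiveSettings")
    if name in listed_sensitive:
        return ("encrypted", "marked as sensitive")
    if value_changed:
        return ("not encrypted", "invoke markSettingAsSensitive")
    # No value, or still the out-of-the-box value: marking is refused.
    return ("not encrypted", "change the value, then invoke markSettingAsSensitive")

def audit(version, listed_sensitive, confidential):
    """confidential maps setting name -> True if its value was changed from the default."""
    listed = set(listed_sensitive)
    return {name: audit_setting(name, version, listed, changed)
            for name, changed in confidential.items()}

if __name__ == "__main__":
    # Constructed sample: names copied from a listSensitiveSettings result.
    listed = ["jetty.connections.http.probe.basicAuthentication.defaultPassword"]
    wanted = {
        "java.naming.ldap.search.password": True,
        "ssl.server.keystore.password": True,
        "jetty.connections.http.probe.basicAuthentication.defaultPassword": True,
        "example.integration.api.token": True,  # hypothetical setting name
    }
    for name, (state, note) in audit("10.30", listed, wanted).items():
        print(f"{state:14} {name}: {note}")
```

On 10.30 and later, the absence of java.naming.ldap.search.password from the list is expected and is not reported as a gap.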