How to Mark Sensitive Settings and Enable Storing Encrypted Data in the Database Using JMX

UCMDB administrators can mark settings as sensitive and enable storing encrypted values for those settings in the database by using the following JMX methods, which were added in the UCMDB:service=Settings Services category:

  • listSensitiveSettings - Returns the list of settings that are marked as sensitive.
  • markSettingAsSensitive - Marks a setting as sensitive. Usually sensitive settings contain confidential data. If a setting is marked as sensitive, its data will be encrypted when stored in the database.

    Note: A setting can be marked as sensitive only when its value has been changed. If a setting does not have a value or if the value is out of the box, then the setting cannot be marked as sensitive.
  • markSettingAsNonsensitive - Marks a setting as non-sensitive. Non-sensitive settings have their value stored in plain text in the database. This method is also used to decrypt the sensitive settings you encrypted using the markSettingAsSensitive method.

How to mark a setting as sensitive

  1. On the UCMDB server, launch the Web browser and enter the following address: https://localhost:8443/jmx-console.
  2. Click UCMDB:service=Settings Services to open the JMX MBEAN View page.
  3. Click the markSettingAsSensitive method.
  4. Enter the name of the setting you would like to mark as sensitive.

  5. Click Invoke.

How to mark a setting as non-sensitive

  1. On the UCMDB server, launch the Web browser and enter the following address: https://localhost:8443/jmx-console.
  2. Click UCMDB:service=Settings Services to open the JMX MBEAN View page.
  3. Click the markSettingAsNonsensitive method.
  4. Enter the name of the setting you would like to mark as non-sensitive.

  5. Click Invoke.

How to view a list of sensitive settings

  1. On the UCMDB server, launch the Web browser and enter the following address: https://localhost:8443/jmx-console.
  2. Click UCMDB:service=Settings Services to open the JMX MBEAN View page.
  3. Click the listSensitiveSettings method.
  4. Click Invoke.

    A list of settings that are marked as sensitive is returned.

Note: The following existing settings are already encrypted in the database and cannot be marked as sensitive:

  • ha.cluster.authentication.keystore.password
  • ha.cluster.authentication.shared.secret
  • ha.cluster.message.encryption.keystore.password
  • ssl.server.keystore.password
  • ssl.server.truststore.password

Starting from version 10.21, two new OOTB settings are marked as sensitive by default:

  • java.naming.ldap.search.password
  • jetty.connections.http.probe.basicAuthentication.defaultPassword

Starting from version 10.30, the following OOTB settings are encrypted by the master key all the time. They cannot be marked as non-sensitive, and will not display if you invoke the listSensitiveSettings JMX method:

  • java.naming.ldap.search.password
  • java.naming.provider.url
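
The rules above interact (three exception lists plus the changed-value precondition), so the following added example, which is not UCMDB code, works out what to do with each setting you want protected. It assumes dotted numeric version strings, that you paste in the names returned by listSensitiveSettings yourself, and that you know which values were changed from the out-of-the-box ones; the two "custom." setting names are hypothetical.

```python
# Added example, not UCMDB code. Rules come only from the lists on this page.
ALREADY_ENCRYPTED = frozenset({
    "ha.cluster.authentication.keystore.password",
    "ha.cluster.authentication.shared.secret",
    "ha.cluster.message.encryption.keystore.password",
    "ssl.server.keystore.password",
    "ssl.server.truststore.password",
})
# Encrypted by the master key from 10.30 on; hidden from listSensitiveSettings.
MASTER_KEY_SINCE_10_30 = frozenset({
    "java.naming.ldap.search.password", "java.naming.provider.url"})

def parse_version(text):
    """'10.30' -> (10, 30). Assumes dotted numeric version strings."""
    return tuple(int(part) for part in text.strip().split("."))

def plan(version, settings, listed_sensitive):
    """settings: {name: True if the value was changed from the OOTB one};
    listed_sensitive: names returned by listSensitiveSettings, pasted by hand."""
    ver, listed, result = parse_version(version), set(listed_sensitive), {}
    for name, changed in settings.items():
        if name in ALREADY_ENCRYPTED:
            result[name] = "already-encrypted"  # cannot be marked, nothing to do
        elif ver >= (10, 30) and name in MASTER_KEY_SINCE_10_30:
            result[name] = "master-key"         # always encrypted, never listed
        elif name in listed:
            result[name] = "sensitive"          # already marked
        elif changed:
            result[name] = "mark"               # invoke markSettingAsSensitive
        else:
            result[name] = "set-value-first"    # OOTB or empty value cannot be marked
    return result

# Constructed sample input; the two "custom." names are hypothetical.
SAMPLE_SETTINGS = {
    "ssl.server.keystore.password": True,
    "java.naming.ldap.search.password": True,
    "jetty.connections.http.probe.basicAuthentication.defaultPassword": True,
    "custom.integration.api.token": True,
    "custom.smtp.password": False,
}
SAMPLE_LISTED = ["jetty.connections.http.probe.basicAuthentication.defaultPassword"]

if __name__ == "__main__":
    for name, action in plan("10.30", SAMPLE_SETTINGS, SAMPLE_LISTED).items():
        print(f"{action:18} {name}")
```

Settings reported as "mark" are the ones still stored in plain text that the markSettingAsSensitive procedure above will accept.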