Encrypt Agent Property Value

Starting in Hyperic 4.6.6, the agent.properties file supports encrypted property values.

If, prior to first agent startup, you uncomment and assign a plain text value to agent.setup.camPword or agent.keystore.password, the agent will automatically encrypt the property value, as described in Hyperic Security Features and Recommendations.

If you prefer, you can encrypt these property values (and others, if desired) yourself.

About Where the Agent Finds Server Connection Data

Note that upon first successful connection to the Hyperic Server, a Hyperic Agent saves the credentials it used in its /data directory. Upon each restart, the agent looks first in that directory for server connection details. Hence, edits to the username and password (agent.setup.camLogin and agent.setup.camPword) configured in agent.properties have no effect if the agent has valid connection data in its /data directory.

To add an encrypted entry to agent.properties, run the agent start script (AgentHome/bin/hq-agent.sh or AgentHome/bin/hq-agent.bat) with the new set-property option, and supply the name of the property and the value you wish to encrypt.

Do not use the set-property option on an agent upgraded to v4.6.6

The set-property option is only supported for newly installed agents. You cannot manually encrypt properties for an agent that you upgraded to 4.6.6 by pushing the 4.6.6 bundle from the Hyperic Server. Note however that if an upgraded agent's agent.properties file contains uncommented password properties with plaintext values, they will be automatically encrypted.

The command syntax is:

 
./hq-agent.sh set-property PropertyKey PropertyValue 

For example, to set the agent.setup.camPword to "hqadmin":

 
./bin/hq-agent.sh set-property agent.setup.camPword hqadmin

If the properties file does not already define the property, the property definition is added at the end of the agent.properties file; the encrypted value (not plain text) is shown. For example:

 
agent.setup.camPword=ENC(gaSh3I8gg1olL1EDHHJo/g==) 

The key that was used to encrypt the value is saved in AgentHome/conf/agent.scu.

If you encrypt another property value, the key in AgentHome/conf/agent.scu will be used.

Note that after you encrypt agent.setup.camPword (or any property that the agent uses to connect to the server) the agent must be able to access AgentHome/conf/agent.scu or it will fail to start up. Do not delete agent.scu.

If your agent deployment strategy involves distributing a standard agent.properties file to all agents, you must also distribute agent.scu. For more information, see Install Hyperic Agents in Volume.
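
A pre-distribution check for the two rules above, given as an added example that is not part of the Hyperic documentation or product: it reports ENC() values that have no accompanying agent.scu, and password properties still holding plain text. The function names and the sample AgentHome are constructed for illustration; the only assumption is the AgentHome/conf layout this page describes.

```shell
#!/bin/sh
# Added example (not Hyperic code): audit AgentHome/conf before copying it to other hosts.

# Keys of uncommented properties whose value is ENC(...).
encrypted_props() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-]\{1,\}\)[[:space:]]*=[[:space:]]*ENC(.*)[[:space:]]*$/\1/p' "$1"
}

# Keys of the two auto-encrypted password properties that still hold a
# non-empty plain text value. Only the key is printed, never the value.
plaintext_password_props() {
    grep -E '^[[:space:]]*(agent\.setup\.camPword|agent\.keystore\.password)[[:space:]]*=' "$1" |
        grep -v -E '^[^=]*=[[:space:]]*(ENC\(.*\))?[[:space:]]*$' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//'
}

# Returns 0 if clean, 1 if anything was reported, 2 if agent.properties is missing.
audit_agent_conf() {
    a_props="$1/conf/agent.properties"
    a_scu="$1/conf/agent.scu"
    a_rc=0
    [ -f "$a_props" ] || { echo "ERROR: $a_props not found"; return 2; }
    a_enc=$(encrypted_props "$a_props")
    if [ -n "$a_enc" ] && [ ! -f "$a_scu" ]; then
        echo "FAIL: $a_scu is missing but ENC() values are present for:" $a_enc
        a_rc=1
    fi
    a_plain=$(plaintext_password_props "$a_props")
    if [ -n "$a_plain" ]; then
        echo "WARN: plain text value in $a_props for:" $a_plain
        a_rc=1
    fi
    return $a_rc
}

# Constructed sample AgentHome; the ENC() value is the one shown on this page.
make_sample_home() {
    s_dir=$(mktemp -d) || return 1
    mkdir -p "$s_dir/conf"
    cat > "$s_dir/conf/agent.properties" <<'EOF'
#agent.keystore.password=commented-out-constructed-value
agent.setup.camPword=ENC(gaSh3I8gg1olL1EDHHJo/g==)
EOF
    echo "$s_dir"
}

# Run against a real AgentHome by passing its path as the first argument.
if [ "$#" -gt 0 ]; then audit_agent_conf "$1"; fi
```
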

If agent.scu is missing...

If a Hyperic Agent's AgentHome/conf/agent.scu file is missing, subsequent attempts to run the agent start script (hq-agent.sh or hq-agent.bat) with the setup option will fail. To resolve this problem, you must either:

  • Reinstall the agent, or

  • Perform these steps:

    1. Stop the agent.

    2. Delete its /data directory.

    3. Set agent.setup.camPword in AgentHome/conf/agent.properties to a plain text value.

    4. Start the agent.