Password Security in TDI

How do you handle passwords in TDI? By default, they are stored in plain text in your solution's config file. You probably don't want that, and there are a couple of things you can do about it.

Set up a Password Store

This works at a project level. IBM is somewhat vague about this, but the idea is that any time a connector or other component has a password field defined, the config editor will automatically keep that password outside your config. Where it keeps them depends on you setting up a 'Password Repository' in your project. This is usually a properties file, and you set it up as described here in IBM's Misc Config File Options. After you do this, upon the first edit of a password field, you can click on it and you'll see it's as if you had set it to use a property.

You can in theory use a central file, or a connector other than the default file system connector. This would allow you to share the passwords between all your projects, as long as you configured a password store in each of them.

Add Protected Properties

This works at a solution level. IBM details here how you can add properties to your solution properties file with the prefix {protect}-. This is more convenient than a Password Store because it can span multiple projects, allowing you to pull standard service account passwords out of individual connectors and projects.
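A quick way to check that no credential slipped into a properties file without the {protect}- prefix is to lint the file before it is deployed. The script below is an added example, not part of TDI or IBM's documentation: it parses the Java .properties format (comments, '=' or ':' separators, backslash continuations), reports credential-looking keys that lack the prefix, and can emit a corrected copy with the prefix added. The sample file contents and the list of key-name fragments treated as credentials are constructed assumptions; adjust them to your own naming conventions.

```python
"""Lint a TDI solution.properties file for credentials stored without {protect}-.

Added example, not part of TDI. Parses Java .properties syntax and flags
keys that look like credentials but are not marked with the {protect}- prefix.
"""
import re

# Constructed sample of a solution.properties file: two credentials carry the
# {protect}- prefix, one (some.jdbc.password) is still stored in plain text.
SAMPLE_PROPERTIES = r"""
# TDI solution properties (constructed sample)
ldap.url=ldap://ldap.example.internal:389
ldap.bind.dn=cn=svc-tdi,ou=service,dc=example,dc=internal
{protect}-ldap.bind.password=changeme
some.jdbc.url=jdbc:db2://db.example.internal:50000/HR
some.jdbc.username=svc_tdi
some.jdbc.password=Sup3r\
Secret
{protect}-api.token=abcd1234
"""

PROTECT_PREFIX = "{protect}-"
# Key-name fragments assumed to denote a credential (assumption, tune as needed).
CREDENTIAL_HINTS = ("password", "passwd", "pwd", "secret", "token")
_KEY_RE = re.compile(r"^(\s*)([^=:\s]+)(.*)$")


def _is_comment_or_blank(line):
    stripped = line.strip()
    return not stripped or stripped[0] in "#!"


def _continues(line):
    # A single trailing backslash joins the next physical line to this entry.
    return line.endswith("\\") and not line.endswith("\\\\")


def parse_properties(text):
    """Return (key, value) pairs in file order from Java .properties text."""
    pairs, logical = [], []
    for raw in text.splitlines():
        line = raw
        if logical:
            line = line.lstrip()  # leading whitespace of a continuation is dropped
        elif _is_comment_or_blank(line):
            continue  # comments never continue, even with a trailing backslash
        if _continues(line):
            logical.append(line[:-1])
            continue
        logical.append(line)
        entry, logical = "".join(logical), []
        m = re.match(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*)$", entry)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def _looks_like_credential(key):
    return any(hint in key.lower() for hint in CREDENTIAL_HINTS)


def find_unprotected_credentials(text):
    """Return credential-looking keys that lack the {protect}- prefix."""
    return [key for key, _ in parse_properties(text)
            if not key.startswith(PROTECT_PREFIX) and _looks_like_credential(key)]


def add_protect_prefix(text):
    """Return a copy of the file with {protect}- added to unprotected credential keys.

    Only the first physical line of a logical entry carries the key, so
    continuation lines are copied through unchanged.
    """
    out, in_continuation = [], False
    for raw in text.splitlines():
        line = raw
        if not in_continuation and not _is_comment_or_blank(line):
            m = _KEY_RE.match(line)
            if m:
                indent, key, rest = m.groups()
                if not key.startswith(PROTECT_PREFIX) and _looks_like_credential(key):
                    line = f"{indent}{PROTECT_PREFIX}{key}{rest}"
            in_continuation = _continues(line)
        else:
            in_continuation = in_continuation and _continues(line)
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for key in find_unprotected_credentials(SAMPLE_PROPERTIES):
        print(f"unprotected credential: {key}")
```

Run it against a real solution.properties by reading the file into `find_unprotected_credentials`; the {protect}- prefix only marks the key for TDI, so the value is still plain text until TDI next processes the file.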

Encrypt Your Entire Project

You can also encrypt your whole config file as detailed here.

Final Considerations

Don't forget that this is only as safe as your keystore. The password for the default keystore is widely documented, so consider changing it.


If you see errors like these when using the local file store:
2013-03-11 11:49:03,424 ERROR [] - CTGDKE039E Error occurred when creating IBM Tivoli Directory Integrator Property store. Property store: System-Properties Exception: java.sql.SQLNonTransientConnectionException: : Error connecting to server localhost on port 1527 with message Connection refused.

2013-03-11 11:49:03,426 ERROR [] - CTGDKE022E No available property stores to read key 'Solution-Properties:some..jdbc.username'.

You may need to check that your property store is set to listen on the localhost interface, as well as any additional interfaces you may have configured. See the Remote Access page for more information.