HPE Community
HPE Morpheus Enterprise
1828238 Members
2217 Online
109975 Solutions
New Discussion

Encryption on Morpheus Configuration parameters

 
AungKT
Regular Advisor

‎12-04-2022 08:18 PM

‎12-04-2022 08:18 PM

Encryption on Morpheus Configuration parameters

Hello,

I deployed 3 nodes of HA with an external database (Amazon Aurora) on the AWS cloud platform. Regarding data encryption, I applied it at the first node by following this guidance ( Additional Configuration Options — Morpheus Docs documentation)

I rebooted the instance after I performed the steps - Generate ENC Strings for morpheus-secrets.json.
When I checked the secrets.json file , it was updated (Mysql root password, ops password, Rabbitmq and elastic search) except morpheus_password under MySQL. I can access the Morpheus URL after reconfiguring the Morpheus configuration and rebooting the instance.

So, I did additional steps by following " Generate ENC Strings for custom morpheus.rb entries “. In this step, I encrypted the morpheus_password of MySQL and then reconfigure, and reboot it.
When Instance back, I can’t access the Morpheus URL and it says " https status 404 not found”.

So, question is that does Morpheus encryption support for external services or not?

I also noticed that information on the Morpheus website is below and would like to understand it clearly.

{ Service configuration settings are not applicable for externalized services such as external mysql/percona, elasticsearch or rabbitmq clusters. Only connection settings are applicable for external services. }

Thank you,
Aung

0 Kudos
Reply
5 REPLIES 5
AungKT
Regular Advisor

‎12-08-2022 03:38 PM

‎12-08-2022 03:38 PM

Re: Encryption on Morpheus Configuration parameters

Yes, I will also make sure of that. Thanks you @sjabro.

0 Kudos
Reply
Not applicable

‎12-08-2022 09:50 AM

‎12-08-2022 09:50 AM

Re: Encryption on Morpheus Configuration parameters

I believe it is also referring to the actual service configurations as well. If you have an external MySQL cluster, you would set parameters like mysql[‘max_allowed_packet’] = 67108864 in the external system and not in the Morpheus RB file since the MySQL cluster would be independently configured and managed

Reply
rbmorph
HPE Pro

‎12-07-2022 12:32 PM

‎12-07-2022 12:32 PM

Re: Encryption on Morpheus Configuration parameters

Hi @aungkyawthu

I tested the above from our docs link you provided and it appears to be working without issue for me on a new install of 5.5.2 and an external mysql DB.

The steps I took

  • Run “morpheus-ctl get-crypto-string migrate” to get the encrypted values for the morpheus-secrets.json file
  • Update the morpheus-secrets.json with the equivalent values from the migrate command.
  • Ran reconfigure and a Morpheus restart to confirm working

That took care of the embedded services now we need to encrypt the external services.

In this example lets say my MYSQL password is password123 so I will need to run the below to get the encrypted value.

  • morpheus-ctl get-crypto-string string password123

  • This will produce the encrypted string something like $XXXXXXsdfv4ds90098sdsade==

  • We now need to add this to the rb file so my rb file would look something like this.

     mysql['enable'] = false
 mysql['host'] = 'x.x.x.x'
 mysql['morpheus_db'] = 'morpheus'
 mysql['morpheus_db_user'] = 'morpheus'
 mysql['morpheus_password'] = 'ENC($XXXXXXsdfv4ds90098sdsade==)'

  • Save the file, run a reconfigure and restart morpheus-ui

  • My environment comes up without issue.

The question on this statement below in the docs.

{ Service configuration settings are not applicable for externalized services such as external mysql/percona, elasticsearch or rabbitmq clusters. Only connection settings are applicable for external services. }

This is stating that the password in the morpheus-secrets.json are only for the embedded services so if you are using any external services defined in the morpheus.rb file then adding the passwords here for those services will not do anything. Those will need to be done with the custom string command morpheus-ctl get-crypto-string string and then added to the morpheus.rb file on your external services definition.

Reply
AungKT
Regular Advisor

‎12-06-2022 08:29 PM

‎12-06-2022 08:29 PM

Re: Encryption on Morpheus Configuration parameters

Hello @cbunge Any comments please ?

0 Kudos
Reply
AungKT
Regular Advisor

‎12-07-2022 08:15 PM

‎12-07-2022 08:15 PM

Re: Encryption on Morpheus Configuration parameters

Hello @rboyd,

Thank you so much for your feedback. Previously, I also did as you provided but only different is I used suffix ( full command: morpheus-ctl get-crypto-string string $clear_text ‘$suffix’ ) and added " app[‘encrypted_key_suffix’] = ‘key’ " morpheus.rb file. I will try again without suffix as you tested.

Again, thank you so much :smiley:

Regards,
Aung

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.