Celonis Product Documentation

Using a Custom Password Provider

When extracting data from a database via JDBC, the connection is established using the credentials stored in the Celonis Platform to send requests.

While Celonis’ security policy prescribes that all credentials in use are stored encrypted within the Celonis Platform, we acknowledge that some of our customers’ security policies do not allow them to store these credentials in the cloud or to use plain text passwords.

For these cases, a custom password management provider can be integrated. The custom password provider needs to be packaged as a jar file and added to the class path of the extractor application.

This document is a configuration guide for using a custom password provider in Celonis Platform Data Integration.

Step 1: Define your custom password provider

The first step is to implement your custom password provider. For this you will need our connector-external-clients.jar library. With this library, you can implement a simple custom password provider like the one below:

package com.mycompany;

import cloud.celonis.connector.external.client.model.PasswordRequest;
import cloud.celonis.connector.external.client.model.PasswordResponse;
import cloud.celonis.connector.external.client.passwordprovider.CustomPasswordProvider;

public class MyConfidentialPasswordProvider implements CustomPasswordProvider {

    // myInternalPasswordProvider is a placeholder for your own secret source
    // (for example a client for your password vault); declare and initialize it here.

    @Override
    public PasswordResponse getPassword(PasswordRequest passwordRequest) {
        PasswordResponse passwordResponse = new PasswordResponse();
        // Return the password obtained from your own secret source.
        passwordResponse.setPassword(myInternalPasswordProvider.getPassword());
        return passwordResponse;
    }
}

CustomPasswordProvider: Can be used to provide the source system password or proxy passwords. You can also provide passwords for multiple source systems. To differentiate between different types of password requests, use the PasswordRequest object.

PasswordRequest.passwordType: An enum of type PasswordType, describing the type of password requested. Possible values are SOURCE_SYSTEM, PROXY, and INTERNAL_PROXY.

PasswordRequest.host: This field will be populated with the Server Name you specified in the data connection if the passwordType is SOURCE_SYSTEM. If the passwordType is PROXY or INTERNAL_PROXY, this field will be populated with the host in the proxy configuration.

PasswordRequest.username: This field will be populated with the Username you specified in the data connection if the passwordType is SOURCE_SYSTEM. If the passwordType is PROXY or INTERNAL_PROXY, this field will be populated with the user in the proxy configuration.

PasswordRequest.password: This field will be populated with the Password you specified in the data connection if the passwordType is SOURCE_SYSTEM. If the passwordType is PROXY or INTERNAL_PROXY, this field will be populated with the password in the proxy configuration.

The following sample password provider uses the PasswordRequest object to return passwords for the proxy and for different source systems:

package com.mycompany;

import cloud.celonis.connector.external.client.model.PasswordRequest;
import cloud.celonis.connector.external.client.model.PasswordResponse;
import cloud.celonis.connector.external.client.passwordprovider.CustomPasswordProvider;
// PasswordType and PasswordResponseStatus must also be imported from
// connector-external-clients.jar (their package is not shown on this page).

public class MyConfidentialPasswordProvider implements CustomPasswordProvider {

    // myInternalPasswordProvider is a placeholder for your own secret source.

    @Override
    public PasswordResponse getPassword(PasswordRequest passwordRequest) {
        PasswordResponse passwordResponse = new PasswordResponse();
        // Constant-first equals() avoids a NullPointerException when host or username is not set.
        if (passwordRequest.getPasswordType() == PasswordType.PROXY) {
            passwordResponse.setPassword(myInternalPasswordProvider.getProxyPassword());
        } else if ("prod-server-01".equals(passwordRequest.getHost()) && "celonis".equals(passwordRequest.getUsername())) {
            passwordResponse.setPassword(myInternalPasswordProvider.getPasswordForProdServer01());
        } else if ("prod-server-02".equals(passwordRequest.getHost()) && "celonis".equals(passwordRequest.getUsername())) {
            passwordResponse.setPassword(myInternalPasswordProvider.getPasswordForProdServer02());
        } else {
            // Unknown request: report failure instead of returning a default password.
            passwordResponse.setPasswordResponseStatus(PasswordResponseStatus.FAILED);
        }
        return passwordResponse;
    }
}
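
The samples above leave myInternalPasswordProvider undefined. The following is an added example, not Celonis code and not part of connector-external-clients.jar: a stand-in secret source that generalizes the per-host branches into a lookup keyed by password type, host and username, and that returns nothing for unknown requests. The class name, the lookup method, the key layout and the use of a local owner-only properties file are assumptions of this example; replace the file with your vault client where policy requires it.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;

/** Hypothetical stand-in for myInternalPasswordProvider; not part of the Celonis library. */
public class MyInternalPasswordProvider {
    // Only the owner may read or write the secrets file.
    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
    private final Properties secrets = new Properties();

    public MyInternalPasswordProvider(Path file) throws IOException {
        // Refuse a file that group or others can access (POSIX file systems only).
        if (!OWNER_ONLY.containsAll(Files.getPosixFilePermissions(file))) {
            throw new IOException("secrets file must be owner-only (chmod 600): " + file);
        }
        try (Reader in = Files.newBufferedReader(file)) {
            secrets.load(in);
        }
    }

    // Key layout (assumption of this example): TYPE/host/username.
    // From getPassword(), call lookup(request.getPasswordType().name(), request.getHost(),
    // request.getUsername()) and set PasswordResponseStatus.FAILED when the result is empty.
    public Optional<String> lookup(String passwordType, String host, String username) {
        if (passwordType == null || host == null || username == null) {
            return Optional.empty(); // fail closed on incomplete requests
        }
        String value = secrets.getProperty(passwordType + "/" + host + "/" + username);
        return Optional.ofNullable(value).filter(v -> !v.isEmpty());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample entry, written to a temporary owner-only file.
        Path f = Files.createTempFile("secrets", ".properties");
        Files.setPosixFilePermissions(f, OWNER_ONLY);
        Files.writeString(f, "SOURCE_SYSTEM/prod-server-01/celonis=constructed-sample\n");
        MyInternalPasswordProvider store = new MyInternalPasswordProvider(f);
        System.out.println(store.lookup("SOURCE_SYSTEM", "prod-server-01", "celonis").isPresent());
        System.out.println(store.lookup("PROXY", "prod-server-01", "celonis").isPresent());
        Files.delete(f);
    }
}
```

Because the password type is part of the key, a proxy request for a host never receives that host's source system password. Host names containing ":" or "=" must be escaped in the properties file.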

Step 2: Register your custom password provider to the JDBC Extractor Application

In order to register your custom password provider, you need to add the following configuration to your application-local.yml file:

credentialsProvider:
  enabled: true
  type: CUSTOM_CREDENTIALS_PROVIDER
  CUSTOM_CREDENTIALS_PROVIDER:
    passwordProviderImplementation: com.mycompany.MyConfidentialPasswordProvider

The second part is to package your custom password provider as a jar file and add it to the class path of the JDBC Extractor Application. This can be achieved with the following command:

java -Dloader.path=mycustom-password-provider-1.0-SNAPSHOT.jar -Dspring.config.location=application-local.yml -jar connector-jdbc.jar