How to Secure Passwords

The information below is applicable for users upgrading their Connectivity Hub instance(s) to v2.2.0.

• Connectivity Hub does not encrypt passwords stored in configuration by default
• Encryption keys are stored in Environment variables in Connectivity Hub v2.2 and later.
• To secure passwords set the environment variable keys (see "Environment Variables," below)
• Users of Connectivity Hub versions older than v2.2.0, must use the steps below to upgrade their encryption key configuration

Environment Variables

If you are upgrading to Connectivity Hub v2.2, or if you modify the encryption keys below, on the machine running Connectivity Hub, you must set your environment variables, as described below:

Password encryption requires the following environment variables to be set:

• BAInsightSecurityEncriptionKey 
  • The value of this environment variable is used as key encryption algorithm.
  • Example: RgUkXp2s5v8y/B?E(H+KbPeShVmYq3t6
• BAInsightSecuritySaltKey
  • The value of this environment variable is used as a salt key for the encryption algorithm.
  • Note that BAInsightSecuritySaltKey value must be at least 8 characters. 
  • Example: TjWnZr4u7x!A%D*G-KaPdRgUkXp2s5v8
    
    
    
    

How to Add, Change, or Remove your Encryption and/or Salt Keys

When upgrading from Connectivity Hub v2.0-2.1 to v2.2, follow the steps below, regardless of whether you have set the environment variables above.

NOTE: If you change your environment variable encryption keys, you MUST REPEAT THE STEPS BELOW:

1. If you are upgrading to v2.2, before the upgrade, navigate to your Configuration Settings and leave the farm.
   
   1. Run this operation on all the servers hosting Connectivity Hub.
      
      
2. Create the two BA Security environment variables, listed above.
   1. Run this operation on all the servers hosting Connectivity Hub.
   2. If you have already created your environment variable security keys, but have changed them, you must still follow the rest of the steps here.
      
      
3. Recycle all Connectivity Hub websites application pools.
   
   
4. Navigate to your Configuration Settings.
   1. Join the farm
      
   2. Run this operation on all the servers hosting Connectivity Hub.
      
      
5. Manually re-enter all the configured passwords in the Connectivity Hub configuration,
   
   1. Within the Connectivity Hub UI, go to Tools>Configuration>Cache Databases:
      
      1. Click Edit
      2. If you're using SQL account to connect to database, enter your Configuration Settings Cache Database password
      3. Enter your password for all the cache databases
      4. Click Save
   2. Navigate to Configuration Settings>Target directory
      1. Enter your Target Directory password
         1. For Azure AD users, this is your Client Secret
      2. Click Save
   3. Navigate to Configuration Settings>Email Notifications
      1. Enter your Email address and password
      2. Click Save
   4. Navigate to Targets from the top navigation menu
      
      1. Select the Custom Settings tab.
      2. Enter any passwords used for your Targets
         1. For Azure AD users, enter the primary admin key
      3. Click Save
   5. Navigate to Connections from the top navigation menu
      
      1. Open each connection, one at a time, and select the General Settings tab:
         1. Enter the password(s) for all your connections
         2. Click Save
   6. Navigate to Datasets
      1. Open each Dataset connection, one at a time.
      2. Enter the password for each Dataset connection
      3. Click Save
   7. If you use Content Enrichment and specify a user account for authentication:
      1. Navigate to the Enrichment Pipeline integration
      2. Enter your user account Login and Password
      3. Click Save
         
         

Note: Note 2: If you use more BA Insight products that use this encryption mechanism, the same keys are used for all such products (for example, SmartHub and AutoClassifier).
If you don't know this information, please contact BA Insight Support Team. 

Note: Note 3: If you install Connectivity Hub in a multi-server environment, you need to set up the same environment variables on all the servers running Connectivity Hub. 

Note: Note 4: The priority of reading the values from the environment variables is User Environment Variables and then, if user variables are not set, the System Environment Variables are checked.
If you want to have multiple user accounts running multiple BA Insight products that use this encryption mechanism, you can either set up the environment variables for each of the users, or set up the system environment variables.
Note that System environment variables are accessible for all users.