How to Secure Passwords

Note: If you use more BA Insight products that use this encryption mechanism, the same keys are used for all such products (for example, SmartHub and AutoClassifier).
If you don't know this information, please contact BA Insight Support Team. 

The information below is applicable for anyone upgrading their Connectivity Hub instance(s) to v3.0 from v2.2.

Encryption Overview

• Connectivity Hub does not encrypt passwords stored in configuration by default
• Encryption keys are stored in Environment variables in Connectivity Hub v2.2 and later versions.
• To secure passwords, you must set the environment variable keys (see "Environment Variables," below)

Encryption Steps by Connectivity Version

• If you are using Connectivity Hub v2.1, your Connectivity Hub passwords are not encrypted and you must follow all steps in all of the topics below to upgrade your encryption key configuration. 
• If you are using Connectivity Hub v2.2, you may have created encryption keys and configured Connectivity Hub. If so, your passwords are secure and you can skip this topic. If you have not created encryption keys, you must follow all of the topics below to upgrade your encryption key configuration

Environment Variables

If you are upgrading to Connectivity Hub v3.0 or if you modify the encryption keys, you must set your environment variables on the machine running Connectivity Hub, as described below:

Password encryption requires the following environment variables to be set:

• BAInsightSecurityEncriptionKey
  • The value of this environment variable is used as key encryption algorithm.
  • Example: RgUkXp2s5v8y/B?E(H+KbPeShVmYq3t6
• BAInsightSecuritySaltKey
  • The value of this environment variable is used as a salt key for the encryption algorithm.
  • Note that the value of BAInsightSecuritySaltKey must be at least 8 characters. 
  • Example: TjWnZr4u7x!A%D*G-KaPdRgUkXp2s5v8
    
    
    
    

How to Add, Change, or Remove your Encryption and/or Salt Keys

When upgrading from Connectivity Hub v2.1 to v3.0, follow the steps below, regardless of whether you have set the environment variables above.

Note: If you change your environment variable encryption keys, you must repeat the steps below.

1. Launch the Connectivity Hub application.
2. Select Tools > Configuration.
3. Click the button Leave the farm.
   
   1. Run this operation on all the servers hosting Connectivity Hub.
      
4. Create the two BA Security environment variables on your local machine as described above.
   1. Run this operation on all servers hosting Connectivity Hub.
   2. If you have already created your environment variable security keys, but have changed them, you must still follow the rest of the steps here.
      
5. Navigate to the IIS server hosting Connectivity Hub.
6. Recycle all Connectivity Hub web site application pools.
   
7. Navigate back to Connectivity Hub.
8. Go to your Configuration Settings (Tools > Configuration).
   1. Click the button "Join the farm."
      
   2. Run this operation on all the servers hosting Connectivity Hub.
      
9. Manually re-enter all the configured passwords in the Connectivity Hub configuration

10. Within the Connectivity Hub UI, go to Tools>Configuration>Cache Databases:
    

    1. Next to your cache database click the sprocket icon > Edit
    2. Authentication mode
       1. If you're using a Service Account, you do not have a password to enter.
       2. If you're using SQL account to connect to database, enter your Configuration Settings Cache Database password.
    3. Enter your password for all the cache databases
    4. Click Save

11. Next click the Target directory tab (Configuration Settings>Target)
    1. Enter your Target directory password, unless you are using a Service account (does not require a password).
       1. For Azure AD users, this is your Client Secret
    2. Click Save
12. Next click the Email notification tab (Configuration Settings>Email Notifications)
    1. Enter your Email address and password
    2. Click Save
13. Navigate to Targets from the top navigation menu
    
    1. Select a listed Target.
    2. The Target configuration page appears.
       
       
       
    3. Select the Custom Settings tab.
    4. Enter any passwords used for your Targets
       1. For Azure AD users, enter the primary admin key
    5. Click Save
14. Navigate to Connections from the top navigation menu
    
    1. Open each connection, one at a time, and select the General Settings tab:
       1. Enter the password(s) for all your connections
       2. Click Save
15. Navigate to Datasets
    1. Open each Dataset connection, one at a time.
    2. Enter the password for each Dataset connection
    3. Click Save
16. If you use Content Enrichment and specify a user account for authentication:
    1. Navigate to the Enrichment Pipeline integration
    2. Enter your user account Login and Password
    3. Click Save
       
       

Note: If you install Connectivity Hub in a multi-server environment, you need to set up the same environment variables on all the servers running Connectivity Hub. 

Note: The priority of reading the values from the environment variables is User Environment Variables and then, if user variables are not set, the System Environment Variables are checked.
If you want to have multiple user accounts running multiple BA Insight products that use this encryption mechanism, you can either set up the environment variables for each of the users, or set up the system environment variables.
Note that System environment variables are accessible for all users.