Five Stars

Using encrypted passwords

Our DBA wants to lock down the database password for security reasons to one person. We have explored some recommended solutions like PowerUp-crypt, which is on the Talend knowledge base site. But we always come back to the same problem. That is, we have a team of 6 developers who have access to all the Talend jobs and code. The code can decrypt the password file, but it needs the file password in order to do that. So all our developers can see the file password and we're still not secure. Am I missing something, or is there a more preferred way to handle this situation?
On a related note, if there is a solution, can that also be used when importing a schema in the metadata section? It seems to want real values for the connection.
One Star

Re: Using encrypted passwords

I understand the problem is that Talend needs to decrypt the password to send it to the database. If it is decrypted then Talend developers can see it.
I would put the solution back on the DBA. By what method may I authenticate to the database with an encrypted password or no password?
You may also consider how you will support the system when the one person who knows the password is unavailable.
Seventeen Stars

Re: Using encrypted passwords

Usually we use a routine for it. The password is encrypted in the context variables and we decrypt it with a Java routine. One problem still remains: a password to decrypt is needed, and this must be stored in some secure place in plain text.
A very good method is to use the implicit context load. All jobs expect a file at a predefined place (see the configuration of the Implicit Context Load in the Job view->Extras), and this way the job gets its important values only on the production server, where developers normally do not have access. This way you do not need to encrypt the passwords, because nobody has access to this file except the administrators. This is also the only reliable scenario to be sure a job will never run accidentally against the production system.
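The implicit context load described in the last reply only protects the password while the file stays private to the account that runs the job. The following is an added example, not code from the thread or from Talend: a Java routine that refuses to read the context file when anyone other than its owner can access it. The class name `ContextFileGuard`, the method `loadPrivate`, the key names and the `key=value` file format are assumptions, as is a POSIX filesystem on the production server.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;

public class ContextFileGuard { // hypothetical routine name
    // Permission bits that let anyone except the file owner reach the secrets.
    private static final Set<PosixFilePermission> NON_OWNER =
            PosixFilePermissions.fromString("---rwxrwx");

    /** Loads key=value entries only from a regular file that is private to its owner. */
    public static Properties loadPrivate(Path file) throws IOException {
        if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
            throw new SecurityException(file + " is not a regular file");
        }
        Set<PosixFilePermission> leaked = EnumSet.copyOf(NON_OWNER);
        leaked.retainAll(Files.getPosixFilePermissions(file, LinkOption.NOFOLLOW_LINKS));
        if (!leaked.isEmpty()) {
            throw new SecurityException(file + " is accessible beyond its owner: " + leaked);
        }
        Properties context = new Properties();
        try (Reader in = Files.newBufferedReader(file)) {
            context.load(in);
        }
        return context;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample standing in for the file kept on the production server.
        Path file = Files.createTempFile("context", ".properties");
        try {
            Files.write(file, Arrays.asList("db_user=etl_job", "db_password=constructed-sample-value"));
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-r--r--"));
            try {
                loadPrivate(file); // world-readable: must be refused
            } catch (SecurityException e) {
                System.out.println("refused: " + e.getMessage());
            }
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
            Properties context = loadPrivate(file);
            // Print the keys only; the password value never goes to the job log.
            System.out.println("loaded keys: " + new TreeSet<>(context.stringPropertyNames()));
        } finally {
            Files.delete(file);
        }
    }
}
```

The check covers mode bits only; ownership of the file and of its parent directory still has to be set by the administrators so that developers cannot replace the file.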