
Administrate Security


With PLOSSYS CLI you can:

This page gives you a short breakdown of the available security commands. For an in-depth description, refer to the use cases listed above.


Requirements

For the requirements for using PLOSSYS CLI, refer to PLOSSYS CLI.


Commands

Usage: plossys security [options] [command]

Options:
  -V, --version               output the version number
  --consul <value>            consul url (default: "https://localhost:8500")
  --insecure                  accept invalid https certificate from Consul server
  --token <value>             ACL token used to access Consul's key-/value store
  --verbose                   Verbose mode. It prints detailed messages.
  -h, --help                  display help for command

Commands:
  createApiKey [options]      Creates and shows the authentication codes (Api Key, 
                              Decryption Secret, IV and Encrypted Api Key) for the 
                              mainland and islands.
  createPwdSecret [options]   Creates a new secret for encoding passwords.
  encryptPwd [options] <pwd>  Encrypts the given password using the secret from the 
                              specified file or the secret provided as an option.
  help [command]              display help for command

For all commands, the pipe character | can be used with the output but needs to be escaped by -, e.g. -|.


createApiKey

Creates and shows the authentication codes (Api Key, Decryption Secret, IV and Encrypted Api Key) for the mainland and islands. The default behavior requires Consul and the mandatory parameters must be set to SERVICE_DISCOVERY=consul and AUTH_TYPE=apiKey. Mainland codes are stored automatically on Consul in JSON format. Island codes are not stored anywhere and must be sent manually to the island administrators. If the island codes are lost, they must be recreated. If the --local option is set, the codes are always recreated, printed on console and not stored anywhere.

Usage: plossys security createApiKey [options]

Options:

  • --local

    Prints output keys on console and ignores Consul.

  • --mainlandSecret <mainlandSecret>

    Secret key to encrypt and decrypt island API keys on mainland site. This option is ignored, if --local is used and a DECRYPTION_SECRET is already set in Consul.

  • --islands <islands>

    Island names separated by comma. Example: --islands island1,island2,island3

  • --islandsFile <islandsFile>

    YAML file with islands list. The --islands option overrides this option.

  • --yaml

    Generates the output codes on console in YAML format. The default is JSON.

Examples:

  • plossys security createApiKey --islands Alabasta --insecure --yaml > alabasta.txt

    Creates an API key for the remote site Alabasta using Consul and stores the YAML output in the file alabasta.txt. If DECRYPTION_SECRET already exists, the stored one is used for the API key creation. If CLIENTS already exists, the new site is added to the key. Otherwise both keys are created. For prior existing remote sites, the output only shows the API key but no further site specific authentication codes.

  • plossys security createApiKey --islands Alabasta,Pucci --local --yaml

    A new DECRYPTION_SECRET is generated. Creates API keys for the remote sites Alabasta and Pucci. The output (DECRYPTION_SECRET, CLIENTS and site-specific authentication codes) is printed in YAML format to STDOUT. No Consul keys are created or changed.

  • plossys security createApiKey --mainlandSecret 12345678901234567890123456789012 --islandsFile islands.yaml --local --yaml

    The provided secret is used to create API keys for the sites provided via islands.yaml. No Consul keys are created or changed. The output in YAML format is printed to STDOUT.

  • plossys security createApiKey --mainlandSecret 12345678901234567890123456789012 --islandsFile islands.yaml

    Reads the islands.yaml file. If no previously created DECRYPTION_SECRET or CLIENTS exist in Consul, the DECRYPTION_SECRET provided as mainlandSecret is used to create API keys for each site listed in the file. Otherwise the provided secret is ignored. The output is printed to STDOUT.

Example - islands.yml

- Alabasta
- Water Seven
- Pucci
- Bartigo

Example - output when Consul is used and prior sites exist

>plossys security createApiKey --islands Alabasta,Pucci --insecure
✓ Successfully created the security codes for 'Alabasta,Pucci'
✓ Auth Codes:
{
    "mainland": {
        "DECRYPTION_SECRET": "811276721cc416aa53362076c450594ca1cfb90c599fe52758e34db33680e388",
        "CLIENTS": {
            "Water Seven": {
                "IV": "aea52cd273d373c5383a3a952a9291c1",
                "ENCRYPTED_API_KEY": "77517236e8d2942b822cb2532fa61f1e2b9ad936d097d8ebd31d76d1e562b7e54a3cb8792a394082d9c6f4442d4d6f30"
            },
            "Alabasta": {
                "IV": "cbb21e92578082ae22ddd5c9764fef57",
                "ENCRYPTED_API_KEY": "6eba0b2b2b9c6182147832f1bf6f567a96ed556640479bc5dde61c1f4c0ba3bfc2e709b33272b9468e045aa9c0b8322f"
            },
            "Pucci": {
                "IV": "7304f17fc0c9d855e506b902f51127aa",
                "ENCRYPTED_API_KEY": "80acaaad55337b75bc0e99420b341bc40a3d5237fd00392c42b04022d2157d6da5b8ea8ea27e73fcad9a84f68ad7aba8"
            }
        }
    },
    "islands": {
        "Alabasta": {
            "DECRYPTION_SECRET": "8ea9424f757219415b9272aa2f771cb062e4a90f48f1c761dadc44038b97dc5b",
            "IV": "13e7281492bdd1704b4e5bc972241bf3",
            "API_KEY": "e4c294e43d482e4ca61be3b553efa8fd5de79b09eb322be26bb652d5edf12c96",
            "ENCRYPTED_API_KEY": "0e042488ae9284edddf7cd6918f19bf2b46cba5adda5b4bd147bf0637445c6c291216fa4191c57ac718fcc1ce7dcfed3"
        },
        "Pucci": {
            "DECRYPTION_SECRET": "c3b0b52333458add2265854f38fcac4d05f51d7b1f0123ee196acc9a33b98339",
            "IV": "3b3befd6ac16debc28732d65c5ae5007",
            "API_KEY": "5a31177c93a5ecdff8afe39cd6265a8e906a3612ca5db3bc8c7e37d2e46e8626",
            "ENCRYPTED_API_KEY": "3f75b48d6d1f4fa61668dd7cb8fa17192412aaf70a4adc69774fca24e8e0f76d7518f900a0acd30127de66065b00d063"
        },
        "Water Seven": {
            "API_KEY": "c921736d20b8c4f7583c10acd8b137473d4f547822d2798ffeafbcf808049637"
        }
    }
}

Water Seven is the prior existing site. The output only contains its API key. The new sites Alabasta and Pucci have been added to the CLIENTS key in Consul.
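Island codes are not stored anywhere and must be sent manually, so the captured output has to be split per island before it is handed over. The following is an added example, not part of PLOSSYS CLI: it parses the JSON output, separates new islands from prior existing ones, and writes one owner-only file per new island. The function names, the constructed sample and the field-length checks (read off the sample output above) are assumptions.

```python
import json
import os
import re

# Hex lengths per field, read off the sample output on this page (assumption).
FIELD_HEX_LEN = {"DECRYPTION_SECRET": 64, "IV": 32, "API_KEY": 64, "ENCRYPTED_API_KEY": 96}
SAMPLE = "✓ Successfully created ...\n✓ Auth Codes:\n" + json.dumps({  # constructed dummy data
    "mainland": {"DECRYPTION_SECRET": "11" * 32, "CLIENTS": {}},
    "islands": {
        "Alabasta": {"DECRYPTION_SECRET": "aa" * 32, "IV": "bb" * 16,
                     "API_KEY": "cc" * 32, "ENCRYPTED_API_KEY": "dd" * 48},
        "Water Seven": {"API_KEY": "ee" * 32},
    },
})

def parse_auth_codes(cli_output):
    """Skip the status lines printed before the JSON document and parse it."""
    return json.loads(cli_output[cli_output.index("{"):])

def classify_islands(codes):
    """Split islands into new (full code set) and prior existing (API_KEY only)."""
    new, existing = {}, []
    for name, fields in codes["islands"].items():
        keys = set(fields)
        if keys not in (set(FIELD_HEX_LEN), {"API_KEY"}):
            raise ValueError(f"incomplete code set for island {name!r}")
        for key, value in fields.items():
            if not re.fullmatch(r"[0-9a-f]{%d}" % FIELD_HEX_LEN[key], value):
                raise ValueError(f"malformed {key} for island {name!r}")
        if keys == {"API_KEY"}:
            existing.append(name)
        else:
            new[name] = fields
    return new, existing

def write_island_files(new, out_dir):
    """Write one owner-only (0600) JSON file per new island; return the paths."""
    paths = {}
    for name, fields in new.items():
        path = os.path.join(out_dir, re.sub(r"[^A-Za-z0-9_-]", "_", name) + ".json")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never overwrite
        with os.fdopen(fd, "w") as fh:
            json.dump({name: fields}, fh, indent=2)
        paths[name] = path
    return paths

if __name__ == "__main__":
    print("API key only:", classify_islands(parse_auth_codes(SAMPLE))[1])
```

Islands reported as API key only already exist in Consul; their full code set is not shown again in the output.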


createPwdSecret

createPwdSecret creates a new secret for encoding passwords. The secret is either printed to the console or saved to a file.

Usage: plossys security createPwdSecret [--secretFile <fileName> ]

Options:

  • --secretFile

    Name of file to save secret to, optional

Examples:

  • plossys security createPwdSecret

    Prints a new secret to console, like "6ad58d51dcee6518f044ffbdd5d03d37".

  • plossys security createPwdSecret --secretFile secret.json

    Saves the secret as JSON to the file secret.json.

Hint - environment keys SECRET and SECRET_FILE

For storing the secret, the two environment keys SECRET and SECRET_FILE are available. The Output Engine services will need one of those to decrypt the used passwords.


encryptPwd

encryptPwd encrypts the given password using the secret from the specified file or the secret provided as an option.

Usage: plossys security encryptPwd [options] <pwd>

Arguments:

  • pwd: the password to encrypt.

Options:

  • --secretFile <fileName>

    JSON file containing the secret

  • --secret <secret>

    Secret used for encryption

Either --secretFile or --secret must be provided.

Examples:

  • plossys security encryptPwd myPassword --secret 6ad58d51dcee6518f044ffbdd5d03d37

    Prints the encrypted password on console, like "381e3f31a28e9a477bb3f80dcdb4bdba8bdef26f0c71fc15"

  • plossys security encryptPwd myPassword --secretFile secret.json

    Reads secret from file and prints the encrypted password on console, like "381e3f31a28e9a477bb3f80dcdb4bdba8bdef26f0c71fc15"

Hint - environment keys SECRET and SECRET_FILE

Before encrypting a password, check whether a SECRET or SECRET_FILE has already been specified. The decryption only works with the correct secret.


help

help displays the help for the command.

Usage: plossys security help [command]

