cuba.dataSource.password Encryption

Hi CUBA,

Is it possible to encrypt cuba.dataSource.password in the app.properties file?

I want to hide the password for production deployment. I found we can set it by using “tomcat jdbc password encryption”.

Do you have a guide in your documentation and how to bring tomcat to use HikariCP?

Regards,
CK

Hi,
Not sure what you mean by “bring tomcat to use HikariCP”.
CUBA 7.2 uses HikariCP by default.

If you switch your data store’s “define jdbc datasource in” property to “JNDI”, this can be done in production app.properties by setting cuba.dataSourceProvider = jndi - then you will be able to use datasources provided natively by Tomcat and follow any advice from the internet, e.g. this:

Note that the CUBA team does not recommend encrypting the password while storing the decryption password near the encrypted data, because this is “security through obscurity”. It does not add more security to the deployed system. You should use it only if you are forced to (by boss, by security audit etc).
Read more here: Password - Apache Tomcat - Apache Software Foundation

The recommended way of providing the production database password for the CUBA 7.2 deployed application is to set the password with an environment variable on the target server. Thus you will avoid storing sensitive parameters in the source code or in the artifact being deployed.

E.g. set in production app.properties:

cuba.dataSourceProvider=application
cuba.dataSource.username=${CUBA_DB_USER}
cuba.dataSource.password=${CUBA_DB_PASSWORD}
cuba.dataSource.dbName=${CUBA_DB_NAME}
cuba.dataSource.host=${CUBA_DB_HOST}
cuba.dataSource.port=

And set environment variables on the target production server:

CUBA_DB_HOST=127.0.0.1
CUBA_DB_NAME=sales
CUBA_DB_USER=admin
CUBA_DB_PASSWORD=admin
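
A pre-deployment check for the setup described in the answer above, as an added example that is not part of the original post or CUBA's own code: it flags a literal value in cuba.dataSource.password and any ${NAME} placeholder whose environment variable is unset or empty. The function names, the plain key=value parsing and the sample input are assumptions of this example.

```python
import re

# ${NAME} placeholders as used in the app.properties snippet above
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Keys whose values must never be literal (assumption: extend to match your policy)
SENSITIVE_SUFFIXES = (".password",)


def parse_properties(text):
    """Parse simple key=value lines; skips blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_datasource(text, env):
    """Return a list of findings for cuba.dataSource.* settings."""
    findings = []
    for key, value in parse_properties(text).items():
        if not key.startswith("cuba.dataSource."):
            continue
        names = PLACEHOLDER.findall(value)
        literal = PLACEHOLDER.sub("", value)  # what remains is hardcoded text
        if key.endswith(SENSITIVE_SUFFIXES) and literal:
            findings.append(f"{key}: literal secret in file")
        for name in names:
            if not env.get(name):
                findings.append(f"{key}: ${{{name}}} is unset or empty")
    return findings


# Constructed sample input, not taken from a real deployment
SAMPLE = """\
cuba.dataSourceProvider=application
cuba.dataSource.username=${CUBA_DB_USER}
cuba.dataSource.password=${CUBA_DB_PASSWORD}
cuba.dataSource.host=${CUBA_DB_HOST}
cuba.dataSource.port=
"""

if __name__ == "__main__":
    import os
    for finding in audit_datasource(SAMPLE, os.environ):
        print(finding)
```

Run it as the account that starts Tomcat, so the check sees the same environment the application will.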

Hi Alex,

Thank you for your recommendation.

Regards
CK