Encrypt the Oozie Database User Password

Follow these steps to encrypt the password when Oozie uses a MySQL database as the Oozie data store (instead of the default Apache Derby database).
  1. Configure Oozie to use a MySQL database as described in Configure a MySQL Data Store for Oozie.
  2. [OPTIONAL] Export the Hadoop credential store password as a system variable:
    $ export HADOOP_CREDSTORE_PASSWORD=password
  3. Add oozie.service.jpaservice.jdbc.password to the jceks keystore:
    $ hadoop credential create oozie.service.jpaservice.jdbc.password -provider jceks://file/tmp/oozie.jceks
    Enter the password:
    Enter the password again:
    oozie.service.jpaservice.jdbc.password has been successfully created.
    org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
  4. Verify that the MySQL password was added:
    Keystore type: JCEKS
    Keystore provider: SunJCE
                
    Your keystore contains 1 entry
                
    Alias name: oozie.service.jpaservice.jdbc.password
    Creation date: Apr 11, 2018
    Entry type: SecretKeyEntry
  5. Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file with the path to the jceks file. The jceks path location can be maprfs or a local file (local-fs).
    <property>
       <name>hadoop.security.credential.provider.path</name>
       <value>jceks://maprfs/user/mapr/oozie.jceks</value>
    </property>
  6. Update the password property to use ***** instead of a word-readable password:
    <property>
      <name>oozie.service.JPAService.jdbc.password</name>
      <value>*****</value>
    </property>