Encrypt the Oozie Database User Password

Follow these steps to encrypt the password when Oozie uses a MySQL database as the Oozie data store (instead of the default Apache Derby database).
  1. Configure Oozie to use a MySQL database as described in Configure a MySQL Data Store for Oozie.
  2. [OPTIONAL] Export the Hadoop credential store password as a system variable:
    $ export HADOOP_CREDSTORE_PASSWORD=password
  3. Add oozie.service.jpaservice.jdbc.password to the jceks keystore:
    $ hadoop credential create oozie.service.jpaservice.jdbc.password -provider jceks://path/to/oozie.jceks
    Enter the password:
    Enter the password again:
    oozie.service.jpaservice.jdbc.password has been successfully created.
    org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
  4. Verify that the MySQL password was added:
    Keystore type: JCEKS
    Keystore provider: SunJCE
    Your keystore contains 1 entry
    Alias name: oozie.service.jpaservice.jdbc.password
    Creation date: Apr 11, 2018
    Entry type: SecretKeyEntry
  5. Once the jceks file is created, add the hadoop.security.credential.provider.path property to the oozie-site.xml file with the path to the jceks file. The jceks path location can be maprfs or a local file (local-fs).
  6. Update the password property to use ***** instead of a word-readable password: