View Only

 Pentaho metadata editor tool standalone - exported XMI files hold connection password in plain text

Subhashish Mitra's profile image
Subhashish Mitra posted 06-05-2023 00:59

Hello Experts,

I am trying to use Pentaho metadata editor in standalone mode(not the entire PDI) - 9.3 version. When I design my DB schema/views while being connected to my DB and export the same to XMI files, the connection strings along with username/password are stored in plain text which seems to be as a security vulnerability.

The User console of course masks the password field but the file does not.

Snapshot of my XMI file:

    <CWMRDB:Catalog = 'a21' name = 'DBTestConnection'>
        <CWM:TaggedValue = 'a22' tag = 'DATABASE_SERVER' value = ''/>
        <CWM:TaggedValue = 'a23' tag = 'DATABASE_TYPE' value = 'GENERIC'/>
        <CWM:TaggedValue = 'a24' tag = 'DATABASE_ACCESS' value = 'Native'/>

        <CWM:TaggedValue = 'a27' tag = 'DATABASE_USERNAME' value = 'SomeAdminUser'/>
        <CWM:TaggedValue = 'a28' tag = 'DATABASE_PASSWORD' value = 'S0mePsw0rd'/>//visible in plain text.

Is there any way/step that I can use to mask the password in XMI file while it is generated and the tool still would recognize the masked/encrypted password value later during import of the XMI file? (any configuration in the tool)

Any help will be great.



John Craig's profile image
John Craig


Your best option is to define a JNDI definition of your database in


and reference the JNDI name rather than set the explicit DB connection information in your metadata model. Using data source names, rather than explicit connection information is the appropriate way to resolve this problem. It also makes it much simpler to deploy to different environments (such as test & production) if all your development, test, and production environments have their connection information defined indirectly and all Pentaho tools simply use the JNDI name. It may take some trouble to set this up initially, but you'll be very glad you did in the long run. And, by separating the definition of the datasource from the files exported by the various tools, you'll simplify your life considerably.

You can probably also define a Connection in the Pentaho User Console -> Manage Data Sources, then import your XMI file and associate it with the Connection name and re-export the file--but I have not tried that.

Hope that helps,


Stephen Donovan's profile image
Stephen Donovan

The majority of Penthao connections can handle Penthao encrypted passwords.

Just take the output that command and use that full string (including the 'Encrpypted') as your password.  Docs don't mention it, but I believe you can use it on other text fields like user and database name.  

I can do some testing later this week on the scope of fields you can use this to replace plain text.  Wanted to give you the basics first.