RE: Jasypt Encryption Configuration in Apache Kara

2024-05-15 Thread Karsten Blume
Hi,
We use Camel and cfg files for parametrizing Camel and encode the secrets 
in those cfg files.

For this we modify the Camel property reader in our Camel blueprint inside of 
the Camel context:

jasyptRef requested as service being provided for the same blueprint context

PropertiesParser provided by another bundle, globally

So the decryption depends on different service interfaces, according to where you 
need decrypted values.

Hope that helps a bit.
BR
Karsten




From: Jean-Luc . 
Sent: Wednesday, 15 May 2024 09:02
To: user@karaf.apache.org 
Subject: Jasypt Encryption Configuration in Apache Kara

Hello everyone,
I have recently set up Jasypt encryption with my Apache Karaf 4.4.1 instance. I 
was able to successfully encrypt and retrieve data in my Blueprint XML files 
using the following configuration:
jasypt-encryptor.xml (placed in the deploy folder):

file:etc/jasypt-mp.properties

This setup allows me to decrypt data in my Blueprint XML files:
ldap-module.xml (also in the deploy folder):

connection.url = ${connection.url}
connection.username= ${ldap.user}
connection.password= ${ldap.password}

This configuration allows me to retrieve my encrypted properties correctly 
(e.g., ldap.password="ENC(encrypted_password)").
However, I am facing difficulties applying the same ENC(...) method in my 
org.ops4j.pax.web.cfg file to decrypt keystore and truststore passwords. It 
appears that I haven't specified anywhere that the decryptor should be used for 
these configurations. I am experiencing a similar issue with my 
org.ops4j.datasource-x.cfg files, which register as datasources in my Apache 
Karaf instance.
I've reviewed the Karaf documentation and other resources but haven't found a 
clear solution to this problem. Does anyone have experience or insights on how 
to resolve this issue? Specifically, how can I configure my setup to use the 
Jasypt decryptor for these .cfg files?
Thank you in advance for your help!
Best regards




Re: Jasypt Encryption Configuration in Apache Kara

2024-05-15 Thread Grzegorz Grzybek
On Wed, 15 May 2024 at 10:14, Jean-Luc . wrote:

> Hello,
>
> Thanks for your quick reply. I'm afraid it's beyond my capabilities to do
> this unfortunately, I'll give it a try though.
>
> Does this mean that most people simply use sensitive data in clear text
> and secure access to it and to the karaf console? Maybe I'm missing
> something obvious?
>

I mean even if you encrypt the content of a *.cfg file, you need a
decryption key and PBE password stored somewhere (else)... Unless you start
your server and stick a PKCS11 card to your secure hardware slot, you can
get the fragile data anyway...

regards
Grzegorz Grzybek


>
> Thanks in advance
>
> Best Regards
> Jean-Luc
> --
> *From:* Grzegorz Grzybek 
> *Sent:* Wednesday, 15 May 2024 09:39
> *To:* user@karaf.apache.org 
> *Subject:* Re: Jasypt Encryption Configuration in Apache Kara
>
> Hello
>
> I don't have a clear answer for you...
> Simply mind that "" is a blueprint feature which
> allows to postprocess "bean definitions" before these are used to create
> instances of beans. At the stage of such postprocessing, values can be
> replaced with decrypted values.
>
> This is completely different compared to `*.cfg` files. These files are
> property files processed by Felix Fileinstall before using them to populate
> Configuration Admin configs.
> Here you also have a stage where files are read, but not yet passed to
> Configuration Admin. There are ways to do that, but Karaf (afaik) doesn't
> provide such solution out of the box.
>
> Namely - you can register an OSGi service implementing
> "org.apache.felix.cm.PersistenceManager" interface, which has methods like:
>
>    - org.apache.felix.cm.PersistenceManager#load
>    - org.apache.felix.cm.PersistenceManager#store
>
> this is the only way you can "hook-in" and do the encryption/decryption
> manually.
>
> kind regards
> Grzegorz Grzybek
>
> On Wed, 15 May 2024 at 09:02, Jean-Luc . wrote:
>
> Hello everyone,
> I have recently set up Jasypt encryption with my Apache Karaf 4.4.1
> instance. I was able to successfully encrypt and retrieve data in my
> Blueprint XML files using the following configuration:
> jasypt-encryptor.xml (placed in the deploy folder):
>
> 
> 
>
>  class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
> 
>  class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
>  value="PBEWithHmacSHA256AndAES_256"/>
> 
> 
> 
> 
> 
> 
> 
>
> 
>  interface="org.jasypt.encryption.StringEncryptor"/>
>
> 
> 
> file:etc/jasypt-mp.properties
> 
>
> 
>
> This setup allows me to decrypt data in my Blueprint XML files:
> ldap-module.xml (also in the deploy folder):
>
> 
> 
>
> 
>  className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
> flags="required">
> connection.url = ${connection.url}
> connection.username= ${ldap.user}
> connection.password= ${ldap.password}
> 
> 
>
> 
>  placeholder-suffix="|"/>
> 
>  keystorePassword="$|keystore.password|"/>
>
>  interface="org.jasypt.encryption.StringEncryptor"/>
> 
>
> 
>
> This configuration allows me to retrieve my encrypted properties correctly
> (e.g., ldap.password="ENC(encrypted_password)").
> However, I am facing difficulties applying the same ENC(...) method in my
> org.ops4j.pax.web.cfg file to decrypt keystore and truststore passwords.
> It appears that I haven't specified anywhere that the decryptor should be
> used for these configurations. I am experiencing a similar issue with my
> org.ops4j.datasource-x.cfg files, which register as datasources in my
> Apache Karaf instance.
> I've reviewed the Karaf documentation and other resources but haven't
> found a clear solution to this problem. Does anyone have experience or
> insights on how to resolve this issue? Specifically, how can I configure my
> setup to use the Jasypt decryptor for these .cfg files?
> Thank you in advance for your help!
> Best regards
>
>
>
>


RE: Jasypt Encryption Configuration in Apache Kara

2024-05-15 Thread Jean-Luc .
Hello,

Thanks for your quick reply. I'm afraid it's beyond my capabilities to do this 
unfortunately, I'll give it a try though.

Does this mean that most people simply use sensitive data in clear text and 
secure access to it and to the karaf console? Maybe I'm missing something 
obvious?

Thanks in advance

Best Regards
Jean-Luc

From: Grzegorz Grzybek 
Sent: Wednesday, 15 May 2024 09:39
To: user@karaf.apache.org 
Subject: Re: Jasypt Encryption Configuration in Apache Kara

Hello

I don't have a clear answer for you...
Simply mind that "" is a blueprint feature which 
allows to postprocess "bean definitions" before these are used to create 
instances of beans. At the stage of such postprocessing, values can be replaced 
with decrypted values.

This is completely different compared to `*.cfg` files. These files are 
property files processed by Felix Fileinstall before using them to populate 
Configuration Admin configs.
Here you also have a stage where files are read, but not yet passed to 
Configuration Admin. There are ways to do that, but Karaf (afaik) doesn't 
provide such solution out of the box.

Namely - you can register an OSGi service implementing 
"org.apache.felix.cm.PersistenceManager" interface, which has methods like:

  *   org.apache.felix.cm.PersistenceManager#load
  *   org.apache.felix.cm.PersistenceManager#store

this is the only way you can "hook-in" and do the encryption/decryption 
manually.

kind regards
Grzegorz Grzybek

On Wed, 15 May 2024 at 09:02, Jean-Luc . wrote:
Hello everyone,
I have recently set up Jasypt encryption with my Apache Karaf 4.4.1 instance. I 
was able to successfully encrypt and retrieve data in my Blueprint XML files 
using the following configuration:
jasypt-encryptor.xml (placed in the deploy folder):

file:etc/jasypt-mp.properties

This setup allows me to decrypt data in my Blueprint XML files:
ldap-module.xml (also in the deploy folder):

connection.url = ${connection.url}
connection.username= ${ldap.user}
connection.password= ${ldap.password}

This configuration allows me to retrieve my encrypted properties correctly 
(e.g., ldap.password="ENC(encrypted_password)").
However, I am facing difficulties applying the same ENC(...) method in my 
org.ops4j.pax.web.cfg file to decrypt keystore and truststore passwords. It 
appears that I haven't specified anywhere that the decryptor should be used for 
these configurations. I am experiencing a similar issue with my 
org.ops4j.datasource-x.cfg files, which register as datasources in my Apache 
Karaf instance.
I've reviewed the Karaf documentation and other resources but haven't found a 
clear solution to this problem. Does anyone have experience or insights on how 
to resolve this issue? Specifically, how can I configure my setup to use the 
Jasypt decryptor for these .cfg files?
Thank you in advance for your help!
Best regards




Re: Jasypt Encryption Configuration in Apache Kara

2024-05-15 Thread Grzegorz Grzybek
Hello

I don't have a clear answer for you...
Simply mind that "" is a blueprint feature which
allows to postprocess "bean definitions" before these are used to create
instances of beans. At the stage of such postprocessing, values can be
replaced with decrypted values.

This is completely different compared to `*.cfg` files. These files are
property files processed by Felix Fileinstall before using them to populate
Configuration Admin configs.
Here you also have a stage where files are read, but not yet passed to
Configuration Admin. There are ways to do that, but Karaf (afaik) doesn't
provide such solution out of the box.

Namely - you can register an OSGi service implementing
"org.apache.felix.cm.PersistenceManager" interface, which has methods like:

   - org.apache.felix.cm.PersistenceManager#load
   - org.apache.felix.cm.PersistenceManager#store

this is the only way you can "hook-in" and do the encryption/decryption
manually.

kind regards
Grzegorz Grzybek

On Wed, 15 May 2024 at 09:02, Jean-Luc . wrote:

> Hello everyone,
> I have recently set up Jasypt encryption with my Apache Karaf 4.4.1
> instance. I was able to successfully encrypt and retrieve data in my
> Blueprint XML files using the following configuration:
> jasypt-encryptor.xml (placed in the deploy folder):
>
> 
> 
>
>  class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
> 
>  class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
>  value="PBEWithHmacSHA256AndAES_256"/>
> 
> 
> 
> 
> 
> 
> 
>
> 
>  interface="org.jasypt.encryption.StringEncryptor"/>
>
> 
> 
> file:etc/jasypt-mp.properties
> 
>
> 
>
> This setup allows me to decrypt data in my Blueprint XML files:
> ldap-module.xml (also in the deploy folder):
>
> 
> 
>
> 
>  className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
> flags="required">
> connection.url = ${connection.url}
> connection.username= ${ldap.user}
> connection.password= ${ldap.password}
> 
> 
>
> 
>  placeholder-suffix="|"/>
> 
>  keystorePassword="$|keystore.password|"/>
>
>  interface="org.jasypt.encryption.StringEncryptor"/>
> 
>
> 
>
> This configuration allows me to retrieve my encrypted properties correctly
> (e.g., ldap.password="ENC(encrypted_password)").
> However, I am facing difficulties applying the same ENC(...) method in my
> org.ops4j.pax.web.cfg file to decrypt keystore and truststore passwords.
> It appears that I haven't specified anywhere that the decryptor should be
> used for these configurations. I am experiencing a similar issue with my
> org.ops4j.datasource-x.cfg files, which register as datasources in my
> Apache Karaf instance.
> I've reviewed the Karaf documentation and other resources but haven't
> found a clear solution to this problem. Does anyone have experience or
> insights on how to resolve this issue? Specifically, how can I configure my
> setup to use the Jasypt decryptor for these .cfg files?
> Thank you in advance for your help!
> Best regards
>
>
>
>
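
One way the `PersistenceManager` hook described in the reply above could look, as an added example that is not part of the thread or of Karaf. The class name `DecryptingPersistenceManager` and the wrapped `delegate` are assumptions, and registering the class as an OSGi service is not shown.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.Hashtable;
import org.apache.felix.cm.PersistenceManager;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.properties.PropertyValueEncryptionUtils;

// Hypothetical class (added example): wraps another PersistenceManager and
// decrypts ENC(...) values whenever a configuration is loaded.
@SuppressWarnings({"rawtypes", "unchecked"})
public class DecryptingPersistenceManager implements PersistenceManager {
    private final PersistenceManager delegate; // assumption: the manager that really stores configs
    private final StringEncryptor encryptor;   // the StringEncryptor service from the thread

    public DecryptingPersistenceManager(PersistenceManager delegate, StringEncryptor encryptor) {
        this.delegate = delegate;
        this.encryptor = encryptor;
    }

    @Override public boolean exists(String pid) { return delegate.exists(pid); }
    @Override public void delete(String pid) throws IOException { delegate.delete(pid); }
    @Override public Dictionary load(String pid) throws IOException { return decrypt(delegate.load(pid)); }

    @Override public Enumeration getDictionaries() throws IOException {
        ArrayList<Dictionary> all = new ArrayList<>();
        for (Enumeration e = delegate.getDictionaries(); e.hasMoreElements();) {
            all.add(decrypt((Dictionary) e.nextElement()));
        }
        return Collections.enumeration(all);
    }

    // Passed through unchanged: if a dictionary obtained from load() is stored
    // back, the delegate receives the decrypted values in clear text.
    @Override public void store(String pid, Dictionary props) throws IOException { delegate.store(pid, props); }

    private Dictionary decrypt(Dictionary in) {
        Dictionary out = new Hashtable();
        for (Enumeration keys = in.keys(); keys.hasMoreElements();) {
            Object key = keys.nextElement();
            Object value = in.get(key);
            if (value instanceof String && PropertyValueEncryptionUtils.isEncryptedValue((String) value)) {
                value = PropertyValueEncryptionUtils.decrypt((String) value, encryptor);
            }
            out.put(key, value);
        }
        return out;
    }
}
```

Values decrypted this way are held in clear text inside Configuration Admin, so access to the Karaf console and to the PBE password still has to be restricted.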


Jasypt Encryption Configuration in Apache Kara

2024-05-15 Thread Jean-Luc .
Hello everyone,
I have recently set up Jasypt encryption with my Apache Karaf 4.4.1 instance. I 
was able to successfully encrypt and retrieve data in my Blueprint XML files 
using the following configuration:
jasypt-encryptor.xml (placed in the deploy folder):

file:etc/jasypt-mp.properties

This setup allows me to decrypt data in my Blueprint XML files:
ldap-module.xml (also in the deploy folder):

connection.url = ${connection.url}
connection.username= ${ldap.user}
connection.password= ${ldap.password}

This configuration allows me to retrieve my encrypted properties correctly 
(e.g., ldap.password="ENC(encrypted_password)").
However, I am facing difficulties applying the same ENC(...) method in my 
org.ops4j.pax.web.cfg file to decrypt keystore and truststore passwords. It 
appears that I haven't specified anywhere that the decryptor should be used for 
these configurations. I am experiencing a similar issue with my 
org.ops4j.datasource-x.cfg files, which register as datasources in my Apache 
Karaf instance.
I've reviewed the Karaf documentation and other resources but haven't found a 
clear solution to this problem. Does anyone have experience or insights on how 
to resolve this issue? Specifically, how can I configure my setup to use the 
Jasypt decryptor for these .cfg files?
Thank you in advance for your help!
Best regards