Hi,
We use Camel and cfg files for parametrizing Camel and encode the secrets
in those cfg files.

For this we modify the camel property reader in our camel blueprint inside of 
the camel context:
        <c:propertyPlaceholder id="properties" location="blueprint:placeholderfile" propertiesParserRef="jasyptRef" />

jasyptRef is requested as a service that is provided for the same blueprint context:
      <reference id="jasyptRef"
                 interface="org.apache.camel.component.properties.PropertiesParser"
                 filter="(alias=jasyptPropertiesParser)" />

The PropertiesParser is provided by another bundle, globally:

      <!-- this is for inside of the camel context -->
      <!-- use the service like this inside the camel context right after the camel context xml element -->
      <!-- <reference id="jasyptRef" interface="org.apache.camel.component.properties.PropertiesParser" filter="(alias=jasyptPropertiesParser)" /> -->
      <!-- <propertyPlaceholder id="properties" location="blueprint:my.camel.core" propertiesParserRef="jasypt" /> -->
      <bean id="jasypt" class="org.apache.camel.component.jasypt.JasyptPropertiesParser">
            <property name="password" value="${secret}" />
      </bean>
      <service id="my.core.jasypt" ref="jasypt"
               interface="org.apache.camel.component.properties.PropertiesParser">
            <service-properties>
                  <entry key="alias" value="jasyptPropertiesParser" />
            </service-properties>
      </service>

      <!-- this is the service for all karaf supported bundles which look up a StringEncryptor, like pax.jdbc -->
      <bean id="stringEncryptorBean" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
            <property name="config" ref="encryptorConfig" />
      </bean>
      <service ref="stringEncryptorBean" interface="org.jasypt.encryption.StringEncryptor">
            <service-properties>
                  <entry key="alias" value="jasyptStringEncryptor" />
            </service-properties>
      </service>

      <!-- use this in your blueprint to decrypt placeholders outside of camel context
           add the enc namespace to the context properties XML file, see at the top of this XML:
           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"
           http://karaf.apache.org/xmlns/jasypt/v1.0.0 https://karaf.apache.org/xmlns/jasypt/v1.0.0 -->
      <!-- add before/after your default cm properties the enc declaration -->
      <!-- <enc:property-placeholder encryptor-ref="stringEncryptor" /> -->
      <!-- lookup service StringEncryptor in osgi XML with -->
      <!-- <reference id="stringEncryptor" interface="org.jasypt.encryption.StringEncryptor" filter="(alias=jasyptStringEncryptor)" /> -->


So the decryption depends on different service interfaces, according to where you
need decrypted values.

Hope that helps a bit.
BR
Karsten



________________________________
From: Jean-Luc . <emporio....@hotmail.com>
Sent: Wednesday, 15 May 2024 09:02
To: user@karaf.apache.org <user@karaf.apache.org>
Subject: Jasypt Encryption Configuration in Apache Kara

Hello everyone,
I have recently set up Jasypt encryption with my Apache Karaf 4.4.1 instance. I 
was able to successfully encrypt and retrieve data in my Blueprint XML files 
using the following configuration:
jasypt-encryptor.xml (placed in the deploy folder):

<?xml version="1.0" encoding="UTF-8"?>
<blueprint ...>

    <bean id="standardPBEStringEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
        <property name="config">
            <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
                <property name="algorithm" value="PBEWithHmacSHA256AndAES_256"/>
                <property name="password" value="$[jasypt.master.password]"/>
                <property name="ivGenerator">
                    <bean class="org.jasypt.iv.RandomIvGenerator"/>
                </property>
            </bean>
        </property>
    </bean>

    <!-- Register the Encryptor Service -->
    <service ref="standardPBEStringEncryptor" interface="org.jasypt.encryption.StringEncryptor"/>

    <!-- Property Placeholder Configuration -->
    <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]">
        <ext:location>file:etc/jasypt-mp.properties</ext:location>
    </ext:property-placeholder>

</blueprint>


This setup allows me to decrypt data in my Blueprint XML files:
ldap-module.xml (also in the deploy folder):

<?xml version="1.0" encoding="UTF-8"?>
<blueprint ...>

    <jaas:config name="karaf" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            connection.url = ${connection.url}
            connection.username= ${ldap.user}
            connection.password= ${ldap.password}
        </jaas:module>
    </jaas:config>

    <cm:property-placeholder persistent-id="p_ldap"/>
    <cm:property-placeholder persistent-id="p_stores" placeholder-prefix="$|" placeholder-suffix="|"/>
    <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
    <jaas:keystore name="ks" path="file:$[karaf.etc]/server/truststore.jks" keystorePassword="$|keystore.password|"/>

    <reference id="encryptorService" interface="org.jasypt.encryption.StringEncryptor"/>
    <enc:property-placeholder encryptor-ref="encryptorService"/>

</blueprint>


This configuration allows me to retrieve my encrypted properties correctly 
(e.g., ldap.password="ENC(encrypted_password)").
However, I am facing difficulties applying the same ENC(...) method in my 
org.ops4j.pax.web.cfg file to decrypt keystore and truststore passwords. It 
appears that I haven't specified anywhere that the decryptor should be used for 
these configurations. I am experiencing a similar issue with my 
org.ops4j.datasource-x.cfg files, which register as datasources in my Apache 
Karaf instance.
I've reviewed the Karaf documentation and other resources but haven't found a 
clear solution to this problem. Does anyone have experience or insights on how 
to resolve this issue? Specifically, how can I configure my setup to use the 
Jasypt decryptor for these .cfg files?
Thank you in advance for your help!
Best regards
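
Added example, not part of either message: a small Java helper that produces ENC(...) values with the same algorithm and IV generator as the standardPBEStringEncryptor bean above, so that an encryptor configured that way can decrypt them. It assumes Jasypt 1.9.3 or later on the classpath; the class name EncValueTool and the environment variable JASYPT_MASTER_PASSWORD are assumptions made for this example.

```java
import java.io.Console;
import java.util.Arrays;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public class EncValueTool {

    // Mirrors the standardPBEStringEncryptor bean: same algorithm, same IV generator.
    static StandardPBEStringEncryptor newEncryptor(String masterPassword) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm("PBEWithHmacSHA256AndAES_256");
        enc.setPassword(masterPassword);
        enc.setIvGenerator(new RandomIvGenerator());
        return enc;
    }

    // Returns the value in ENC(...) form after checking that it decrypts again.
    static String toEncValue(StandardPBEStringEncryptor enc, String clearText) {
        // Random salt and IV: the ciphertext differs on every call.
        String cipherText = enc.encrypt(clearText);
        if (!clearText.equals(enc.decrypt(cipherText))) {
            throw new IllegalStateException("round-trip check failed");
        }
        return "ENC(" + cipherText + ")";
    }

    public static void main(String[] args) {
        // Assumed variable name; must hold the same value as jasypt.master.password.
        String master = System.getenv("JASYPT_MASTER_PASSWORD");
        Console console = System.console();
        if (master == null || master.isEmpty() || console == null || args.length != 1) {
            System.err.println("usage (interactive terminal, JASYPT_MASTER_PASSWORD set): "
                    + "java EncValueTool <property-key>");
            System.exit(2);
        }
        // Read the secret without echo so it stays out of shell history and the process list.
        char[] secret = console.readPassword("Value for %s: ", args[0]);
        if (secret == null || secret.length == 0) {
            System.err.println("no value entered");
            System.exit(2);
        }
        System.out.println(args[0] + "=" + toEncValue(newEncryptor(master), new String(secret)));
        Arrays.fill(secret, '\0'); // wipe the clear-text copy held in the char array
    }
}
```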

