Red Hat AMQ 6
As of February 2025, Red Hat is no longer supporting Red Hat AMQ 6. If you are using AMQ 6, please upgrade: Migrating to AMQ 7.
2.3. Using Encrypted Property Placeholders
Overview
How to use encrypted property placeholders
- Download and install Jasypt, to gain access to the Jasypt listAlgorithms.sh, encrypt.sh, and decrypt.sh command-line tools.
  Note: When installing the Jasypt command-line tools, don't forget to enable execute permissions on the script files, by running chmod u+x ScriptName.sh.
- Choose a master password and an encryption algorithm. To discover which algorithms are supported in your current Java environment, run the listAlgorithms.sh Jasypt command-line tool, as follows:
      ./listAlgorithms.sh
      DIGEST ALGORITHMS: [MD2, MD5, SHA, SHA-256, SHA-384, SHA-512]
      PBE ALGORITHMS: [PBEWITHMD5ANDDES, PBEWITHMD5ANDTRIPLEDES, PBEWITHSHA1ANDDESEDE, PBEWITHSHA1ANDRC2_40]
  On Windows platforms, the script is listAlgorithms.bat. JBoss A-MQ uses PBEWithMD5AndDES by default.
- Use the Jasypt encrypt command-line tool to encrypt your sensitive configuration values (for example, passwords for use in configuration files). For example, the following command encrypts the PlaintextVal value, using the specified algorithm and master password MasterPass:
      ./encrypt.sh input="PlaintextVal" algorithm=PBEWithMD5AndDES password=MasterPass
- Create a properties file with encrypted values. For example, suppose you wanted to store some LDAP credentials. You could create a file, etc/ldap.properties, with the following contents:
  Example 2.6. Property File with an Encrypted Property
      #ldap.properties
      ldap.password=ENC(amIsvdqno9iSwnd7kAlLYQ==)
      ldap.url=ldap://192.168.1.74:10389
  The encrypted property values (as generated in the previous step) are identified by wrapping in the ENC() function.
- (Blueprint XML only) Add the requisite namespaces to your Blueprint XML file:
  - Aries extensions: http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0
  - Apache Karaf Jasypt: http://karaf.apache.org/xmlns/jasypt/v1.0.0
  Example 2.7, “Encrypted Property Namespaces” shows a Blueprint file with the requisite namespaces.
  Example 2.7. Encrypted Property Namespaces
      <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
                 xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
                 xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">
        ...
      </blueprint>
- Configure the location of the properties file for the property placeholder and configure the Jasypt encryption algorithm.
  - Blueprint XML: Example 2.8, “Jasypt Blueprint Configuration” shows how to configure the ext:property-placeholder element to read properties from the etc/ldap.properties file. The enc:property-placeholder element configures Jasypt to use the PBEWithMD5AndDES encryption algorithm and to read the master password from the JASYPT_ENCRYPTION_PASSWORD environment variable.
    Example 2.8. Jasypt Blueprint Configuration
  - Spring XML: Example 2.9, “Jasypt Spring Configuration” shows how to configure Jasypt to use the PBEWithMD5AndDES encryption algorithm and to read the master password from the JASYPT_ENCRYPTION_PASSWORD environment variable. The EncryptablePropertyPlaceholderConfigurer bean is configured to read properties from the etc/ldap.properties file and to read properties from the io.fabric8.mq.fabric.ConfigurationProperties class (which defines the karaf.base property, for example).
    Example 2.9. Jasypt Spring Configuration
- Use the placeholders in your configuration file. The placeholders you use for encrypted properties are the same as you use for regular properties. Use the syntax ${prop.name}.
- Make sure that the jasypt-encryption feature is installed in the container. If necessary, install the jasypt-encryption feature with the following console command:
      JBossFuse:karaf@root> features:install jasypt-encryption
- Shut down the container, by entering the following command:
      JBossFuse:karaf@root> shutdown
- Carefully restart the container and deploy your secure application, as follows:
  - Open a command window (first command window) and enter the following commands to start the JBoss A-MQ container in the background:
        export JASYPT_ENCRYPTION_PASSWORD="your super secret master pass phrase"
        ./bin/start
  - Open a second command window and start the client utility, to connect to the container running in the background:
        ./bin/client -u Username -p Password
    Where Username and Password are valid JAAS user credentials for logging on to the container console.
  - In the second command window, use the console to install your secure application that uses encrypted property placeholders. Check that the application has launched successfully (for example, using the osgi:list command to check its status).
  - After the secure application has started up, go back to the first command window and unset the JASYPT_ENCRYPTION_PASSWORD environment variable.
    Important: Unsetting the JASYPT_ENCRYPTION_PASSWORD environment variable ensures there will be minimum risk of exposing the master password. The Jasypt library retains the master password in encrypted form in memory.
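
As a check on the properties file created in the procedure above, the following script flags secret-looking keys whose values are not wrapped in ENC(). It is an added example, not part of the product documentation; the key-name pattern, the assumed payload layout (Base64 of an 8-byte salt followed by whole 8-byte DES blocks) and the jms.password and db.secret sample entries are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the product documentation): flag secret-looking
# properties that are not stored as ENC(...) values.

# Key-name pattern treated as sensitive. Assumption: adjust to your naming.
SENSITIVE_KEYS='password|passwd|secret|credential'

# audit_properties FILE
# Prints "PLAINTEXT <key>" for a sensitive key with an unwrapped value and
# "MALFORMED <key>" when the ENC() payload does not look like Jasypt output.
audit_properties() {
    # Drop comments and blank lines, then split each entry at the first "=".
    grep -Ev '^[[:space:]]*([#!]|$)' "$1" | while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        printf '%s\n' "$key" | grep -Eiq "$SENSITIVE_KEYS" || continue
        case $val in
            'ENC('*')')
                payload=${val#'ENC('}
                payload=${payload%')'}
                # Assumed layout for PBEWithMD5AndDES with Jasypt defaults:
                # Base64 of an 8-byte salt followed by whole 8-byte DES blocks.
                n=0
                if printf '%s\n' "$payload" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
                    n=$(( $(printf '%s' "$payload" | base64 -d 2>/dev/null | wc -c) ))
                fi
                if [ "$n" -lt 16 ] || [ $((n % 8)) -ne 0 ]; then
                    echo "MALFORMED $key"
                fi
                ;;
            *) echo "PLAINTEXT $key" ;;
        esac
    done
}

# Constructed sample: the entries from Example 2.6 plus two made-up ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ldap.properties
ldap.password=ENC(amIsvdqno9iSwnd7kAlLYQ==)
ldap.url=ldap://192.168.1.74:10389
jms.password=hunter2
db.secret=ENC(abc)
EOF
audit_properties "$sample"
rm -f "$sample"
```

A clean result only shows that the values are wrapped and well-formed; their protection still rests on the master password and the chosen PBE algorithm.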
Blueprint XML example
Example 2.10. Jasypt Example in Blueprint XML
The ${ldap.password} placeholder is replaced with the decrypted value of the ldap.password property from the etc/ldap.properties properties file.