Chapter 8. Fuse Credential Store
8.1. Overview
Fuse Credential Store feature allows to include passwords and other sensitive strings as masked strings. These strings are resolved from an JBoss EAP Elytron Credential store .
The Credential store has built-in support for OSGI environment, specifically for Apache Karaf and for Java system properties.
You might have specified passwords, for example javax.net.ssl.keyStorePassword, as system properties in clear text this project allows you to specify these values as references to a credential store.
Fuse Credential Store allows to specify the sensitive strings as references to a value stored in Credential Store. The clear text value is replaced with an alias reference, for example CS:alias referencing the value stored under the alias in a configured Credential Store.
The convention CS:alias should be followed. The CS: in the Java System property value is a prefix and alias following it will be used for looking up the value.
8.2. Prerequisites
- The Karaf container is running.
8.3. Setup Fuse Credential Store on Karaf
Create a credential store using
credential-store:createcommand:karaf@root()> credential-store:create -a location=credential.store -k password="my password" -k algorithm=masked-MD5-DES In order to use this credential store set the following environment variables Variable | Value ------------------------------------------------------------------------------------------------------------------------ CREDENTIAL_STORE_PROTECTION_ALGORITHM | masked-MD5-DES CREDENTIAL_STORE_PROTECTION_PARAMS | MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI= CREDENTIAL_STORE_PROTECTION | Sf6sYy7gNpygs311zcQh8Q== CREDENTIAL_STORE_ATTR_location | credential.store Or simply use this: export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI= export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q== export CREDENTIAL_STORE_ATTR_location=credential.store
This should the file
credential.storewhich is a JCEKS KeyStore for storing the secrets.Exit the Karaf container:
karaf@root()> logout
Set the environment variables presented when creating the credential store:
$ export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES $ export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI= $ export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q== $ export CREDENTIAL_STORE_ATTR_location=credential.store
ImportantYou are required to set the
CREDENTIAL_STORE_*environment variables before starting the Karaf container.Start the Karaf container:
bin/karaf
Add your secrets to the credential store by using
credential-store:store:karaf@root()> credential-store:store -a javax.net.ssl.keyStorePassword -s "alias is set" Value stored in the credential store to reference it use: CS:javax.net.ssl.keyStorePassword
Exit the Karaf container again:
karaf@root()> logout
Run the Karaf container again specifying the reference to your secret instead of the value:
$ EXTRA_JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=CS:javax.net.ssl.keyStorePassword" bin/karaf
The value of javax.net.ssl.keyStorePassword when accessed using System::getProperty should contain the string "alias is set".
The EXTRA_JAVA_OPTS is one of the many ways to specify system properties. These system properties are defined at the start of the Karaf container.
When the environment variables are leaked outside of your environment or intended use along with the content of the credential store file, your secretes are compromised. The value of the property when accessed through JMX gets replaced with the string "<sensitive>", but there are many code paths that lead to System::getProperty, for instance diagnostics or monitoring tools might access it along with any 3rd party software for debugging purposes.
