Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 8. Fuse Credential Store

8.1. Overview
Copy link

Fuse Credential Store feature allows to include passwords and other sensitive strings as masked strings. These strings are resolved from an JBoss EAP Elytron Credential store .

The Credential store has built-in support for OSGI environment, specifically for Apache Karaf and for Java system properties.

You might have specified passwords, for example javax.net.ssl.keyStorePassword, as system properties in clear text this project allows you to specify these values as references to a credential store.

Fuse Credential Store allows to specify the sensitive strings as references to a value stored in Credential Store. The clear text value is replaced with an alias reference, for example CS:alias referencing the value stored under the alias in a configured Credential Store.

The convention CS:alias should be followed. The CS: in the Java System property value is a prefix and alias following it will be used for looking up the value.

8.2. Prerequisites
Copy link

  • The Karaf container is running.

8.3. Setup Fuse Credential Store on Karaf
Copy link

  1. Create a credential store using credential-store:create command: 

    karaf@root()> credential-store:create -a location=credential.store -k password="my password" -k algorithm=masked-MD5-DES
In order to use this credential store set the following environment variables
Variable                              | Value
------------------------------------------------------------------------------------------------------------------------
CREDENTIAL_STORE_PROTECTION_ALGORITHM | masked-MD5-DES
CREDENTIAL_STORE_PROTECTION_PARAMS    | MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
CREDENTIAL_STORE_PROTECTION           | Sf6sYy7gNpygs311zcQh8Q==
CREDENTIAL_STORE_ATTR_location        | credential.store
Or simply use this:
export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES
export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q==
export CREDENTIAL_STORE_ATTR_location=credential.store
    Copy to Clipboard Toggle word wrap

    This should the file credential.store which is a JCEKS KeyStore for storing the secrets.

  2. Exit the Karaf container: 

    karaf@root()> logout
    Copy to Clipboard Toggle word wrap

  3. Set the environment variables presented when creating the credential store: 

    $ export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES
$ export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
$ export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q==
$ export CREDENTIAL_STORE_ATTR_location=credential.store
    Copy to Clipboard Toggle word wrap
    Important

    You are required to set the CREDENTIAL_STORE_* environment variables before starting the Karaf container.

  4. Start the Karaf container: 

    bin/karaf
    Copy to Clipboard Toggle word wrap

  5. Add your secrets to the credential store by using credential-store:store: 

    karaf@root()> credential-store:store -a javax.net.ssl.keyStorePassword -s "alias is set"
Value stored in the credential store to reference it use: CS:javax.net.ssl.keyStorePassword
    Copy to Clipboard Toggle word wrap

  6. Exit the Karaf container again: 

    karaf@root()> logout
    Copy to Clipboard Toggle word wrap

  7. Run the Karaf container again specifying the reference to your secret instead of the value: 

    $ EXTRA_JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=CS:javax.net.ssl.keyStorePassword" bin/karaf
    Copy to Clipboard Toggle word wrap

The value of javax.net.ssl.keyStorePassword when accessed using System::getProperty should contain the string "alias is set".

Note

The EXTRA_JAVA_OPTS is one of the many ways to specify system properties. These system properties are defined at the start of the Karaf container.

Important

When the environment variables are leaked outside of your environment or intended use along with the content of the credential store file, your secretes are compromised. The value of the property when accessed through JMX gets replaced with the string "<sensitive>", but there are many code paths that lead to System::getProperty, for instance diagnostics or monitoring tools might access it along with any 3rd party software for debugging purposes.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat