Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 8. Fuse Credential Store

8.1. Overview
Copiar enlace

Fuse Credential Store feature allows to include passwords and other sensitive strings as masked strings. These strings are resolved from an JBoss EAP Elytron Credential store .

The Credential store has built-in support for OSGI environment, specifically for Apache Karaf and for Java system properties.

You might have specified passwords, for example javax.net.ssl.keyStorePassword, as system properties in clear text this project allows you to specify these values as references to a credential store.

Fuse Credential Store allows to specify the sensitive strings as references to a value stored in Credential Store. The clear text value is replaced with an alias reference, for example CS:alias referencing the value stored under the alias in a configured Credential Store.

The convention CS:alias should be followed. The CS: in the Java System property value is a prefix and alias following it will be used for looking up the value.

8.2. Prerequisites
Copiar enlace

  • The Karaf container is running.

8.3. Setup Fuse Credential Store on Karaf
Copiar enlace

  1. Create a credential store using credential-store:create command: 

    karaf@root()> credential-store:create -a location=credential.store -k password="my password" -k algorithm=masked-MD5-DES
In order to use this credential store set the following environment variables
Variable                              | Value
------------------------------------------------------------------------------------------------------------------------
CREDENTIAL_STORE_PROTECTION_ALGORITHM | masked-MD5-DES
CREDENTIAL_STORE_PROTECTION_PARAMS    | MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
CREDENTIAL_STORE_PROTECTION           | Sf6sYy7gNpygs311zcQh8Q==
CREDENTIAL_STORE_ATTR_location        | credential.store
Or simply use this:
export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES
export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q==
export CREDENTIAL_STORE_ATTR_location=credential.store
    Copy to Clipboard Toggle word wrap

    This should the file credential.store which is a JCEKS KeyStore for storing the secrets.

  2. Exit the Karaf container: 

    karaf@root()> logout
    Copy to Clipboard Toggle word wrap

  3. Set the environment variables presented when creating the credential store: 

    $ export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES
$ export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
$ export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q==
$ export CREDENTIAL_STORE_ATTR_location=credential.store
    Copy to Clipboard Toggle word wrap
    Important

    You are required to set the CREDENTIAL_STORE_* environment variables before starting the Karaf container.

  4. Start the Karaf container: 

    bin/karaf
    Copy to Clipboard Toggle word wrap

  5. Add your secrets to the credential store by using credential-store:store: 

    karaf@root()> credential-store:store -a javax.net.ssl.keyStorePassword -s "alias is set"
Value stored in the credential store to reference it use: CS:javax.net.ssl.keyStorePassword
    Copy to Clipboard Toggle word wrap

  6. Exit the Karaf container again: 

    karaf@root()> logout
    Copy to Clipboard Toggle word wrap

  7. Run the Karaf container again specifying the reference to your secret instead of the value: 

    $ EXTRA_JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=CS:javax.net.ssl.keyStorePassword" bin/karaf
    Copy to Clipboard Toggle word wrap

The value of javax.net.ssl.keyStorePassword when accessed using System::getProperty should contain the string "alias is set".

Note

The EXTRA_JAVA_OPTS is one of the many ways to specify system properties. These system properties are defined at the start of the Karaf container.

Important

When the environment variables are leaked outside of your environment or intended use along with the content of the credential store file, your secretes are compromised. The value of the property when accessed through JMX gets replaced with the string "<sensitive>", but there are many code paths that lead to System::getProperty, for instance diagnostics or monitoring tools might access it along with any 3rd party software for debugging purposes.

Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat