Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

2.4. Using Encrypted Property Placeholders

Overview
Copier lien

When securing a container it is undesirable to use plain text passwords in configuration files. They create easy to target security holes. One way to avoid this problem is to use encrypted property placeholders when ever possible.
Red Hat JBoss A-MQ includes an extension to OSGi Blueprint that enables you to use Jasypt to decrypt property placeholders in blueprint files. It requires that you:
  1. Create a properties file with encrypted values.
  2. Add the proper namespaces to your blueprint file.
  3. Import the properties using the Aries property placeholder extension.
  4. Configure the Jasypt encryption algorithm.
  5. Use the placeholders in your blueprint file.
  6. Ensure that the Jasypt features are installed into the JBoss A-MQ container.

Encrypted properties
Copier lien

Encrypted properties are stored in plain properties files. They are identified by wrapping them in the ENC() function as shown in Example 2.8, “Property File with an Encrypted Property”.

Example 2.8. Property File with an Encrypted Property

#ldap.properties
ldap.password=ENC(amIsvdqno9iSwnd7kAlLYQ==)
ldap.url=ldap://192.168.1.74:10389
Copy to Clipboard Toggle word wrap
Important
You will need to remember the password and algorithm used to encrypt the values. You will need this information to configure Jasypt.

Namespaces
Copier lien

To use encryted properties in your configuration, you will need to add the following namespaces to your blueprint file:
  • Aries extensions—http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0
  • Apache Karaf Jasypt—http://karaf.apache.org/xmlns/jasypt/v1.0.0
Example 2.9, “Encrypted Property Namespaces” shows a blueprint file with the required namespaces.

Example 2.9. Encrypted Property Namespaces

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
 	xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
 	xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">
...
</blueprint>
Copy to Clipboard Toggle word wrap

Placeholder extension
Copier lien

In order to use encrypted property placeholders in a blueprint file you need to include an Aries property-paceholder element to you blueprint file. As shown in Example 2.10, “Aries Placeholder Extension”, it must come before the Jasypt configuration or the use of placeholders.

Example 2.10. Aries Placeholder Extension

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
 	xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
 	xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">

  <ext:property-placeholder>
    <location>file:etc/ldap.properties</location>
  </ext:property-placeholder>

...
</blueprint>
Copy to Clipboard Toggle word wrap
The Aries property-paceholder element's location child specifies the location of the property file that contains the properties to use for the configuration. You can specify multiple files by using multiple location children.

Jasypt configuration
Copier lien

You configure Jasypt using the Apache Karaf property-placeholder element. It has one child, encoder, that contains the actual Jasypt configuration.
The encoder element's mandatory class attribute specifies the fully qualified classname of the Jasypt encryptor to use for decrypting the properties. The encoder element can take a property child that defines a Jasypt PBEConfig bean for configuring the encryptor.
For detailed information on how to configure the different Jasypt encryptors, see the Jasypt documentation.
Example 2.11, “Jasypt Blueprint Configuration” shows configuration for using the string encryptor and retrieving the password from an environment variable.

Example 2.11. Jasypt Blueprint Configuration

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
 	xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
 	xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">

  <ext:property-placeholder>
    <location>file://ldap.properties</location>
  </ext:property-placeholder>

  <enc:property-placeholder>
    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
          <property name="algorithm" value="PBEWithMD5AndDES" />
          <property name="passwordEnvName" value="FUSE_ENCRYPTION_PASSWORD" />
        </bean>
      </property>
    </enc:encryptor>
  </enc:property-placeholder>
...
</blueprint>
Copy to Clipboard Toggle word wrap

Placeholders
Copier lien

The placeholder you use for encrypted properties are the same as you use for regular properties. The use the form ${prop.name}.
Example 2.12, “Jasypt Blueprint Configuration” shows an LDAP JAAS realm that uses the properties file in Example 2.8, “Property File with an Encrypted Property”.

Example 2.12. Jasypt Blueprint Configuration

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
 	xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
 	xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">

  <ext:property-placeholder>
    <location>file://ldap.properties</location>
  </ext:property-placeholder>

  <enc:property-placeholder>
    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
          <property name="algorithm" value="PBEWithMD5AndDES" />
          <property name="passwordEnvName" value="FUSE_ENCRYPTION_PASSWORD" />
        </bean>
      </property>
    </enc:encryptor>
  </enc:property-placeholder>

  <jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      debug=true
        connectionURL=${ldap.url}
        connectionUsername=cn=mqbroker,ou=Services,ou=system,dc=jbossfuse,dc=com
        connectionPassword=${ldap.password}
        connectionProtocol=
        authentication=simple
        userRoleName=cn
        userBase = ou=User,ou=ActiveMQ,ou=system,dc=jbossfuse,dc=com
        userSearchMatching=(uid={0})
        userSearchSubtree=true
        roleBase = ou=Group,ou=ActiveMQ,ou=system,dc=jbossfuse,dc=com
        roleName=cn
        roleSearchMatching= (member:=uid={1})
        roleSearchSubtree=true
    </jaas:module>
  </jaas:config>

</blueprint>
Copy to Clipboard Toggle word wrap
The ${ldap.password} placeholder will be replaced with the decrypted value of the ldap.password property from the properties file.

Installing the Jasypt features
Copier lien

By default, JBoss A-MQ does not have the Jasypt encryption libraries installed. In order to use encrypted property placeholders, you will need to install the jasypt-encryption feature using JBoss A-MQ's features:install command as shown in Example 2.13, “Installing the Jasypt Feature”.

Example 2.13. Installing the Jasypt Feature

JBossFuse:karaf@root> features:install jasypt-encryption
Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat