此内容没有您所选择的语言版本。

Chapter 8. Fuse Credential Store


8.1. Overview

Fuse Credential Store feature allows to include passwords and other sensitive strings as masked strings. These strings are resolved from an JBoss EAP Elytron Credential store .

The Credential store has built-in support for OSGI environment, specifically for Apache Karaf and for Java system properties.

You might have specified passwords, for example javax.net.ssl.keyStorePassword, as system properties in clear text this project allows you to specify these values as references to a credential store.

Fuse Credential Store allows to specify the sensitive strings as references to a value stored in Credential Store. The clear text value is replaced with an alias reference, for example CS:alias referencing the value stored under the alias in a configured Credential Store.

The convention CS:alias should be followed. The CS: in the Java System property value is a prefix and alias following it will be used for looking up the value.

8.2. Prerequisites

  • The Karaf container is running.

8.3. Setup Fuse Credential Store on Karaf

  1. Create a credential store using credential-store:create command:

    karaf@root()> credential-store:create -a location=credential.store -k password="my password" -k algorithm=masked-MD5-DES
    In order to use this credential store set the following environment variables
    Variable                              | Value
    ------------------------------------------------------------------------------------------------------------------------
    CREDENTIAL_STORE_PROTECTION_ALGORITHM | masked-MD5-DES
    CREDENTIAL_STORE_PROTECTION_PARAMS    | MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
    CREDENTIAL_STORE_PROTECTION           | Sf6sYy7gNpygs311zcQh8Q==
    CREDENTIAL_STORE_ATTR_location        | credential.store
    Or simply use this:
    export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES
    export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
    export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q==
    export CREDENTIAL_STORE_ATTR_location=credential.store

    This should the file credential.store which is a JCEKS KeyStore for storing the secrets.

  2. Exit the Karaf container:

    karaf@root()> logout
  3. Set the environment variables presented when creating the credential store:

    $ export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES
    $ export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI=
    $ export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q==
    $ export CREDENTIAL_STORE_ATTR_location=credential.store
    Important

    You are required to set the CREDENTIAL_STORE_* environment variables before starting the Karaf container.

  4. Start the Karaf container:

    bin/karaf
  5. Add your secrets to the credential store by using credential-store:store:

    karaf@root()> credential-store:store -a javax.net.ssl.keyStorePassword -s "alias is set"
    Value stored in the credential store to reference it use: CS:javax.net.ssl.keyStorePassword
  6. Exit the Karaf container again:

    karaf@root()> logout
  7. Run the Karaf container again specifying the reference to your secret instead of the value:

    $ EXTRA_JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=CS:javax.net.ssl.keyStorePassword" bin/karaf

The value of javax.net.ssl.keyStorePassword when accessed using System::getProperty should contain the string "alias is set".

Note

The EXTRA_JAVA_OPTS is one of the many ways to specify system properties. These system properties are defined at the start of the Karaf container.

Important

When the environment variables are leaked outside of your environment or intended use along with the content of the credential store file, your secretes are compromised. The value of the property when accessed through JMX gets replaced with the string "<sensitive>", but there are many code paths that lead to System::getProperty, for instance diagnostics or monitoring tools might access it along with any 3rd party software for debugging purposes.

Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.