When securing a container, it is undesirable to store plain-text passwords in configuration files: they are easy-to-target security holes. One way to avoid this problem is to use encrypted property placeholders whenever possible.
Fuse ESB Enterprise includes an extension to OSGi Blueprint that enables you to use Jasypt to decrypt property placeholders in blueprint files. It requires that you:
Create a properties file with encrypted values.
Add the proper namespaces to your blueprint file.
Import the properties using the Aries property placeholder extension.
Configure the Jasypt encryption algorithm.
Use the placeholders in your blueprint file.
Ensure that the Jasypt features are installed into the Fuse ESB Enterprise container.
Encrypted properties are stored in plain properties files. They are identified by wrapping them in the ENC() function, as shown in Example 8.
Example 8. Property File with an Encrypted Property
```properties
#ldap.properties
ldap.password=ENC(amIsvdqno9iSwnd7kAlLYQ==)
ldap.url=ldap://192.168.1.74:10389
```
Important: You will need to remember the password and algorithm used to encrypt the values. You will need this information to configure Jasypt.
To use encrypted properties in your configuration, you will need to add the following namespaces to your blueprint file:
Aries extensions: http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0
Apache Karaf Jasypt: http://karaf.apache.org/xmlns/jasypt/v1.0.0
Example 9 shows a blueprint file with the required namespaces.
Example 9. Encrypted Property Namespaces
```xml
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">
  ...
</blueprint>
```
In order to use encrypted property placeholders in a blueprint file, you need to include an Aries property-placeholder element in your blueprint file. As shown in Example 10, it must come before the Jasypt configuration and before any use of placeholders.
Example 10. Aries Placeholder Extension
```xml
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">
  <ext:property-placeholder>
    <ext:location>file:etc/ldap.properties</ext:location>
  </ext:property-placeholder>
  ...
</blueprint>
```
The Aries property-placeholder element's ext:location child specifies the location of the properties file that contains the properties to use for the configuration. You can specify multiple files by using multiple ext:location children.
You configure Jasypt using the Apache Karaf property-placeholder element (enc:property-placeholder). It has one child, encryptor, that contains the actual Jasypt configuration.
The encryptor element's mandatory class attribute specifies the fully qualified class name of the Jasypt encryptor to use for decrypting the properties. The encryptor element can take a property child that defines a Jasypt PBEConfig bean for configuring the encryptor.
For detailed information on how to configure the different Jasypt encryptors, see the Jasypt documentation.
Example 11 shows configuration for using the string encryptor and retrieving the password from an environment variable.
Example 11. Jasypt Blueprint Configuration
```xml
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">
  <ext:property-placeholder>
    <ext:location>file://ldap.properties</ext:location>
  </ext:property-placeholder>
  <enc:property-placeholder>
    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
          <property name="algorithm" value="PBEWithMD5AndDES" />
          <property name="passwordEnvName" value="FUSE_ENCRYPTION_PASSWORD" />
        </bean>
      </property>
    </enc:encryptor>
  </enc:property-placeholder>
  ...
</blueprint>
```
The placeholders you use for encrypted properties are the same as those you use for regular properties. They use the form ${prop.name}.
Example 12 shows an LDAP JAAS realm that uses the properties file in Example 8.
Example 12. Jasypt Blueprint Configuration
```xml
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">
  <!-- the jaas prefix must be declared for the jaas:config element used below -->
  <ext:property-placeholder>
    <ext:location>file://ldap.properties</ext:location>
  </ext:property-placeholder>
  <enc:property-placeholder>
    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
          <property name="algorithm" value="PBEWithMD5AndDES" />
          <property name="passwordEnvName" value="FUSE_ENCRYPTION_PASSWORD" />
        </bean>
      </property>
    </enc:encryptor>
  </enc:property-placeholder>
  <jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      debug=true
      connectionURL=${ldap.url}
      connectionUsername=cn=mqbroker,ou=Services,ou=system,dc=fusesource,dc=com
      connectionPassword=${ldap.password}
      connectionProtocol=
      authentication=simple
      userRoleName=cn
      userBase = ou=User,ou=ActiveMQ,ou=system,dc=fusesource,dc=com
      userSearchMatching=(uid={0})
      userSearchSubtree=true
      roleBase = ou=Group,ou=ActiveMQ,ou=system,dc=fusesource,dc=com
      roleName=cn
      roleSearchMatching= (member:=uid={1})
      roleSearchSubtree=true
    </jaas:module>
  </jaas:config>
</blueprint>
```
The ${ldap.password} placeholder will be replaced with the decrypted value of the ldap.password property from the properties file.
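The following Java program is an added example, not code from the Fuse ESB Enterprise documentation or from the Aries/Karaf placeholder extensions. It shows the two sides of the workflow described above: producing an ENC() value with the same Jasypt encryptor and PBEConfig that the blueprint file declares (Example 11), and then resolving ${prop.name} placeholders against a properties file whose ENC() entries are decrypted first (Example 8 and Example 12). The loadAndDecrypt and resolvePlaceholders helpers are a simplified illustration of what the extensions do and are assumptions of this example; the properties text is constructed inline. It assumes the Jasypt jar is on the classpath and that the FUSE_ENCRYPTION_PASSWORD environment variable is set, exactly as the blueprint configuration requires.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;

public class EncryptedPropertyDemo {

    // Mirrors the <enc:encryptor> bean in Example 11: PBEWithMD5AndDES,
    // password read from the FUSE_ENCRYPTION_PASSWORD environment variable.
    static StandardPBEStringEncryptor buildEncryptor() {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setPasswordEnvName("FUSE_ENCRYPTION_PASSWORD");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Matches a whole value of the form ENC(<base64>); group 1 is the ciphertext.
    private static final Pattern ENC = Pattern.compile("^ENC\\((.*)\\)$");
    // Matches ${prop.name}; group 1 is the property name.
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]+)\\}");

    // Loads a properties file and decrypts every ENC() value (hypothetical helper,
    // simplified stand-in for what the Karaf Jasypt placeholder does).
    static Properties loadAndDecrypt(String propertiesText,
                                     StandardPBEStringEncryptor encryptor) throws IOException {
        Properties raw = new Properties();
        raw.load(new StringReader(propertiesText));
        Properties resolved = new Properties();
        for (String name : raw.stringPropertyNames()) {
            String value = raw.getProperty(name);
            Matcher m = ENC.matcher(value);
            resolved.setProperty(name, m.matches() ? encryptor.decrypt(m.group(1)) : value);
        }
        return resolved;
    }

    // Substitutes ${prop.name} occurrences; fails loudly on an unknown name so a
    // misspelled key cannot silently leave a literal "${...}" in a password field.
    static String resolvePlaceholders(String template, Properties props) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = props.getProperty(m.group(1));
            if (value == null) {
                throw new IllegalStateException("unresolved placeholder: " + m.group(1));
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        StandardPBEStringEncryptor encryptor = buildEncryptor();

        // Step 1: generate the ENC() value to paste into the properties file.
        // StandardPBEStringEncryptor prepends a random salt, so the same
        // plaintext yields a different string on every call.
        String cipherText = encryptor.encrypt("s3cret");   // constructed sample secret
        String propertiesText = "#ldap.properties\n"
                              + "ldap.password=ENC(" + cipherText + ")\n"
                              + "ldap.url=ldap://192.168.1.74:10389\n";   // constructed, as in Example 8

        // Step 2: what the container does at startup: decrypt, then substitute.
        Properties props = loadAndDecrypt(propertiesText, encryptor);
        String jaasOptions = "connectionURL=${ldap.url}\n"
                           + "connectionPassword=${ldap.password}\n";
        System.out.print(resolvePlaceholders(jaasOptions, props));
    }
}
```

Compile and run with the Jasypt jar on the classpath and FUSE_ENCRYPTION_PASSWORD exported in the same shell; if the variable is missing, Jasypt fails at first use with an EncryptionInitializationException rather than falling back to an empty password, which is the behaviour you want. The encryptor and config classes are the real Jasypt classes named in Example 11; only the placeholder-resolution helpers are this example's own. PBEWithMD5AndDES is the algorithm the page configures, but it is a legacy JDK PBE scheme; any other PBE algorithm available in the JVM can be named in the algorithm property, and the ENC() values must then be regenerated with that algorithm and the same password.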
By default, Fuse ESB Enterprise does not have the Jasypt encryption libraries installed. In order to use encrypted property placeholders, you will need to install the jasypt-encryption feature using Fuse ESB Enterprise's features:install command as shown in Example 13.