Language and Page Formatting Options
Chapter 8. Fuse Credential Store
Fuse Credential Store feature allows to include passwords and other sensitive strings as masked strings. These strings are resolved from an JBoss EAP Elytron Credential store .
The Credential store has built-in support for OSGI environment, specifically for Apache Karaf and for Java system properties.
You might have specified passwords, for example
javax.net.ssl.keyStorePassword, as system properties in clear text this project allows you to specify these values as references to a credential store.
Fuse Credential Store allows to specify the sensitive strings as references to a value stored in Credential Store. The clear text value is replaced with an alias reference, for example
CS:alias referencing the value stored under the
alias in a configured Credential Store.
CS:alias should be followed. The
CS: in the Java System property value is a prefix and
alias following it will be used for looking up the value.
- The Karaf container is running.
8.3. Setup Fuse Credential Store on Karaf
Create a credential store using
karaf@root()> credential-store:create -a location=credential.store -k password="my password" -k algorithm=masked-MD5-DES In order to use this credential store set the following environment variables Variable | Value ------------------------------------------------------------------------------------------------------------------------ CREDENTIAL_STORE_PROTECTION_ALGORITHM | masked-MD5-DES CREDENTIAL_STORE_PROTECTION_PARAMS | MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI= CREDENTIAL_STORE_PROTECTION | Sf6sYy7gNpygs311zcQh8Q== CREDENTIAL_STORE_ATTR_location | credential.store Or simply use this: export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI= export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q== export CREDENTIAL_STORE_ATTR_location=credential.store
This should the file
credential.storewhich is a JCEKS KeyStore for storing the secrets.
Exit the Karaf container:
Set the environment variables presented when creating the credential store:
$ export CREDENTIAL_STORE_PROTECTION_ALGORITHM=masked-MD5-DES $ export CREDENTIAL_STORE_PROTECTION_PARAMS=MDkEKXNvbWVhcmJpdHJhcnljcmF6eXN0cmluZ3RoYXRkb2Vzbm90bWF0dGVyAgID6AQIsUOEqvog6XI= $ export CREDENTIAL_STORE_PROTECTION=Sf6sYy7gNpygs311zcQh8Q== $ export CREDENTIAL_STORE_ATTR_location=credential.storeImportant
You are required to set the
CREDENTIAL_STORE_*environment variables before starting the Karaf container.
Start the Karaf container:
Add your secrets to the credential store by using
karaf@root()> credential-store:store -a javax.net.ssl.keyStorePassword -s "alias is set" Value stored in the credential store to reference it use: CS:javax.net.ssl.keyStorePassword
Exit the Karaf container again:
Run the Karaf container again specifying the reference to your secret instead of the value:
$ EXTRA_JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=CS:javax.net.ssl.keyStorePassword" bin/karaf
The value of
javax.net.ssl.keyStorePassword when accessed using
System::getProperty should contain the string
"alias is set".
EXTRA_JAVA_OPTS is one of the many ways to specify system properties. These system properties are defined at the start of the Karaf container.
When the environment variables are leaked outside of your environment or intended use along with the content of the credential store file, your secretes are compromised. The value of the property when accessed through JMX gets replaced with the string
"<sensitive>", but there are many code paths that lead to
System::getProperty, for instance diagnostics or monitoring tools might access it along with any 3rd party software for debugging purposes.