Using encrypted properties from cm:property-placeholder broken for <jaas:keystore> configuration
Issue
Using encrypted properties with <cm:property-placeholder> and <enc:property-placeholder> when setting up <jaas:keystore> elements is broken in JBoss Fuse 6.1.1 and JBoss A-MQ 6.1.1. The technique had been tested and working since JBoss Fuse 6.0.0, including testing with JBoss Fuse 6.1.0 both before and after the Rollup 2 and Rollup 2 Patch 3 patches were applied.
The technique defined in
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.1/html/Security_Guide/FMQSecurityJmxSSL.html works well, but it results in the plain text passwords for the keystore and truststore being stored in the [fuse_install]/etc directory. We combine two other documented features: <cm:property-placeholder> (with update-strategy="reload") from https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.1/html/Deploying_into_the_Container/DeployCamel-OsgiConfigProps.html, which gives property placeholders that reload when the configuration file changes, and <enc:property-placeholder> from https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.1/html/Security_Guide/FMQSecurityEncryptProperties.html, which decrypts ENC(...) values. With that combination we have previously been able to use encrypted properties in a configuration file to provide the passwords to the <jaas:keystore> (and to <jaas:config> for an LDAP <jaas:module> configuration) in JBoss Fuse 6.1.0.
We create the [fuse_install]/etc/org.apache.felix.fileinstall-security.cfg file with the contents:
felix.fileinstall.dir = ${karaf.base}/etc
felix.fileinstall.filter = security\\.xml
felix.fileinstall.poll = 1000
felix.fileinstall.noInitialDelay = true
felix.fileinstall.log.level = 3
felix.fileinstall.start.level = 25
Then we create the [fuse_install]/etc/security.xml file with the contents:
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"
           xsi:schemaLocation="
             http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
             http://camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd">

  <!-- OSGi blueprint property placeholder: ${...} values are read from
       etc/org.jboss.fuse.samples.security.cfg (the persistent-id) and the
       bundle is reloaded when that file changes. The defaults below are
       deliberately unusable placeholders so a missing .cfg fails visibly. -->
  <cm:property-placeholder id="securityProps" persistent-id="org.jboss.fuse.samples.security" update-strategy="reload">
    <cm:default-properties>
      <cm:property name="local.keystore.uri" value="file:etc/junk.ks" />
      <cm:property name="local.keystore.password" value="junk" />
      <cm:property name="local.keystore.keypass" value="junk" />
      <cm:property name="local.truststore.uri" value="file:etc/junk.ts" />
      <cm:property name="local.truststore.password" value="junk" />
      <cm:property name="local.truststore.keypass" value="junk" />
    </cm:default-properties>
  </cm:property-placeholder>

  <!-- Property placeholder decryption component: values of the form
       ENC(...) are decrypted with the master password taken from the
       FUSE_ENCRYPTION_PASSWORD environment variable, so the master
       password itself never appears in a file under etc/. -->
  <enc:property-placeholder>
    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
          <property name="algorithm" value="PBEWithMD5AndDES" />
          <property name="passwordEnvName" value="FUSE_ENCRYPTION_PASSWORD" />
        </bean>
      </property>
    </enc:encryptor>
  </enc:property-placeholder>

  <!-- Keystores referenced by name from etc/org.apache.karaf.management.cfg -->
  <jaas:keystore name="local_keystore" path="${local.keystore.uri}"
                 keystorePassword="${local.keystore.password}" keyPasswords="${local.keystore.keypass}" />
  <jaas:keystore name="local_truststore" path="${local.truststore.uri}"
                 keystorePassword="${local.truststore.password}" keyPasswords="${local.truststore.keypass}" />

</blueprint>
Next we drop our keystore and truststore files into [fuse_install]/etc and create [fuse_install]/etc/org.jboss.fuse.samples.security.cfg with the appropriate entries for the keystore and truststore file locations/names and their (ENC(...)-wrapped) passwords.
Finally, we define the FUSE_ENCRYPTION_PASSWORD environment variable for the container process and update the [fuse_install]/etc/org.apache.karaf.management.cfg file to reference the <jaas:keystore> entries by name:
# Enable SSL
secured = true
secureProtocol = TLSv1
secureAlgorithm = default
keyStore = local_keystore
trustStore = local_truststore
keyAlias = ...appropriate-host-name-goes-here...
clientAuth = false
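The security-relevant property of the setup above is that every password attribute on a <jaas:keystore> must resolve, via the .cfg file, to an ENC(...) value; anything else is a plain text secret in [fuse_install]/etc. The following script is an added example (not Red Hat's, Karaf's or Aries' code) that checks this offline: it parses a blueprint file and its backing .cfg, expands ${...} the way <cm:property-placeholder> does (the .cfg value wins, <cm:default-properties> is the fallback), and reports which keystorePassword/keyPasswords attributes would not be ENC(...) wrapped. The sample blueprint and .cfg contents are constructed for the example, the ENC(...) strings are placeholders rather than real Jasypt output, and the function names are the example's own.

```python
"""Audit a Fuse/Karaf blueprint plus its backing .cfg for plaintext secrets.

Added example, not part of the original article or of the Karaf project.
It mimics only the placeholder-resolution step of the page's setup:
  1. <cm:property-placeholder> expands ${name} from the persistent-id's
     .cfg file, falling back to <cm:default-properties>;
  2. <enc:property-placeholder> decrypts values of the form ENC(...).
A password attribute whose resolved value is not ENC(...) is therefore
stored in clear text on disk, which is what this check flags.
"""
import re
import xml.etree.ElementTree as ET

CM = "http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
JAAS = "http://karaf.apache.org/xmlns/jaas/v1.0.0"

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
ENC_VALUE = re.compile(r"^ENC\(.+\)$")
SECRET_ATTRS = ("keystorePassword", "keyPasswords")


def parse_cfg(text):
    """Parse the java.util.Properties subset Karaf uses in .cfg files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def resolve(value, cfg, defaults):
    """Expand ${name}: the .cfg value wins, cm:default-properties is the fallback."""
    def sub(match):
        name = match.group(1)
        if name in cfg:
            return cfg[name]
        if name in defaults:
            return defaults[name]
        return match.group(0)  # unresolved placeholder is left untouched
    return PLACEHOLDER.sub(sub, value)


def audit_keystores(blueprint_xml, cfg_text):
    """Return {keystore name: [secret attrs whose resolved value is not ENC(...)]}."""
    root = ET.fromstring(blueprint_xml)
    # Only cm:property elements carry defaults; the blueprint <property> used
    # for the encryptor config lives in the default namespace and is skipped.
    defaults = {p.get("name"): p.get("value", "")
                for p in root.iter(f"{{{CM}}}property")}
    cfg = parse_cfg(cfg_text)
    findings = {}
    for ks in root.iter(f"{{{JAAS}}}keystore"):
        plain = []
        for attr in SECRET_ATTRS:
            raw = ks.get(attr)
            if raw is None:
                continue
            if not ENC_VALUE.match(resolve(raw, cfg, defaults)):
                plain.append(attr)
        findings[ks.get("name")] = plain
    return findings


# Constructed sample inputs (hypothetical paths and placeholder ciphertexts).
SAMPLE_BLUEPRINT = """<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
    xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
    xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0">
  <cm:property-placeholder persistent-id="org.jboss.fuse.samples.security">
    <cm:default-properties>
      <cm:property name="local.keystore.keypass" value="junk" />
      <cm:property name="local.truststore.keypass" value="junk" />
    </cm:default-properties>
  </cm:property-placeholder>
  <jaas:keystore name="local_keystore" path="${local.keystore.uri}"
      keystorePassword="${local.keystore.password}" keyPasswords="${local.keystore.keypass}" />
  <jaas:keystore name="local_truststore" path="${local.truststore.uri}"
      keystorePassword="${local.truststore.password}" keyPasswords="${local.truststore.keypass}" />
</blueprint>"""

SAMPLE_CFG = """# constructed etc/org.jboss.fuse.samples.security.cfg
local.keystore.uri = file:etc/broker.ks
local.keystore.password = ENC(Y29uc3RydWN0ZWQtc2FtcGxlLTE=)
local.keystore.keypass = ENC(Y29uc3RydWN0ZWQtc2FtcGxlLTI=)
local.truststore.uri = file:etc/broker.ts
local.truststore.password = ENC(Y29uc3RydWN0ZWQtc2FtcGxlLTM=)
"""

if __name__ == "__main__":
    # local_truststore.keyPasswords falls back to the default "junk": flagged.
    for name, attrs in audit_keystores(SAMPLE_BLUEPRINT, SAMPLE_CFG).items():
        print(name, "plaintext:" if attrs else "ok", ", ".join(attrs))
```

The check is intentionally conservative: an unresolved ${...} or a default-properties fallback is reported the same way as a literal password, because either one means the value the container will use is not coming from the encrypted configuration you intended.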
As of JBoss Fuse 6.1.1 this is failing: the management server bundle fails to locate the local_keystore referenced from org.apache.karaf.management.cfg.
Environment
- JBoss Fuse
- 6.1