Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-13755

Fuse 7.6 encrypted property placeholder feature does no longer work

XMLWordPrintable

    • QE Approved
    • % %
    • +
    • Fuse Standalone
    • Hide

      Fuse 7.6 document "Apache Karaf Security Guide section 2.3.2. "Using encrypted property placeholders" has very detailed description and step by step instruction for using encrypted property placeholders:
      https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_security_guide/esbsecurecontainer#using-encrypted-property-placeholders

      Just follow the instruction and configure encrypted password using encrypted property placeholders on your ldap-module.xml. For instance:

      <?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
        xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
        xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
        xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"
        xsi:schemaLocation="
       http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
       http://camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd">

   <ext:property-placeholder
       placeholder-prefix="$[" placeholder-suffix="]"/>

  <ext:property-placeholder>
    <ext:location>file:///$[karaf.base]/etc/ldap.properties</ext:location>
  </ext:property-placeholder>

  <enc:property-placeholder>
    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
          <property name="algorithm" value="PBEWITHHMACSHA224ANDAES_256" />
          <property name="passwordEnvName" value="JASYPT_ENCRYPTION_PASSWORD" />
        </bean>
      </property>
    </enc:encryptor>
  </enc:property-placeholder>

    <jaas:config name="karaf" rank="200">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      debug=true

      <!-- LDAP Configuration -->
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connection.username=uid=admin,ou=system
      connection.password=${ldap.password}
      connection.protocol=
      connection.url=ldap://localhost:10389
      authentication=simple
      user.base.dn=ou=users,dc=example,dc=com
      user.filter=(uid=%u)
      user.search.subtree=true
      role.base.dn=ou=roles,dc=example,dc=com
      role.name.attribute=cn
      role.filter=(uniqueMember=%fqdn)
      role.search.subtree=true
      role.mapping=amq=admin
     context.com.sun.jndi.ldap.connect.timeout=5000
     context.com.sun.jndi.ldap.read.timeout=20000
     context.com.sun.jndi.ldap.connect.pool=true
    </jaas:module>
  </jaas:config>
</blueprint>

      Encrypting the password on Karaf console:

      karaf@root()> jasypt:encrypt -a PBEWITHHMACSHA224ANDAES_256 -w <MASTER_PASSWORD> "<password string>"
Algorithm used: PBEWITHHMACSHA224ANDAES_256
Encrypted data: zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=

      And "etc/ldap.properties":

      ldap.password=ENC(zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=)

      And add the line to "bin/setenv" script:

      export JASYPT_ENCRYPTION_PASSWORD=<master_password_string>
      Show
      Fuse 7.6 document "Apache Karaf Security Guide section 2.3.2. "Using encrypted property placeholders" has very detailed description and step by step instruction for using encrypted property placeholders: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_security_guide/esbsecurecontainer#using-encrypted-property-placeholders Just follow the instruction and configure encrypted password using encrypted property placeholders on your ldap-module.xml. For instance: <?xml version= "1.0" encoding= "UTF-8" ?> <blueprint xmlns= "http: //www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:xsi= "http: //www.w3.org/2001/XMLSchema-instance" xmlns:cm= "http: //aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0" xmlns:ext= "http: //aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0" xmlns:jaas= "http: //karaf.apache.org/xmlns/jaas/v1.0.0" xmlns:enc= "http: //karaf.apache.org/xmlns/jasypt/v1.0.0" xsi:schemaLocation=" http: //www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd http: //camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd"> <ext:property-placeholder placeholder-prefix= "$[" placeholder-suffix= "]" /> <ext:property-placeholder> <ext:location>file: ///$[karaf.base]/etc/ldap.properties</ext:location> </ext:property-placeholder> <enc:property-placeholder> <enc:encryptor class= "org.jasypt.encryption.pbe.StandardPBEStringEncryptor" > <property name= "config" > <bean class= "org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig" > <property name= "algorithm" value= "PBEWITHHMACSHA224ANDAES_256" /> <property name= "passwordEnvName" value= "JASYPT_ENCRYPTION_PASSWORD" /> </bean> </property> </enc:encryptor> </enc:property-placeholder> <jaas:config name= "karaf" rank= "200" > <jaas:module className= "org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags= "required" > debug= true <!-- LDAP Configuration --> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connection.username=uid=admin,ou=system connection.password=${ldap.password} connection.protocol= connection.url=ldap: //localhost:10389 authentication=simple user.base.dn=ou=users,dc=example,dc=com user.filter=(uid=%u) user.search.subtree= true role.base.dn=ou=roles,dc=example,dc=com role.name.attribute=cn role.filter=(uniqueMember=%fqdn) role.search.subtree= true role.mapping=amq=admin context.com.sun.jndi.ldap.connect.timeout=5000 context.com.sun.jndi.ldap.read.timeout=20000 context.com.sun.jndi.ldap.connect.pool= true </jaas:module> </jaas:config> </blueprint> Encrypting the password on Karaf console: karaf@root()> jasypt:encrypt -a PBEWITHHMACSHA224ANDAES_256 -w <MASTER_PASSWORD> "<password string>" Algorithm used: PBEWITHHMACSHA224ANDAES_256 Encrypted data: zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0= And "etc/ldap.properties": ldap.password=ENC(zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=) And add the line to "bin/setenv" script: export JASYPT_ENCRYPTION_PASSWORD=<master_password_string>

      Fuse 7.6 document "Apache Karaf Security Guide" chapter 2.3 "How to Use Encrypted Property Placeholders" has very detailed description and step by step instruction for using encrypted property placeholders.

      The feature worked ok on Fuse 7.5 but does no longer work on Fuse 7.6.

      When deploying a ldap-module.xml with encrypted property placeholders to Fuse 7.6, an error was thrown:

      2020-05-06 12:51:41,245 | INFO  | FelixFrameworkWiring | o.a.a.b.c.BlueprintExtender      | 51 - org.apache.aries.blueprint.core - 1.10.2 | Destroying container for blueprint bundle ldap-module.xml/0.0.0
2020-05-06 12:51:41,312 | ERROR | FelixFrameworkWiring | o.a.a.b.c.ServiceRecipe          | 51 - org.apache.aries.blueprint.core - 1.10.2 | Error retrieving service from ServiceRecipe[name='karaf']
org.osgi.service.blueprint.container.ComponentDefinitionException: Unable to convert value BeanRecipe[name='#recipe-134'] to type class java.lang.Object
	at org.apache.aries.blueprint.di.CollectionRecipe.internalCreate(CollectionRecipe.java:92) ~[!/:1.10.2]
...
Caused by: org.osgi.service.blueprint.container.ComponentDefinitionException: org.jasypt.exceptions.EncryptionOperationNotPossibleException
	at org.apache.aries.blueprint.di.ValueRecipe.internalCreate(ValueRecipe.java:64) ~[!/:1.10.2]
	at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:108) ~[!/:1.10.2]
...
Caused by: org.jasypt.exceptions.EncryptionOperationNotPossibleException
	at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169) ~[?:?]
	at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738) ~[?:?]
	at org.apache.karaf.jaas.blueprint.jasypt.handler.EncryptablePropertyPlaceholder.getProperty(EncryptablePropertyPlaceholder.java:40) ~[?:?]
...

      The error was caused by the fact that the Jasypt library was unable to decrypt the password in property file.

        1. EncryptionAlgorithmsTest.zip
          37 kB
        2. fuse.log
          326 kB

              ldemasi Luigi De Masi
              rhn-support-qluo Joe Luo
              Vratislav Hais Vratislav Hais (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: