Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-13755

Fuse 7.6 encrypted property placeholder feature does no longer work

    XMLWordPrintable

Details

    • QE Approved
    • % %
    • +
    • Fuse Standalone
    • Hide

      Fuse 7.6 document "Apache Karaf Security Guide section 2.3.2. "Using encrypted property placeholders" has very detailed description and step by step instruction for using encrypted property placeholders:
      https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_security_guide/esbsecurecontainer#using-encrypted-property-placeholders

      Just follow the instruction and configure encrypted password using encrypted property placeholders on your ldap-module.xml. For instance:

      <?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
        xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
        xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
        xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"
        xsi:schemaLocation="
       http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
       http://camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd">

   <ext:property-placeholder
       placeholder-prefix="$[" placeholder-suffix="]"/>

  <ext:property-placeholder>
    <ext:location>file:///$[karaf.base]/etc/ldap.properties</ext:location>
  </ext:property-placeholder>

  <enc:property-placeholder>
    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
          <property name="algorithm" value="PBEWITHHMACSHA224ANDAES_256" />
          <property name="passwordEnvName" value="JASYPT_ENCRYPTION_PASSWORD" />
        </bean>
      </property>
    </enc:encryptor>
  </enc:property-placeholder>

    <jaas:config name="karaf" rank="200">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      debug=true

      <!-- LDAP Configuration -->
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connection.username=uid=admin,ou=system
      connection.password=${ldap.password}
      connection.protocol=
      connection.url=ldap://localhost:10389
      authentication=simple
      user.base.dn=ou=users,dc=example,dc=com
      user.filter=(uid=%u)
      user.search.subtree=true
      role.base.dn=ou=roles,dc=example,dc=com
      role.name.attribute=cn
      role.filter=(uniqueMember=%fqdn)
      role.search.subtree=true
      role.mapping=amq=admin
     context.com.sun.jndi.ldap.connect.timeout=5000
     context.com.sun.jndi.ldap.read.timeout=20000
     context.com.sun.jndi.ldap.connect.pool=true
    </jaas:module>
  </jaas:config>
</blueprint>

      Encrypting the password on Karaf console:

      karaf@root()> jasypt:encrypt -a PBEWITHHMACSHA224ANDAES_256 -w <MASTER_PASSWORD> "<password string>"
Algorithm used: PBEWITHHMACSHA224ANDAES_256
Encrypted data: zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=

      And "etc/ldap.properties":

      ldap.password=ENC(zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=)

      And add the line to "bin/setenv" script:

      export JASYPT_ENCRYPTION_PASSWORD=<master_password_string>
      Show
      Fuse 7.6 document "Apache Karaf Security Guide section 2.3.2. "Using encrypted property placeholders" has very detailed description and step by step instruction for using encrypted property placeholders: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_security_guide/esbsecurecontainer#using-encrypted-property-placeholders Just follow the instruction and configure encrypted password using encrypted property placeholders on your ldap-module.xml. For instance: <?xml version= "1.0" encoding= "UTF-8" ?> <blueprint xmlns= "http: //www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:xsi= "http: //www.w3.org/2001/XMLSchema-instance" xmlns:cm= "http: //aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0" xmlns:ext= "http: //aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0" xmlns:jaas= "http: //karaf.apache.org/xmlns/jaas/v1.0.0" xmlns:enc= "http: //karaf.apache.org/xmlns/jasypt/v1.0.0" xsi:schemaLocation=" http: //www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd http: //camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd"> <ext:property-placeholder placeholder-prefix= "$[" placeholder-suffix= "]" /> <ext:property-placeholder> <ext:location>file: ///$[karaf.base]/etc/ldap.properties</ext:location> </ext:property-placeholder> <enc:property-placeholder> <enc:encryptor class= "org.jasypt.encryption.pbe.StandardPBEStringEncryptor" > <property name= "config" > <bean class= "org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig" > <property name= "algorithm" value= "PBEWITHHMACSHA224ANDAES_256" /> <property name= "passwordEnvName" value= "JASYPT_ENCRYPTION_PASSWORD" /> </bean> </property> </enc:encryptor> </enc:property-placeholder> <jaas:config name= "karaf" rank= "200" > <jaas:module className= "org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags= "required" > debug= true <!-- LDAP Configuration --> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connection.username=uid=admin,ou=system connection.password=${ldap.password} connection.protocol= connection.url=ldap: //localhost:10389 authentication=simple user.base.dn=ou=users,dc=example,dc=com user.filter=(uid=%u) user.search.subtree= true role.base.dn=ou=roles,dc=example,dc=com role.name.attribute=cn role.filter=(uniqueMember=%fqdn) role.search.subtree= true role.mapping=amq=admin context.com.sun.jndi.ldap.connect.timeout=5000 context.com.sun.jndi.ldap.read.timeout=20000 context.com.sun.jndi.ldap.connect.pool= true </jaas:module> </jaas:config> </blueprint> Encrypting the password on Karaf console: karaf@root()> jasypt:encrypt -a PBEWITHHMACSHA224ANDAES_256 -w <MASTER_PASSWORD> "<password string>" Algorithm used: PBEWITHHMACSHA224ANDAES_256 Encrypted data: zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0= And "etc/ldap.properties": ldap.password=ENC(zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=) And add the line to "bin/setenv" script: export JASYPT_ENCRYPTION_PASSWORD=<master_password_string>

    Description

      Fuse 7.6 document "Apache Karaf Security Guide" chapter 2.3 "How to Use Encrypted Property Placeholders" has very detailed description and step by step instruction for using encrypted property placeholders.

      The feature worked ok on Fuse 7.5 but does no longer work on Fuse 7.6.

      When deploying a ldap-module.xml with encrypted property placeholders to Fuse 7.6, an error was thrown:

      2020-05-06 12:51:41,245 | INFO  | FelixFrameworkWiring | o.a.a.b.c.BlueprintExtender      | 51 - org.apache.aries.blueprint.core - 1.10.2 | Destroying container for blueprint bundle ldap-module.xml/0.0.0
2020-05-06 12:51:41,312 | ERROR | FelixFrameworkWiring | o.a.a.b.c.ServiceRecipe          | 51 - org.apache.aries.blueprint.core - 1.10.2 | Error retrieving service from ServiceRecipe[name='karaf']
org.osgi.service.blueprint.container.ComponentDefinitionException: Unable to convert value BeanRecipe[name='#recipe-134'] to type class java.lang.Object
	at org.apache.aries.blueprint.di.CollectionRecipe.internalCreate(CollectionRecipe.java:92) ~[!/:1.10.2]
...
Caused by: org.osgi.service.blueprint.container.ComponentDefinitionException: org.jasypt.exceptions.EncryptionOperationNotPossibleException
	at org.apache.aries.blueprint.di.ValueRecipe.internalCreate(ValueRecipe.java:64) ~[!/:1.10.2]
	at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:108) ~[!/:1.10.2]
...
Caused by: org.jasypt.exceptions.EncryptionOperationNotPossibleException
	at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169) ~[?:?]
	at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738) ~[?:?]
	at org.apache.karaf.jaas.blueprint.jasypt.handler.EncryptablePropertyPlaceholder.getProperty(EncryptablePropertyPlaceholder.java:40) ~[?:?]
...

      The error was caused by the fact that the Jasypt library was unable to decrypt the password in property file.

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. ENTESB-12958 PBEWITHHMACSHAANDAES algorithms are not working using jasypt-encryption feature

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Done

          Activity

            People

              ldemasi Luigi De Masi
              rhn-support-qluo Joe Luo
              Vratislav Hais Vratislav Hais (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: