Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-13755

Fuse 7.6 encrypted property placeholder feature does no longer work

XMLWordPrintable

    • QE Approved
    • % %
    • +
    • Fuse Standalone
    • Hide

      Fuse 7.6 document "Apache Karaf Security Guide section 2.3.2. "Using encrypted property placeholders" has very detailed description and step by step instruction for using encrypted property placeholders:
      https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_security_guide/esbsecurecontainer#using-encrypted-property-placeholders

      Just follow the instruction and configure encrypted password using encrypted property placeholders on your ldap-module.xml. For instance:

      <?xml version="1.0" encoding="UTF-8"?>
      <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
              xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
              xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
              xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"
              xsi:schemaLocation="
             http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
             http://camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd">
      
         <ext:property-placeholder
             placeholder-prefix="$[" placeholder-suffix="]"/>
      
        <ext:property-placeholder>
          <ext:location>file:///$[karaf.base]/etc/ldap.properties</ext:location>
        </ext:property-placeholder>
      
        <enc:property-placeholder>
          <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
            <property name="config">
              <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
                <property name="algorithm" value="PBEWITHHMACSHA224ANDAES_256" />
                <property name="passwordEnvName" value="JASYPT_ENCRYPTION_PASSWORD" />
              </bean>
            </property>
          </enc:encryptor>
        </enc:property-placeholder>
      
          <jaas:config name="karaf" rank="200">
          <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            debug=true
      
            <!-- LDAP Configuration -->
            initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
            connection.username=uid=admin,ou=system
            connection.password=${ldap.password}
            connection.protocol=
            connection.url=ldap://localhost:10389
            authentication=simple
            user.base.dn=ou=users,dc=example,dc=com
            user.filter=(uid=%u)
            user.search.subtree=true
            role.base.dn=ou=roles,dc=example,dc=com
            role.name.attribute=cn
            role.filter=(uniqueMember=%fqdn)
            role.search.subtree=true
            role.mapping=amq=admin
           context.com.sun.jndi.ldap.connect.timeout=5000
           context.com.sun.jndi.ldap.read.timeout=20000
           context.com.sun.jndi.ldap.connect.pool=true
          </jaas:module>
        </jaas:config>
      </blueprint>
      

      Encrypting the password on Karaf console:

      karaf@root()> jasypt:encrypt -a PBEWITHHMACSHA224ANDAES_256 -w <MASTER_PASSWORD> "<password string>"
      Algorithm used: PBEWITHHMACSHA224ANDAES_256
      Encrypted data: zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=
      

      And "etc/ldap.properties":

      ldap.password=ENC(zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=)
      

      And add the line to "bin/setenv" script:

      export JASYPT_ENCRYPTION_PASSWORD=<master_password_string>
      
      Show
      Fuse 7.6 document "Apache Karaf Security Guide section 2.3.2. "Using encrypted property placeholders" has very detailed description and step by step instruction for using encrypted property placeholders: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_security_guide/esbsecurecontainer#using-encrypted-property-placeholders Just follow the instruction and configure encrypted password using encrypted property placeholders on your ldap-module.xml. For instance: <?xml version= "1.0" encoding= "UTF-8" ?> <blueprint xmlns= "http: //www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:xsi= "http: //www.w3.org/2001/XMLSchema-instance" xmlns:cm= "http: //aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0" xmlns:ext= "http: //aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0" xmlns:jaas= "http: //karaf.apache.org/xmlns/jaas/v1.0.0" xmlns:enc= "http: //karaf.apache.org/xmlns/jasypt/v1.0.0" xsi:schemaLocation=" http: //www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd http: //camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd"> <ext:property-placeholder placeholder-prefix= "$[" placeholder-suffix= "]" /> <ext:property-placeholder> <ext:location>file: ///$[karaf.base]/etc/ldap.properties</ext:location> </ext:property-placeholder> <enc:property-placeholder> <enc:encryptor class= "org.jasypt.encryption.pbe.StandardPBEStringEncryptor" > <property name= "config" > <bean class= "org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig" > <property name= "algorithm" value= "PBEWITHHMACSHA224ANDAES_256" /> <property name= "passwordEnvName" value= "JASYPT_ENCRYPTION_PASSWORD" /> </bean> </property> </enc:encryptor> </enc:property-placeholder> <jaas:config name= "karaf" rank= "200" > <jaas:module className= "org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags= "required" > debug= true <!-- LDAP Configuration --> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connection.username=uid=admin,ou=system connection.password=${ldap.password} connection.protocol= connection.url=ldap: //localhost:10389 authentication=simple user.base.dn=ou=users,dc=example,dc=com user.filter=(uid=%u) user.search.subtree= true role.base.dn=ou=roles,dc=example,dc=com role.name.attribute=cn role.filter=(uniqueMember=%fqdn) role.search.subtree= true role.mapping=amq=admin context.com.sun.jndi.ldap.connect.timeout=5000 context.com.sun.jndi.ldap.read.timeout=20000 context.com.sun.jndi.ldap.connect.pool= true </jaas:module> </jaas:config> </blueprint> Encrypting the password on Karaf console: karaf@root()> jasypt:encrypt -a PBEWITHHMACSHA224ANDAES_256 -w <MASTER_PASSWORD> "<password string>" Algorithm used: PBEWITHHMACSHA224ANDAES_256 Encrypted data: zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0= And "etc/ldap.properties": ldap.password=ENC(zf0FX8OTMSNKVgX9yrvlbp9xNChSOYXxKTY5mLE7Us0=) And add the line to "bin/setenv" script: export JASYPT_ENCRYPTION_PASSWORD=<master_password_string>

      Fuse 7.6 document "Apache Karaf Security Guide" chapter 2.3 "How to Use Encrypted Property Placeholders" has very detailed description and step by step instruction for using encrypted property placeholders.

      The feature worked ok on Fuse 7.5 but does no longer work on Fuse 7.6.

      When deploying a ldap-module.xml with encrypted property placeholders to Fuse 7.6, an error was thrown:

      2020-05-06 12:51:41,245 | INFO  | FelixFrameworkWiring | o.a.a.b.c.BlueprintExtender      | 51 - org.apache.aries.blueprint.core - 1.10.2 | Destroying container for blueprint bundle ldap-module.xml/0.0.0
      2020-05-06 12:51:41,312 | ERROR | FelixFrameworkWiring | o.a.a.b.c.ServiceRecipe          | 51 - org.apache.aries.blueprint.core - 1.10.2 | Error retrieving service from ServiceRecipe[name='karaf']
      org.osgi.service.blueprint.container.ComponentDefinitionException: Unable to convert value BeanRecipe[name='#recipe-134'] to type class java.lang.Object
      	at org.apache.aries.blueprint.di.CollectionRecipe.internalCreate(CollectionRecipe.java:92) ~[!/:1.10.2]
      ...
      Caused by: org.osgi.service.blueprint.container.ComponentDefinitionException: org.jasypt.exceptions.EncryptionOperationNotPossibleException
      	at org.apache.aries.blueprint.di.ValueRecipe.internalCreate(ValueRecipe.java:64) ~[!/:1.10.2]
      	at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:108) ~[!/:1.10.2]
      ...
      Caused by: org.jasypt.exceptions.EncryptionOperationNotPossibleException
      	at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169) ~[?:?]
      	at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738) ~[?:?]
      	at org.apache.karaf.jaas.blueprint.jasypt.handler.EncryptablePropertyPlaceholder.getProperty(EncryptablePropertyPlaceholder.java:40) ~[?:?]
      ...
      

      The error was caused by the fact that the Jasypt library was unable to decrypt the password in property file.

        1. fuse.log
          326 kB
          Vratislav Hais

              ldemasi Luigi De Masi
              rhn-support-qluo Joe Luo
              Vratislav Hais Vratislav Hais (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: