Encrypt ConfigAdmin properties values in Apache Karaf

Apache Karaf loads all the configuration from etc/*.cfg files by default, using a mix of Felix FileInstall and Felix ConfigAdmin.

These files are regular properties file looking like:

key=value

Some values may be critical, and so not store in plain text. It could be critical business data (credit card number, etc), or technical data (password to different systems, like database for instance).

We want to encrypt such kind of data in the etc/*.cfg files, but being able to use it regulary in the application.

Karaf provides a nice feature for that: jasypt-encryption.

It’s very easy to use especially with Blueprint.

The jasypt-encryption feature is an optional feature, so it means that you have to install it first:

karaf@root()> feature:install jasypt-encryption

This feature provides:

  • jasypt bundle
  • a namespace handler (enc:*) for blueprint

Now, we can create a cfg file containing encrypted value. The encrypted value is “wrapped” in a ENC() function.

For instance, we can create etc/my.cfg file containing:

mydb.url=host:portmydb.username=usernamemydb.password=ENC(zRM7Pb/NiKyCalroBz8CKw==)

In the Blueprint descriptor of our application (like a Camel route Blueprint XML for instance), we use the “regular” cm namespace (to load ConfigAdmin), but we add a Jasypt configuration using the enc namespace.

For instance, the blueprint XML could look like:

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">  <cm:property-placeholder persistent-id="my" update-strategy="reload">    <cm:default-properties>      <cm:property name="mydb.url" value="localhost:9999"/>      <cm:property name="mydb.username" value="sa"/>      <cm:property name="mydb.password" value="ENC(xxxxx)"/>    </cm:default-properties>  </cm:property-placeholder>  <enc:property-placeholder>    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">      <property name="config">        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">          <property name="algorithm" value="PBEWithMD5AndDES"/>          <property name="passwordEnvName" value="ENCRYPTION_PASSWORD"/>        </bean>      </property>    </enc:encryptor>  </enc:property-placeholder>  <bean id="dbbean" class="...">    <property name="url" value="${mydb.url}"/>    <property name="username" value="${mydb.username}"/>    <property name="password" value="${mydb.password}"/>  </bean>  <camelContext xmlns="http://camel.apache.org/schemas/blueprint">     <route>        ...        <process ref="dbbean"/>        ...     </route>  </camelContext></blueprint>

It’s also possible to use encryption not in ConfigAdmin, directly loading an “external” properties file using the ext blueprint namespace:

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0">  <ext:property-placeholder>    <ext:location>file:etc/db.properties</ext:location>  </ext:property-placeholder>  <enc:property-placeholder>    <enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">      <property name="config">        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">          <property name="algorithm" value="PBEWithMD5AndDES"/>          <property name="passwordEnvName" value="ENCRYPTION_PASSWORD"/>        </bean>      </property>    </enc:encryptor>  </enc:property-placeholder>  ...</blueprint>

where etc/db.properties looks like:

mydb.url=host:portmydb.username=usernamemydb.password=ENC(zRM7Pb/NiKyCalroBz8CKw==)

It’s also possible to use directly the ConfigAdmin in code. In that case, you have to create the Jasypt configuration programmatically:

StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();EnvironmentStringPBEConfig env = new EnvironmentStringPBEConfig();env.setAlgorithm("PBEWithMD5AndDES");env.setPassword("ENCRYPTION_PASSWORD");enc.setConfig(env);...

Comments

Post a Comment

Popular posts from this blog

Quarkus and "meta" extension

Quarkus is a great Java framework with a large ecosystem thanks to the extensions . Basically, if using Maven, your pom.xml contains the list of the extensions you want to use, meaning something like this: ... <dependency> <groupId>io.quarkus</groupId> <artifactId>quarkus-grpc</artifactId> </dependency> <dependency> <groupId>io.quarkus</groupId> <artifactId>quarkus-opentelemetry</artifactId> </dependency> ... It can quickly become large, and sometime you can have "conflict" between extensions (for example if you mix in the same dependencies set reactive and non reactive extensions). Quarkus "meta" extension To simplify the dependencies for the extensions you want to use (especially if it's basically the same extensions in all your services), you can create your own "meta" extension. This extension doesn't contain actual code, it "wraps" other exten
Read more

Getting started with Apache Karaf Minho

Image
Apache Karaf Minho Apache Karaf Minho is a new runtime, completely created from scratch. The objectives are: super easy to use and run ligtning fast, including GraalVM support Kubernetes compliant to be easily used on the cloud helping to optimize cloud costs by supporting applications colocation providing turnkey services allowing you to create Minho applications in a minute Minho is composed by: minho-boot is the core of Minho. It contains the runtime launcher and the core services (service registry, lifecycle service, configuration service, ...). minho-* services provided additional functionnalities in the runtime. You can use these services to create your own services, it's also where you will find the services managing sepcific kind of applications, allowing colocation. minho-tooling optionally provide convenient tools to create your own runtime. It includes minho-maven-plugin for instance. In this blog post, we will take a quick tour on A
Read more

Apache Karaf Minho and OpenTelemetry

Image
Telemetry is an important part of a software stack, especially on distributed system (where services call each others). OpenTelemetry is a CNCF project coming from OpenTracing and OpenCensus. It provides API to easily instrument your code and tools to collect and export telemetry data (metrics, logs and traces). Before going into how to use OpenTelemetry with Minho, we have to understand some key concepts: Span is a single building block representing an operation or some unit of work that you want to capture. They are capable of standing on their own, referencing (or following) from other spans, storing metadata, tags, etc. Trace is a visualisation of the life of a request (or series of other operations) that is made up of one or more spans. This collection of spans work together to paint a picture of the overall request, allowing you to easily reconstruct what happened within each span, etc. SpanContext is a wrapper of key values pairs that associates a trace to one or mor
Read more