Securing Configurations

The UltraESB configurations may usually contain security sensitive information such as passwords used for authentication or database access. When deploying in a production environment, it is possible to secure these values from being visible in the configuration using the optional Jasypt library [http://www.jasypt.org/], or the native utility shipped by default with the UltraESB

Using Jasypt

Jasypt uses password based encryption, and generates unique strings even when the same password is encrypted under two scenarios. Use of Jasypt requires a master key, which could be specified as an Environment variable if desired.

You can use encrypt.sh/bat scripts from the bin directory to generate encrypted passwords.

./encrypt.sh -encrypt

USAGE: -encrypt [ARGUMENTS]

  * Arguments must apply to format:

      "arg1=value1 arg2=value2 arg3=value3 ..."

  * Required arguments:

      input

      password

  * Optional arguments:

      verbose

      algorithm

      keyObtentionIterations

      saltGeneratorClassName

      providerName

      providerClassName

      stringOutputType

To store an encrypted password in the configuration, first use the encrypt.sh/bat scripts as follows, and save the encrypted output generated.  As mentioned before, note that the same input will result in different outputs on each execution run. See [http://www.jasypt.org/cli.html] for more information.

$ ./encrypt.sh input='password' password='jasypt' verbose=false algorithm=PBEWithMD5AndDES
Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0

To use the encrypted password, please refer to the standard Jasypt documentation at [http://www.jasyptorg/encrypting-configuration.html] on how Jasypt works with a Spring configuration. For example, we could now place the above encrypted output in the conf/encrypted.properties file as follows.

secure_password=ENC(Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0)

If you need a more stronger password encryption mechanism you may use the Bouncy Castle provider and use strong algorithm pairs such as SHA2 family and AES families. An example of using those strong algorithms with using the BC provider is as follows;

sh bin/encrypt.sh input='password' password='jasypt' verbose=false algorithm=PBEWITHSHA256AND256BITAES-CBC-BC providerName=BC providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider

Which will encrypt the same above password to be;

secure_password=ENC(buRXqYyQvifIzwEyqxlHHnaG95+5myuRIyiHVNYbyRk=)

To specify this encrypted password to the SSL keystore, we could configure the https transport as follows, and un-comment the Jasypt propertyconfigurer as shown below. In the following example, the master key is specified inline in clear text. But you can tell Jasypt to read the master key from an environment variable (e.g. APP_PASSWORD as shown in the commented text)

Securing Configurations

<bean id="https-8443" class="org.adroitlogic.ultraesb.transport.http.HttpsNIOListener">
    ...
    <property name="identityKeyPassword" value="${secure_password}"/>
    <property name="identityStorePassword" value="${secure_password}"/>
    ...
</bean>
...
<!--
    Uncomment to use Jasypt to secure passwords used on this configuration (e.g. keystore, DB passwords etc)
    e.g. specify the HTTPS identity store password as <property name="identityKeyPassword" value="${secure_password}"/>
    where the default conf/encypted.properties file contains the below encrypted password
    secure_password=ENC(Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0)
-->
<bean id="propertyConfigurer" class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg>
        <bean class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
            <property name="config">
                <!-- Use this to specify the Jasypt password as an Environment variable (e.g. named APP_PASSWORD)-->
                <!--<bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
                    <property name="algorithm" value="PBEWithMD5AndDES"/>
                    <property name="passwordEnvName" value="APP_PASSWORD"/>
                </bean>-->
                <!--A simple hard coded master password (e.g. "jasypt") for Jasypt-->
                <bean class="org.jasypt.encryption.pbe.config.SimpleStringPBEConfig">
                    <property name="algorithm" value="PBEWithMD5AndDES"/>
                    <property name="password" value="jasypt"/>
                    <!-- Uncomment the following 2 properties if you are using Bouncy Castle provider -->
                    <!--<property name="providerClassName" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
                    <property name="providerName" value="BC"/>-->
                </bean>
            </property>
        </bean>
    </constructor-arg>
    <property name="locations">
        <list>
            <value>encrypted.properties</value>
        </list>
    </property>
</bean>

Using the custom encryption utility

The UltraESB distribution includes a custom utility to encrypt passwords for use with the UltraESB, and this follows the same encryption as JBoss AS to secure information. Again the encrypt.sh/bat is used as shown below.

$ ./encrypt.sh -secure mysecretpassword
BIGINT16(242649d246c219535dfc52b51bd35553df8592078de921bc)

The default execution generates an encrypted password compatible with the method used by JBoss AS.

Note
THIS DEFAULT IS NOT A SECURE PASSWORD, AS IT USES A HARD CODED PASSPHRASE

However, for most production uses, this level of protection maybe adequate. Next the value output by the script should be fed into the conf/encrypted.properties as follows.

jasypt_secured_password=ENC(Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0)
simple_secured_password=BIGINT16(5dfc52b51bd35553df8592078de921bc)
salted_secured_password=SALTEDBIGINT16(5dfc52b51bd3555348aab25bcaae358ba6697cc62e0f6fed44eca159f7572afdda48343bf69725f9)

The example above shows three possible variations to secure passwords. The line #1 shows the use of Jasypt, while line #2 shows the default encryption (as per JBoss AS methodology) and line #3 shows the custom encryption with an additional salt.

The configuration snippet shown below should then be uncommented from the ultra-root.xml and customized as desired. Then the configuration could specify "${simple_secured_password}" etc as per the earlier example, and decrypt the actual value at runtime. Be sure to ensure that if the algorithm, password and salted flag are modified, that they correspond to those used in the encryption of the value as well. The "passwordEnvVar" attribute can specify the name of an Environment variable, that could alternatively hold the password or the master key instead of the clear-text "password" attribute

Secure properties

<!--To encrypt the passwords using a rather simple mechanism (the same used in JBoss AS) use the following bean. To
improve the password with a salt, you could set the salted attribute to true, forcing a unique string on each run-->
<bean class="org.adroitlogic.ultraesb.util.encrypt.SecurePropertyManager" init-method="init">
    <!--<property name="salted" value="true"/-->
    <!--<property name="algorithm" value="Blowfish"/-->
    <!--<property name="password" value="masterkey"/-->
    <!--<property name="passwordEnvVar" value="APP_PASSWORD"/-->
    <property name="location">
        <value>encrypted.properties</value>
    </property>
</bean>
$ ./encrypt.sh -secure
Invalid arguments. Execute as follows:
java SecurePropertyManager [-decrypt] <secret> [-p<password>] [-a<algorithm>] [-salted]

By executing the encrypt.sh/bat as above, one could look into the possible options for the custom encryptor. The -p<password> option and -a<algorithm> option could be specified on the command line. The default algorithm is "Blowfish". Optionally, one could use the script to decrypt an encrypted password as well.

Here are some examples showing the various aspects:

$ ./encrypt.sh -secure 'mysecretpassword' -pmasterkey -aBlowfish
BIGINT16(2fbb8ceb5c7f5cda2b7123550ff30b8b92ba1926f9151960)

//$ ./encrypt.sh -secure -decrypt 'BIGINT16(2fbb8ceb5c7f5cda2b7123550ff30b8b92ba1926f9151960)' -pmasterkey -aBlowfish
//mysecretpassword

$ ./encrypt.sh -secure 'mysecretpassword' -salted
SALTEDBIGINT16(242649d246c219535dfc52b51bd3555348aab25bcaae358bd08a8d27eedb49a7b88ea5c909f53a9b3d8806a6de5726fd)

//$ ./encrypt.sh -secure -decrypt 'SALTEDBIGINT16(242649d246c219535dfc52b51bd3555348aab25bcaae358bd08a8d27eedb49a7b88ea5c909f53a9b3d8806a6de5726fd)' -salted
//mysecretpassword
Use of single quotes for input strings
Note that we have surrounded the input strings by single quotes in the above examples. If your inputs doesn’t include any special characters you can use the inputs without the surrounding single quotes but if your inputs do include special characters like '$' or '!' then you have to either surround the inputs with single quotes or escape the special characters in inputs.
In this topic
In this topic
(c) Copyright 2016-2017 AdroitLogic. All rights reserved.
Terms of Use
Contact Us