Open bmarwell opened 7 months ago
@bmarwell Are you requesting to specifically create a built in Config Source for JNDI Entries? Or is this a generic enhancement request that any Liberty server.xml Config Source should be able to handle encoded values?
Note that the server.xml docs already state if a value can be encoded. If the docs do not mention encoding then it isn't supported. jndiEntry has a `decode` attribute but many others call it out in their description (e.g. containerAuthData password).
> @bmarwell Are you requesting to specifically create a built in Config Source for JNDI Entries? Or is this a generic enhancement request that any Liberty server.xml Config Source should be able to handle encoded values?
No, my idea is to make it only mpConfig-related and add it as a mpConfig resource.
> create a built in Config Source
... can I create one myself without creating a user feature?
> but many others call it out in their description
Maybe there should be an overview page where attributes can be encrypted/encoded/hashed, i.e. which configuration items support this. But that would be another issue and not part of this one, which merely requests to add a built-in mpConfig source.
OK so this issue is going to be for
`decode` attribute is true then the value will be decoded before use
Yes! Here's some more context about the idea.
JNDI variables would solve all of those problems:
Does that make sense? If so, maybe we could make this a blog entry. This is only possible because Eclipse mpConfig was designed to allow different config sources, which is brilliant (in this case).
Let me know whether my assumptions are correct :)
Describe the use case that you want to enable:
Currently, it is not clear whether any configuration source can benefit from the Liberty encryption. If this was possible, the secrets could be stored on disk in an encrypted way.
I know JNDI properties can be encrypted, so let's add JNDI to the existing ones:
META-INF/microprofile-config.properties
Source: https://openliberty.io/docs/latest/external-configuration.html
The idea is to add two things:
First idea
e.g.:
Then make it available via:
Example taken from: https://openliberty.io/docs/latest/reference/feature/jndi-1.0.html
Second idea
Add a column to https://openliberty.io/docs/latest/external-configuration.html whether values can be stored encrypted or not.
Describe why this is important to you:
Currently, the docs (https://openliberty.io/docs/latest/external-configuration.html) don't mention whether any of those can be stored encrypted (e.g. using `securityUtility encode`). While this is not a sufficient encryption to stop hackers, it is better to not store passwords in plain text anyway. The docs should also link to: https://openliberty.io/docs/latest/password-encryption.html
Additional context
./.