OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

SVT: Harden security of custom AES key : avoid clear text #29619

Open mtamboli opened 2 months ago

mtamboli commented 2 months ago

Describe the bug

Currently, Liberty allows adding a custom AES encryption key by including this config in server.xml. It is the admin's responsibility to protect this file on the file system. But it would be good to have some way to protect this key instead of clear text. At minimum, base64 encoding the clear text. I tried, and it does not seem that Liberty is able to handle the encoded key; it seems to take this as the literal key.

This is how we define the key and include this file in server.xml:

more /opt/ibm/wlp/output/defaultServer/resources/liberty-operator/encryptionKey.xml
<?xml version="1.0" encoding="UTF-8"?>
<server>
    <variable name="wlp.password.encryption.key" value="svtmstkey" />
</server>

I tried to encode the above key and replace it with the encoded key:

  1. Encode AES key:

/root/liberty/ee11/wlp/bin/securityUtility encode svtmstkey
{xor}LCkrMiwrNDom

  2. Update key with encoded key:

more /opt/ibm/wlp/output/defaultServer/resources/liberty-operator/encryptionKey.xml
<?xml version="1.0" encoding="UTF-8"?>
<server>
    <variable name="wlp.password.encryption.key" value="{xor}LCkrMiwrNDom
" />
</server>

As a result of this, there are exceptions and it is not able to handle the DB2 authentication passwords encrypted with svtmstkey.


Steps to Reproduce

Steps described above.

Expected behavior

Diagnostic information:

Liberty version 24.0.0.8 Eclipse OpenJ9 VM, version 17.0.8.1+1 (en_US)

Additional context

AESDecryptionError.log

mtamboli commented 2 months ago

@arkarkala @nstewart0206 @leochr

Zech-Hein commented 1 month ago

Hi Monica, thank you for raising this. I agree, I think there is value in allowing the encryption key value to be encoded. I will raise this as part of an upcoming feature.
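
An added example, not from the issue or the Open Liberty code base: Liberty's `{xor}` encoding is base64 over bytes XORed with `_` (0x5F), which reproduces the `securityUtility encode` output quoted above, so an encoded key is recoverable without any secret. The audit below flags a key file whose value is clear text or `{xor}`-encoded and whose permissions allow group/other access; the function names and the sample file are constructed for illustration.

```python
import base64
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

KEY_VAR = "wlp.password.encryption.key"  # variable name used in the issue
XOR_MASK = 0x5F  # '_' : the mask behind Liberty's {xor} encoding


def xor_encode(text: str) -> str:
    """Reproduce the default ({xor}) output of `securityUtility encode`."""
    masked = bytes(b ^ XOR_MASK for b in text.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def xor_decode(value: str) -> str:
    """Reverse {xor}: base64-decode, then XOR every byte with the mask."""
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_MASK for b in raw).decode("utf-8")


def audit_key_file(path: str) -> list:
    """Return findings for a Liberty config file that defines the AES key."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:04o} grants group/other access")
    for var in ET.parse(path).getroot().iter("variable"):
        if var.get("name") != KEY_VAR:
            continue
        value = (var.get("value") or "").strip()
        if value.startswith("{xor}"):
            findings.append("key is {xor}-encoded: reversible without a secret")
        elif value:
            findings.append("key is stored in clear text")
    return findings


def make_sample(value: str, mode: int) -> str:
    """Write a constructed copy of the issue's encryptionKey.xml (hypothetical helper)."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(f'<server>\n  <variable name="{KEY_VAR}" value="{value}" />\n</server>\n')
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = make_sample(xor_encode("svtmstkey"), 0o644)
    print(xor_encode("svtmstkey"), audit_key_file(sample))
    os.remove(sample)
```

Either finding on the key value means the confidentiality of every `{aes}` password derived from it rests on the file's permissions alone.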