Open jgebal opened 1 month ago
Good luck with Java, OSGi and Karaf - you'll need it ;)
Technically speaking, Pax JDBC can use encrypted properties. The decryption is performed using https://github.com/jasypt/jasypt and you have to encrypt the value yourself. I don't even think there's an easy command line invocation to help here - you need to write some code.
But if you already have an encrypted value, you need decryptor property in org.ops4j.datasource factory configuration (e.g., etc/org.ops4j.datasource-mydatabase.cfg file in Karaf).
This property is an alias to look up an OSGi service with org.jasypt.encryption.StringEncryptor interface. OSGi services are identified using LDAP syntax and the filter is:
(&(objectClass=org.jasypt.encryption.StringEncryptor)(alias=_your-alias-from-decryptor-property_))
So your task is to have some bundle register such service where you can configure an instance of org.jasypt.encryption.StringEncryptor implementation with proper configuration.
In blueprint you can configure such implementation using:
<bean id="encryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
            <property name="algorithm" value="PBEWithMD5AndDES" />
            <property name="passwordSysPropertyName" value="secret-value" />
        </bean>
    </property>
</bean>
<service interface="org.jasypt.encryption.StringEncryptor" ref="encryptor">
    <service-properties>
        <entry key="alias" value="my-decryptor" />
    </service-properties>
</service>
<bean> defines the bean (you can do it without Blueprint in Java code)
<service> publishes this bean as OSGi service with org.jasypt.encryption.StringEncryptor with alias service property (you can manually register such service using BlueprintContext API)
Anyway - the application you're going to maintain may already have other methods for service registration (blueprint, scr, BundleContext...) so treat this answer as a hint, not as straightforward recipe...
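The "encrypt the value yourself" step from the answer above, as an added example that is not part of the original thread or of Pax JDBC. It configures Jasypt exactly like the Blueprint bean (same algorithm, master password read from the `secret-value` system property) so the registered `StringEncryptor` can decrypt the result. The class name, the `password` key and the `ENC(...)` wrapper are assumptions to check against your Pax JDBC version.

```java
import java.io.Console;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;

// Hypothetical helper class; run with jasypt on the classpath and
// -Dsecret-value=<master password> on the java command line.
public class EncryptDataSourcePassword {

    // Mirrors the Blueprint <bean>: any difference in algorithm or master
    // password makes decryption inside Karaf fail.
    static StandardPBEStringEncryptor newEncryptor() {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");
        // Reads the master password from the system property named "secret-value".
        config.setPasswordSysPropertyName("secret-value");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    public static void main(String[] args) {
        if (System.getProperty("secret-value") == null) {
            System.err.println("Set the master password with -Dsecret-value=...");
            System.exit(1);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("No interactive console; run from a terminal.");
            System.exit(1);
        }
        // Prompt instead of taking an argument, so the database password
        // does not end up in shell history.
        char[] plain = console.readPassword("Database password: ");
        String encrypted = newEncryptor().encrypt(new String(plain));

        // Round trip with a fresh instance: proves the same settings decrypt it.
        if (!newEncryptor().decrypt(encrypted).equals(new String(plain))) {
            throw new IllegalStateException("round-trip decryption failed");
        }
        // Lines for etc/org.ops4j.datasource-mydatabase.cfg; the alias matches
        // the service property in the Blueprint above. ENC(...) is assumed.
        System.out.println("decryptor = my-decryptor");
        System.out.println("password = ENC(" + encrypted + ")");
    }
}
```

Jasypt salts each encryption, so the output differs on every run; the round-trip check is what confirms it is usable.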
Thanks a million @grgrzybek I'll look into that a bit more tomorrow. I have found some guidelines on RedHat pages.
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_transaction_guide/using-jdbc-data-sources#using-encrypted-configuration-values
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html-single/apache_karaf_security_guide/index
There are some mentions of how to use JASYPT here too: https://karaf.apache.org/manual/latest-2.x/developers-guide/security-framework.html
I think I am on track to have that working...
Thanks again!
no problem! good luck ;) you can always find me here.
@grgrzybek It looks like someone already had a similar problem and solved it with this feature: https://github.com/BlackBeltTechnology/karaf-jasypt-support
I have managed to get all of my configuration up and running with that module.
The readme was missing some info for a newbie like me but I got to a working state and so I'm happy about it.
Thank you for your help and feedback.
Hi, I'm totally new to PAX.JDBC, Java and Karaf but I have inherited a Karaf service that I need to maintain. The service is a SOAP data provider that is connecting to a database. The whole thing is developed and deployed from Talend Open Studio ESB into a Karaf container as a kar file. The trouble I am facing is that the passwords in the configuration file for the connection pool are stored as plain text.
When trying to encrypt them I face some issues. I cannot really find a working guideline for setting up Jasypt with Karaf and using it with PAX.JDBC.CONFIG for the connection pool.
When I put a password encrypted by tesb-encryptor-command into the cfg file, the DataSource is not created. There are no errors in the log file.
I am using PAX.JDBC version 1.5.7.
The DEBUG level log when Password is in plain text is: scratch_90.txt
The DEBUG level log when Password is encrypted is: scratch_91.txt