ops4j / org.ops4j.pax.jdbc

An OSGi JDBC Service Implementation, including adapters for various database drivers
Apache License 2.0

Help needed - PAX.JDBC.POOL - how to encrypt password in Karaf? #368

Open jgebal opened 1 month ago

jgebal commented 1 month ago

Hi, I'm totally new to PAX.JDBC, Java and Karaf, but I have inherited a Karaf service that I need to maintain. The service is a SOAP data provider that is connecting to a database. The whole thing is developed and deployed from Talend Open Studio ESB into a Karaf container as a kar file. The trouble I am facing is that the passwords in the configuration file for the connection pool are stored as plain text.

When trying to encrypt them I face some issues. I cannot really find a working guideline for setting up Jasypt with Karaf and using it with PAX.JDBC.CONFIG for connection pool.

When I put a password encrypted by tesb-encryptor-command into the cfg file, the DataSource is not created. There are no errors in the log file.

I am using PAX.JDBC version 1.5.7.

The DEBUG level log when Password is in plain text is: scratch_90.txt

The DEBUG level log when Password is encrypted is: scratch_91.txt

grgrzybek commented 1 month ago

Good luck with Java, OSGi and Karaf - you'll need it ;)

Technically speaking, Pax JDBC can use encrypted properties. The decryption is performed using https://github.com/jasypt/jasypt and you have to encrypt the value yourself. I don't even think there's an easy command line invocation to help here - you need to write some code.

But if you already have an encrypted value, you need decryptor property in org.ops4j.datasource factory configuration (e.g., etc/org.ops4j.datasource-mydatabase.cfg file in Karaf).

This property is an alias to look up an OSGi service with org.jasypt.encryption.StringEncryptor interface. OSGi services are identified using LDAP syntax and the filter is:

(&(objectClass=org.jasypt.encryption.StringEncryptor)(alias=_your-alias-from-decryptor-property_))

So your task is to have some bundle register such service where you can configure an instance of org.jasypt.encryption.StringEncryptor implementation with proper configuration.

In blueprint you can configure such implementation using:

<bean id="encryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config">
        <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
            <property name="algorithm" value="PBEWithMD5AndDES" />
            <property name="passwordSysPropertyName" value="secret-value" />
        </bean>
    </property>
</bean>
<service interface="org.jasypt.encryption.StringEncryptor" ref="encryptor">
    <service-properties>
        <entry key="alias" value="my-decryptor" />
    </service-properties>
</service>

Anyway - the application you're going to maintain may already have other methods for service registration (blueprint, scr, BundleContext...) so treat this answer as a hint, not as a straightforward recipe...
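The same registration done from a BundleActivator instead of blueprint, as an added example that is not part of this thread or of Pax JDBC itself: the bundle builds a StandardPBEStringEncryptor and registers it as a StringEncryptor service under the alias that the decryptor property in the org.ops4j.datasource-*.cfg file names. The package, class name and environment-variable name are assumptions; the master password is read from the environment so that it never sits next to the encrypted values in etc/.

```java
package com.example.karaf.jasypt; // hypothetical package name

import java.util.Dictionary;
import java.util.Hashtable;

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;

public class EncryptorActivator implements BundleActivator {
    // Hypothetical variable name. The master password must not be stored in
    // the same etc/*.cfg file as the values it protects, nor in the bundle.
    static final String MASTER_PASSWORD_ENV = "DATASOURCE_MASTER_PASSWORD";
    // Must match "decryptor=my-decryptor" in etc/org.ops4j.datasource-mydatabase.cfg;
    // Pax JDBC then looks the service up with the LDAP filter shown above.
    static final String ALIAS = "my-decryptor";

    private ServiceRegistration<StringEncryptor> registration;

    @Override
    public void start(BundleContext context) {
        if (System.getenv(MASTER_PASSWORD_ENV) == null) {
            // Fail fast: a missing key would otherwise show up later only as a
            // DataSource that is never created, with nothing in the log.
            throw new IllegalStateException(MASTER_PASSWORD_ENV + " is not set");
        }
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        // Same algorithm as the blueprint snippet; on a modern JCE jasypt also
        // accepts stronger PBE algorithms such as PBEWITHHMACSHA512ANDAES_256.
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setPasswordEnvName(MASTER_PASSWORD_ENV); // read, never logged

        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);

        Dictionary<String, Object> props = new Hashtable<>();
        props.put("alias", ALIAS);
        registration = context.registerService(StringEncryptor.class, encryptor, props);
    }

    @Override
    public void stop(BundleContext context) {
        if (registration != null) {
            registration.unregister();
            registration = null;
        }
    }
}
```

The encrypted property values in the cfg file must have been produced with the same algorithm and master password, which is why a decryptor that is configured differently from the encryption step yields no DataSource rather than an error.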

jgebal commented 1 month ago

Thanks a million @grgrzybek I'll look into that a bit more tomorrow. I have found some guidelines on RedHat pages. https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html/apache_karaf_transaction_guide/using-jdbc-data-sources#using-encrypted-configuration-values https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/html-single/apache_karaf_security_guide/index

There are some mentions of how to use JASYPT here too: https://karaf.apache.org/manual/latest-2.x/developers-guide/security-framework.html

I think I am on track to have that working...

Thanks again!

grgrzybek commented 1 month ago

No problem! Good luck ;) You can always find me here.

jgebal commented 1 month ago

@grgrzybek It looks like someone already had a similar problem and solved it with this feature: https://github.com/BlackBeltTechnology/karaf-jasypt-support

I have managed to get all of my configuration up and running with that module.

The readme was missing some info for a newbie like me but I got to a working state and so I'm happy about it.

Thank you for your help and feedback.