I'm looking for information on where the JVM custom properties are stored and how they are protected. Are they encoded, encrypted, or something else?
In case of traditional WebSphere Application Server they are stored in the server.xml file in the following location (by default) /install_root/profiles/<profile_name>/config/cells/<cellname>/nodes/<nodename>/servers/server1/server.xml
In case of WebSphere Liberty or Open Liberty they are stored in jvm.options file in the server directory /wlp/usr/servers/<servername>
In both cases they are in plain text.
Why would you like to encode/encrypt them?
If you want to store for example database credentials, then you should create datasource and authentication alias. Password in authentication alias can be encoded (xor) or encrypted (aes).
Or use system environment variables to pass them during the runtime and not store in the configuration. You can pass environment variables to docker containers via -e or in Kubernetes via Secrets/ConfigMaps.
Related
I have a .pfx file that I use for communicating with a web service. I load it from classpath in development environment like this:
application.yml
my-config:
certificate: classpath:/certificate/dev/mycertificate.pfx
Service.java
SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_PROTOCOL);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore keystore = KeyStore.getInstance("JKS");
Resource certificateResource = myConfig.getCertificate();
keystore.load(certificateResource.getInputStream(), myConfig.getCertPassword().toCharArray());
certificateResource.getInputStream().close()
keyManagerFactory.init(keystore, myConfig.getCertPassword().toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
requestContext.put(SSL_SOCKET_FACTORY, sslContext.getSocketFactory());
This works fine in development environment. The problem is, I do not want to just push the certificate resource to git repo. Also I cannot put the file inside the server because we use pivotal application service for hosting the app. So is there any way I can securely store the certificate file in the config server or anywhere else?
Thanks.
You could put the cert into Spring Cloud Config Server. If you are using Spring Cloud Services for VMware Tanzu you can follow these instructions and store the value into CredHub through SCS.
Alternatively, you could store encrypted values in a Git backend and SCS will decrypt them for you. See instructions here. You could also store things in Vault, but Vault is not provided by the SCS for VMware Tanzu tile. You'd have to run your own Vault server. Instructions for using Vault. Both of these options, I feel, are a bit more work than using SCS's support for CredHub.
If you are trying to use only OSS Spring Cloud Config, you can do that too, but it's more work, more than I can cover here. That said, all three of these options are available there as well:
CredHub backend w/SCS.
Git + encrypted properties.
Vault backend w/SCS.
Vault and CredHub both have certificate types specifically for storing certificates. I do not believe SCS exposes these options, so you would be just storing the text representation of your certificate.
All of these options assume that you want to use Spring Cloud Config server. If you wanted an option not tied to Spring, you could use the CredHub Service Broker tile. This allows you to store items in CredHub and then present them as bound services. With it, you could create a bound service that represents your certificate, bind that to the apps that require it, and then fetch your certificate from VCAP_SERVICES like any other bound service.
The downside of this approach is that VCAP_SERVICES is an environment variable, so it's storing text only and there are limits to how much information can be stored.
I'm deploying my Spring boot application into Heroku server via git deployment. There are passwords and api secrets in my application.yml. Those properties are encrypted with Jasypt. One thing I don't understand is: how to pass jasypt decryption password into deployed application for startup?
Heroku has Config Vars, but they do not seem secure, considering that all of them could be revealed on the dashboard
Is there a secure way to send a password into deployment?
the Config Vars is the accepted mechanism to pass runtime information to the apps upon deployment;
It is pretty secure if the access to the Dashboard is controlled of course (those settings are never exposed or logged), only the owner can reveal the values.
To make a flow and controller services environment agnostic(So that moving from dev-stage-prod would be easy), I am using variables/Expression language for passwords and usernames. And plan to read them the passwords/usernames from a custom.properties file or in process group variables.
Not very comfortable in typing out the password directly in either. So would like to use some form of encryption and later decrypt it in the needed processors.(Can NIFI decrypt it in memory for all processors?)
Example : If am using a JDBC connection pool and the password for connecting to the DB through controller service be “badPassword”.
In custom.properties file,
my.password.for.JDBC.connection.pool = badPassword
And in the controller service for Password the value would be ${ my.password.for.JDBC.connection.pool }
The same example could be applied for different processors like FTP, SFTP or to invoke http processor where there is a Basic Authorization token.
Is there way to encrypt it and enter the encrypted password in the custom.properties file or in the process group variables and decrypt it in the corresponding processor.
There is an open Jira for this feature, and with the upcoming Apache NiFi Registry effort, the flow versioning will allow for promotion of flows between dev/test/prod environments with referenced variable credentials. At this time, however, the variable registry values (your custom.properties values) cannot be encrypted.
I was wondering how people are handling security aspects when using Spring Cloud Config.
I'm planning to use Spring Cloud Config Server and Client together with Spring Boot. From an implementation point of view this is quite straight, but how do you deal with the risk of disclosing password/access to every developer.
e.g. you run one central configserver containing configurations for all environment. In the bootstrap.yml of the config client app you'll have to configure the username/password to access the configserver. So far so good, but when I know commit the username/password in the respective yml file, then every developer has potential access to all environments by just switching the profile from e.g. development to production (please let's not start a discussion why not every developer needs access to production).
I'm aware that I can encrypt all passwords in the configuration, we do this, but that's not what I'm looking for. Encryption is just a feature to not have the passwords being stored plaintext in the files, but the user does not really need to know the plain password to get access if he has access to the configserver in the first place.
This is also about avoiding mistakes during development... its just to easy to switch the local environment to connect to production or any other environment.
So how are people dealing with this? Do you inject a different bootstrap.yml in development then in other environments? if so how do you administrate/propagate these?
Do you set the password for the configuration user on the comandline?
...?
We use variables and default values for config server URL, user and password
${config_username:user}:${config_password:password}#${config_server:conf.mydomain.com}
Default values can be valid credentials for development environment this way you simply run it while you develop. When you deploy to production simply set those environment variables and your application will connect to a different config server
I was thinking about this myself and came up with 3 options. In all cases, use {cipher} values in repos for sensitive data and disable various actuator endpoints that would allow decryption or property value lists.
Have two config servers, one for dev and one for prod, with no dev access to the prod server, controlled by credentials provided to the prod client at runtime.
Perform the decryption client side, using a secret provided to the prod client at runtime.
Explicitly define a prod profile and block access to URLs containing that profile from non-prod servers.
I have a windows service with an accompanying config file. The service is going to be installed on a bunch of lab computers and monitor things such as diskspace, network connectivity, logins, etc.
After a set interval, it will report the statistics to a Database. In order to connect to the DB, I currently have the application user's name and password stored in the connection string, which can be found in the config file.
What's the best way to secure this, such that regular users cannot access it? We do a similar thing here with our webapps using the Web.config, and we have IIS setup such that people can't browse into the directory and read it.
Is there a best practice to securing a config file stored locally on each machine for a windows service?
Use the same method that you would use for web.config
1- Go to the windows service folder, where configuration file is located
2- Rename the config file to web.config (back it up first)
3- Execute:
c:\Windows\Microsoft.NET\Framework64\[the asp versino]\aspnet_regiis.exe -pef "[name of the config file to encrypt]" .
4- Rename the web.config back to the original name
More info here
https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx