I was wondering how people are handling security aspects when using Spring Cloud Config.
I'm planning to use Spring Cloud Config Server and Client together with Spring Boot. From an implementation point of view this is quite straight, but how do you deal with the risk of disclosing password/access to every developer.
e.g. you run one central configserver containing configurations for all environment. In the bootstrap.yml of the config client app you'll have to configure the username/password to access the configserver. So far so good, but when I know commit the username/password in the respective yml file, then every developer has potential access to all environments by just switching the profile from e.g. development to production (please let's not start a discussion why not every developer needs access to production).
I'm aware that I can encrypt all passwords in the configuration, we do this, but that's not what I'm looking for. Encryption is just a feature to not have the passwords being stored plaintext in the files, but the user does not really need to know the plain password to get access if he has access to the configserver in the first place.
This is also about avoiding mistakes during development... its just to easy to switch the local environment to connect to production or any other environment.
So how are people dealing with this? Do you inject a different bootstrap.yml in development then in other environments? if so how do you administrate/propagate these?
Do you set the password for the configuration user on the comandline?
...?
We use variables and default values for config server URL, user and password
${config_username:user}:${config_password:password}#${config_server:conf.mydomain.com}
Default values can be valid credentials for development environment this way you simply run it while you develop. When you deploy to production simply set those environment variables and your application will connect to a different config server
I was thinking about this myself and came up with 3 options. In all cases, use {cipher} values in repos for sensitive data and disable various actuator endpoints that would allow decryption or property value lists.
Have two config servers, one for dev and one for prod, with no dev access to the prod server, controlled by credentials provided to the prod client at runtime.
Perform the decryption client side, using a secret provided to the prod client at runtime.
Explicitly define a prod profile and block access to URLs containing that profile from non-prod servers.
Related
I have a .pfx file that I use for communicating with a web service. I load it from classpath in development environment like this:
application.yml
my-config:
certificate: classpath:/certificate/dev/mycertificate.pfx
Service.java
SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_PROTOCOL);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore keystore = KeyStore.getInstance("JKS");
Resource certificateResource = myConfig.getCertificate();
keystore.load(certificateResource.getInputStream(), myConfig.getCertPassword().toCharArray());
certificateResource.getInputStream().close()
keyManagerFactory.init(keystore, myConfig.getCertPassword().toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
requestContext.put(SSL_SOCKET_FACTORY, sslContext.getSocketFactory());
This works fine in development environment. The problem is, I do not want to just push the certificate resource to git repo. Also I cannot put the file inside the server because we use pivotal application service for hosting the app. So is there any way I can securely store the certificate file in the config server or anywhere else?
Thanks.
You could put the cert into Spring Cloud Config Server. If you are using Spring Cloud Services for VMware Tanzu you can follow these instructions and store the value into CredHub through SCS.
Alternatively, you could store encrypted values in a Git backend and SCS will decrypt them for you. See instructions here. You could also store things in Vault, but Vault is not provided by the SCS for VMware Tanzu tile. You'd have to run your own Vault server. Instructions for using Vault. Both of these options, I feel, are a bit more work than using SCS's support for CredHub.
If you are trying to use only OSS Spring Cloud Config, you can do that too, but it's more work, more than I can cover here. That said, all three of these options are available there as well:
CredHub backend w/SCS.
Git + encrypted properties.
Vault backend w/SCS.
Vault and CredHub both have certificate types specifically for storing certificates. I do not believe SCS exposes these options, so you would be just storing the text representation of your certificate.
All of these options assume that you want to use Spring Cloud Config server. If you wanted an option not tied to Spring, you could use the CredHub Service Broker tile. This allows you to store items in CredHub and then present them as bound services. With it, you could create a bound service that represents your certificate, bind that to the apps that require it, and then fetch your certificate from VCAP_SERVICES like any other bound service.
The downside of this approach is that VCAP_SERVICES is an environment variable, so it's storing text only and there are limits to how much information can be stored.
I'm deploying my Spring boot application into Heroku server via git deployment. There are passwords and api secrets in my application.yml. Those properties are encrypted with Jasypt. One thing I don't understand is: how to pass jasypt decryption password into deployed application for startup?
Heroku has Config Vars, but they do not seem secure, considering that all of them could be revealed on the dashboard
Is there a secure way to send a password into deployment?
the Config Vars is the accepted mechanism to pass runtime information to the apps upon deployment;
It is pretty secure if the access to the Dashboard is controlled of course (those settings are never exposed or logged), only the owner can reveal the values.
I need create fake CAS server on localhost. I copy this repo and I run this. But now I have problem with access to Administration panel or something like that on user: casuser and password: Mellon.
Is there any UI to manage CAS? How can I configure CAS to use this as localhost authentication server?
Is there any UI to manage CAS?
There is a UI that would allow one to manage application registrations and policies with CAS, but as of this writing, there is no UI to manage the CAS configuration itself. The Spring Boot Admin project might be an option to research.
Today, CAS configuration more or less is a source-driven process where you configure modules via build.gradle file and relevant configuration via a cas.properties file. You'll need to edit these by hand to prep your deployment.
I'd like to have my Scala application server find out if it's running inside Heroku or CloudBees or Cloud Foundry or something else. Is there some standard way of finding out which Java hosting provider is currently in use? (if any)
Perhaps the hosting provider's firewall/load-balancer/whatever adds some standard HTTP header that the app server could check? Or perhaps it's possible to do hosting provider specific checks somehow, for the most popular hosting providers?
Background: The app server could then show helpful tips to the server admin that tells him/her how to view the server's log files. This would be useful during the initial setup of the server + database, because then the admin needs to find a certain magic password in the log file, which s/he then uses to get access to the admin interface web pages the very first time (before any admin user exists in the database, see this security question). — The installation would be more user-friendly, if the server could tell the admin exactly how to view the log files (which varies from hosting provider to hosting provider).
In the case of cloudbees there are several ways, none of which are guaranteed to be future proof (given changing containers).
Perhaps what is needed is a standard environment variable to make this doable.
Is it possible to use LDAP authentication with Liquibase?
If not, how have others solved the problem of automating changes to production database schemas using Liquibase (yet still keeping the database credentials secure)?
LDAP is used for server-side authentication. Not all databases support it, for example MySQL only supports it in it's Enterprise version.
Securing the credentials, used by clients like liquibase, falls into two categories:
Protecting data in transit
Protecting credentials at rest
To protect credentials in transit, I'd recommend using a JDBC driver which supports SSL. Some JDBC drivers support this feature, for example MySQL. Another approach is to tunnel the JDBC traffic over a SSH tunnel.
Protecting credentials at rest (in configuration files) is more difficult and depends on how you plan to invoke liquibase. If you're using ANT, I'd suggest using the answer to this question on how to read encrypted property files.