Securing the UltraESB configuration

Skip to content

Securing the UltraESB configuration

This article describes ways to secure passwords and other confidential information included in the UltraESB configuration in production environments. The use of Jasypt and a custom utility using the same encryption as JBoss AS to secure passwords is described

Securing the configuration

The UltraESB configuration may usually contain sensitive security information such as passwords used for authentication or database access. When deploying in a production environment, it is possible to secure these values from being visible in configuration using the optional Jasypt library [http://www.jasypt.org/], or the utility shipped by default with the UltraESB 1.5.1 onwards.

Using Jasypt

Jasypt uses password based encryption, and generates unique strings even when the same password is encrypted under two scenarios. Use of Jasypt requires a master key, which could be specified as an Environment variable if desired.

To store an encrypted password in the configuration, first use the encrypt.sh/bat scripts from the bin directory as follows, and save the encrypted output generated. As mentioned before, note that the same input will result in different outputs on each execution run. See [http://www.jasypt.org/cli.html] for more information.

$ ./encrypt.sh input="password" password=jasypt verbose=false algorithm=PBEWithMD5AndDES
Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0

To use the encrypted password, please refer to the standard Jasypt documentation at [http://www.jasypt.org/encrypting-configuration.html] on how Jasypt works with a Spring configuration. For example, we could now place the above encrypted output in the conf/encrypted.properties file as follows.

secure_password=ENC(Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0)

To specify this encrypted password to the SSL keystore (e.g. line # 3 and 4 below), we could configure the https transport as follows, and un-comment the Jasypt propertyconfigurer as shown below. In the following example, the master key is specified inline at line #26 in clear text. By un-commenting lines 18-22 and commenting 24-27, you can tell Jasypt to read the master key from an environment variable (e.g. APP_PASSWORD in this case)

<bean id="https-8443" class="org.adroitlogic.ultraesb.transport.http.HttpsNIOListener">
    ...
    <property name="identityKeyPassword" value="${secure_password}"/>
    <property name="identityStorePassword" value="${secure_password}"/>
    ...
</bean>
...
<!--
    Uncomment to use Jasypt to secure passwords used on this configuration (e.g. keystore, DB passwords etc)
    e.g. specify the HTTPS identity store password as <property name="identityKeyPassword" value="${secure_password}"/>
    where the default conf/encypted.properties file contains the below encrypted password
    secure_password=ENC(Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0)
-->
<bean id="propertyConfigurer" class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg>
        <bean class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
            <property name="config">
                <!-- Use this to specify the Jasypt password as an Environment variable (e.g. named APP_PASSWORD)-->
                <!--<bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
                    <property name="algorithm" value="PBEWithMD5AndDES"/>
                    <property name="passwordEnvName" value="APP_PASSWORD"/>
                </bean>-->
                <!--A simple hard coded master password (e.g. "jasypt") for Jasypt-->
                <bean class="org.jasypt.encryption.pbe.config.SimpleStringPBEConfig">
                    <property name="algorithm" value="PBEWithMD5AndDES"/>
                    <property name="password" value="jasypt"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
    <property name="locations">
        <list>
            <value>encrypted.properties</value>
        </list>
    </property>
</bean>

Using the custom encryption utility

The UltraESB v1.5.1 onwards includes a custom utility to encrypt and decrypt passwords for use with the UltraESB. Again the encrypt.sh/bat is used as shown below.

$ ./encrypt.sh -secure mysecretpassword
BIGINT16(242649d246c219535dfc52b51bd35553df8592078de921bc)

The default execution generates an encrypted password compatible with the method used by JBoss AS. NOTE: THIS DEFAULT IS NOT A SECURE PASSWORD, AS IT USES A HARD CODED PASSPHRASE. However, for most production uses, this level of protection maybe adequate. Next the value output by the script should be fed into the conf/encrypted.properties as follows.

jasypt_secured_password=ENC(Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0)
simple_secured_password=BIGINT16(5dfc52b51bd35553df8592078de921bc)
salted_secured_password=SALTEDBIGINT16(5dfc52b51bd3555348aab25bcaae358ba6697cc62e0f6fed44eca159f7572afdda48343bf69725f9)

The example above shows three possible variations to secure passwords. The line #1 shows the use of Jasypt, while line #2 shows the default encryption (as per JBoss AS methodology) and line #3 shows the custom encryption with an additional salt.

The configuration snippet shown below should then be uncommented from the ultra-root.xml and customized as desired. Then the configuration could specify "${simple_secured_password}" etc as per the earlier example, and decrypt the actual value at runtime. Be sure to ensure that if the algorithm, password and salted flag are modified, that they correspond to those used in the encryption of the value as well. The "passwordEnvVar" attribute can specify the name of an Environment variable, that could alternatively hold the password or the master key instead of the clear-text "password" attribute

<!--To encrypt the passwords using a rather simple mechanism (the same used in JBoss AS) use the following bean. To
improve the password with a salt, you could set the salted attribute to true, forcing a unique string on each run-->
<bean class="org.adroitlogic.ultraesb.util.encrypt.SecurePropertyManager" init-method="init">
    <!--<property name="salted" value="true"/-->
    <!--<property name="algorithm" value="Blowfish"/-->
    <!--<property name="password" value="masterkey"/-->
    <!--<property name="passwordEnvVar" value="APP_PASSWORD"/-->
    <property name="location">
        <value>encrypted.properties</value>
    </property>
</bean>

$ ./encrypt.sh -secure 
Invalid arguments. Execute as follows:
java SecurePropertyManager [-decrypt] <secret> [-p<password>] [-a<algorithm>] [-salted]

By executing the encrypt.sh/bat as above, one could look into the possible options for the custom encryptor. The -p<password> option and -a<algorithm> option could be specified on the command line. The default algorithm is "Blowfish". Optionally, one could use the script to decrypt an encrypted password as well.

Here are some examples showing the various aspects

$ ./encrypt.sh -secure mysecretpassword -pmasterkey -aBlowfish
BIGINT16(2fbb8ceb5c7f5cda2b7123550ff30b8b92ba1926f9151960)

$ ./encrypt.sh -secure -decrypt "BIGINT16(2fbb8ceb5c7f5cda2b7123550ff30b8b92ba1926f9151960)" -pmasterkey -aBlowfish
mysecretpassword

$ ./encrypt.sh -secure mysecretpassword -salted
SALTEDBIGINT16(242649d246c219535dfc52b51bd3555348aab25bcaae358bd08a8d27eedb49a7b88ea5c909f53a9b3d8806a6de5726fd)

$ ./encrypt.sh -secure -decrypt "SALTEDBIGINT16(242649d246c219535dfc52b51bd3555348aab25bcaae358bd08a8d27eedb49a7b88ea5c909f53a9b3d8806a6de5726fd)" -salted
mysecretpassword