About this task
Since version 3.X, CXF uses Apache WSS4J 2.X, which, according to http://ws.apache.org/wss4j/migration/newfeatures20.html, supports encrypting
passwords in Crypto properties files using Jasypt.
A more detailed description can be found at
http://stackoverflow.com/questions/31023223/encrypting-passwords-in-crypto-property-files.
Procedure
- Download the jasypt-1.9.2-dist.zip (or newer) from http://www.jasypt.org/download.html.
- Get an encoded password with this command:
    encrypt input=real_keystore_password password=master_password algorithm=PBEWithMD5AndTripleDES
- Copy the OUTPUT (for example: 0laAaRahTQJzlsDu771tYi).
- As you are using this algorithm, you need the Java Cryptography Extension
  (JCE) Unlimited Strength in your JDK.
- Put the encoded OUTPUT in the properties:
    org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
    org.apache.wss4j.crypto.merlin.keystore.type=jks
    org.apache.wss4j.crypto.merlin.keystore.password=ENC(0laAaRahTQJzlsDu771tYi)
    org.apache.wss4j.crypto.merlin.keystore.alias=my_alias
    org.apache.wss4j.crypto.merlin.keystore.file=/etc/cert/my_keystore.jks
- In the CallbackHandler, put the master_password that you used to generate the
  encoded one:
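    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.wss4j.common.ext.WSPasswordCallback;

    public class WsPasswordHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException,
                UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                // Reject callback types this handler does not know how to answer
                if (!(callback instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                WSPasswordCallback pwdCallback = (WSPasswordCallback) callback;
                final int usage = pwdCallback.getUsage();
                // Password of the private key used for signing and decryption
                if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {
                    pwdCallback.setPassword("parKeyPassword");
                }
                // Master password that was passed to the encrypt command;
                // WSS4J uses it to decrypt the ENC(...) value in the properties
                if (usage == WSPasswordCallback.PASSWORD_ENCRYPTOR_PASSWORD) {
                    pwdCallback.setPassword("master_password");
                }
            }
        }
    }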
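
To check an ENC(...) value before deploying it, the following added example (not from the original page, CXF or WSS4J) encrypts a keystore password with Jasypt, puts it in the keystore password property, then decrypts it with the master password and tries to open the keystore. The class name EncPropertyCheck, the empty in-memory JKS and the passwords are constructed for illustration; the Jasypt jar must be on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringReader;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class EncPropertyCheck { // hypothetical class name
    static final String KEY = "org.apache.wss4j.crypto.merlin.keystore.password";

    static StandardPBEStringEncryptor encryptor(String masterPassword) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm("PBEWithMD5AndTripleDES"); // same algorithm as the encrypt command
        enc.setPassword(masterPassword);
        return enc;
    }

    // Decrypts an ENC(...) value with the master password; plain values pass through.
    static String resolve(String value, String masterPassword) {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) return value;
        return encryptor(masterPassword).decrypt(value.substring(4, value.length() - 1));
    }

    // True only if the resolved property value opens the keystore.
    static boolean opens(byte[] jks, Properties props, String masterPassword) {
        try {
            char[] pw = resolve(props.getProperty(KEY), masterPassword).toCharArray();
            KeyStore.getInstance("jks").load(new ByteArrayInputStream(jks), pw);
            return true;
        } catch (EncryptionOperationNotPossibleException | IOException | GeneralSecurityException e) {
            return false; // wrong master password or wrong keystore password
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: an empty in-memory JKS and the placeholder passwords.
        String real = "real_keystore_password", master = "master_password";
        KeyStore ks = KeyStore.getInstance("jks");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, real.toCharArray());
        Properties props = new Properties();
        props.load(new StringReader(KEY + "=ENC(" + encryptor(master).encrypt(real) + ")"));
        System.out.println("correct master password: " + opens(out.toByteArray(), props, master));
        System.out.println("wrong master password: " + opens(out.toByteArray(), props, "not_the_master"));
    }
}
```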