Skip to main content Skip to complementary content

Encrypting passwords in CXF crypto property files

About this task

Since CXF version 3.X, CXF uses Apache WSS4J 2.X which according to http://ws.apache.org/wss4j/migration/newfeatures20.html supports encrypting passwords in Crypto properties files using Jasypt.

In http://stackoverflow.com/questions/31023223/encrypting-passwords-in-crypto-property-files, a more detailed description can be found:

Procedure

  1. Download the jasypt-1.9.2-dist.zip (or newer) from http://www.jasypt.org/download.html.
  2. Get an Encoded password with this command encrypt input=real_keystore_password password=master_password algorithm=PBEWithMD5AndTripeDES
  3. Copy the OUTPUT (For example: 0laAaRahTQJzlsDu771tYi)
  4. As you are using this algorithm, you need the Java Cryptography Extension (JCE) Unlimited Strength in your JDK.
  5. Put the encoded OUTPUT in the properties. 
    org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
org.apache.wss4j.crypto.merlin.keystore.type=jks
org.apache.wss4j.crypto.merlin.keystore.password=ENC(0laAaRahTQJzlsDu771
tYi)
org.apache.wss4j.crypto.merlin.keystore.alias=my_alias
org.apache.wss4j.crypto.merlin.keystore.file=/etc/cert/my_keystore.jks
  6. In the CallbackHandler, put the master_password that you used to generated the encoded one: 
    public class WsPasswordHandler implements CallbackHandler {
  @Override
  public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {
    for (Callback callback: callbacks){
        WSPasswordCallback pwdCallback= (WSPasswordCallback) callback;
        final int usage=pwdCallback.getUsage();
        if (usage==WSPasswordCallback.SIGNATURE||usage==WSPasswordCallback.DECRYPT){
            pwdCallback.setPassword("parKeyPassword");
        }
        if (usage==WSPasswordCallback.PASSWORD_ENCRYPTOR_PASSWORD){
            pwdCallback.setPassword("master_password");
        }
    }
  }
}

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here