Encrypting passwords in CXF crypto property files - 7.0

Talend ESB Container Administration Guide

Since version 3.x, CXF uses Apache WSS4J 2.x, which, according to http://ws.apache.org/wss4j/migration/newfeatures20.html, supports encrypting passwords in Crypto properties files using Jasypt.

A more detailed description can be found in http://stackoverflow.com/questions/31023223/encrypting-passwords-in-crypto-property-files:

  1. Download the jasypt-1.9.2-dist.zip (or newer) from http://www.jasypt.org/download.html

  2. Get an encoded password with this command:

    encrypt input=real_keystore_password password=master_password algorithm=PBEWithMD5AndTripleDES

  3. Copy the OUTPUT (for example: 0laAaRahTQJzlsDu771tYi).

  4. As you are using this algorithm, you need the Java Cryptography Extension (JCE) Unlimited Strength in your JDK.

  5. Put the encoded OUTPUT, wrapped in ENC(...), in the properties file:

    org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
    org.apache.wss4j.crypto.merlin.keystore.type=jks
    org.apache.wss4j.crypto.merlin.keystore.password=ENC(0laAaRahTQJzlsDu771tYi)
    org.apache.wss4j.crypto.merlin.keystore.alias=my_alias
    org.apache.wss4j.crypto.merlin.keystore.file=/etc/cert/my_keystore.jks

  6. In the CallbackHandler, put the master_password that you used to generate the encoded one:

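    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.wss4j.common.ext.WSPasswordCallback;

    public class WsPasswordHandler implements CallbackHandler {
      @Override
      public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            // Reject callback types this handler does not know how to answer
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            WSPasswordCallback pwdCallback = (WSPasswordCallback) callback;
            final int usage = pwdCallback.getUsage();
            // Password for the key used to sign or decrypt messages
            if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {
                pwdCallback.setPassword("parKeyPassword");
            }
            // Master password used to decrypt the ENC(...) values in the properties file
            if (usage == WSPasswordCallback.PASSWORD_ENCRYPTOR_PASSWORD) {
                pwdCallback.setPassword("master_password");
            }
        }
      }
    }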
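
Once the procedure above is in place, a deployment check can confirm that no Crypto properties file still carries a clear-text password. The following is an added example, not part of the original page or of Talend, CXF or WSS4J code. It assumes that every Merlin property whose key ends in `password` holds a secret, and the function names and sample data are constructed for illustration.

```python
import re

# Assumption: every Merlin property whose key ends in "password" holds a secret.
PASSWORD_KEY = re.compile(r"^org\.apache\.wss4j\.crypto\.merlin\..*password$")
ENC_VALUE = re.compile(r"^ENC\([^()\s]+\)$")  # complete Jasypt wrapper only

# Constructed sample. The private.password and truststore.password keys are
# WSS4J Merlin properties that the page itself does not list.
SAMPLE = """\
org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
org.apache.wss4j.crypto.merlin.keystore.password=ENC(0laAaRahTQJzlsDu771tYi)
org.apache.wss4j.crypto.merlin.keystore.private.password = changeit
org.apache.wss4j.crypto.merlin.truststore.password=ENC(0laAaRahTQ\\
    JzlsDu771tYi)
org.apache.wss4j.crypto.merlin.keystore.alias=my_alias
"""


def logical_lines(text):
    """Yield (first_line_number, text), joining backslash continuations."""
    pending, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if not pending:
            start = number
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count: the last backslash continues the line
            pending += line[:-1]
            continue
        yield start, pending + line
        pending = ""
    if pending:
        yield start, pending


def audit_crypto_properties(text):
    """Return (line, key, status) for each password property in the file."""
    findings = []
    for number, line in logical_lines(text):
        # Comment lines never match PASSWORD_KEY, which is anchored at "org."
        match = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if not match or not PASSWORD_KEY.match(match.group(1)):
            continue
        value = match.group(2).strip()
        if not value:
            status = "empty"
        elif ENC_VALUE.match(value):
            status = "encrypted"
        else:  # includes a truncated "ENC(..." with no closing parenthesis
            status = "plaintext"
        findings.append((number, match.group(1), status))
    return findings
```

Any entry reported as `plaintext` or `empty` should be encrypted with the master password before the file is deployed. A value whose `ENC(` wrapper is broken across lines without a continuation backslash is reported as `plaintext`.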