Recently, we came across a business requirement where we had to save API keys (secured date) in OSGI service. One of the recommendations based on Adobe Health Check is to encrypt data (API keys) to store them in JCR more securely. The same can be achieved using Crypto Support in AEM.
The Crypto Support Bundle provides a service that encrypts/decrypts binary or String data in AEM. On exploring further, it seems to be nailing the issue of encryption and decryption in just a few minutes. Crypto support is necessary to store the password in a salted or hashed form in the JCR so as to make the password storage secure and to avoid any breach.
The following steps will elaborate on the mechanism to generate an encrypted key.
Step 1: Protecting the Plain Text
Crypto Support bundle provides a service that allows users to generate the “Protected Text” from the “Plain Text” input.
Open the URL http://<host>:<port>/<system/console/crypto>
In the “Plain Text” field, add the string which needs to be encrypted and press the protect button. The “Protected Text” field will show the encrypted string to be used. plain text string The encryption algorithm used in this procedure is symmetric key encryption namely AES algorithm, CBC mode with PKCS5 padding used from the RSA JSafe library.
For instance, while setting up the SMTP configurations, it is not ideal to keep the password as a plain text in the OSGI config. The best way to do is to encrypt the password using Crypto Support and then use the Protected Text in the SMTP Configurations.
The next step is to decrypt the protected text in the backend code so as to fetch the original password, which is easy.
The Crypto Support Bundle provides a service that encrypts/decrypts binary or String data in AEM. On exploring further, it seems to be nailing the issue of encryption and decryption in just a few minutes. Crypto support is necessary to store the password in a salted or hashed form in the JCR so as to make the password storage secure and to avoid any breach.
The following steps will elaborate on the mechanism to generate an encrypted key.
Step 1: Protecting the Plain Text
Crypto Support bundle provides a service that allows users to generate the “Protected Text” from the “Plain Text” input.
Open the URL http://<host>:<port>/<system/console/crypto>
In the “Plain Text” field, add the string which needs to be encrypted and press the protect button. The “Protected Text” field will show the encrypted string to be used. plain text string The encryption algorithm used in this procedure is symmetric key encryption namely AES algorithm, CBC mode with PKCS5 padding used from the RSA JSafe library.
For instance, while setting up the SMTP configurations, it is not ideal to keep the password as a plain text in the OSGI config. The best way to do is to encrypt the password using Crypto Support and then use the Protected Text in the SMTP Configurations.
The next step is to decrypt the protected text in the backend code so as to fetch the original password, which is easy.
Step 2: Decrypt the Protected Text.
Since the OSGI configuration has the “Protected Text” configured, it is required to decrypt the value before actually using it.
Following code, the sample is used to decrypt the password:
Since the OSGI configuration has the “Protected Text” configured, it is required to decrypt the value before actually using it.
Following code, the sample is used to decrypt the password:
@Reference
private CryptoSupport cryptoSupport;
private void setEmailConfiguration(Object smtpHost,Object smtpPort,Object smtpUser,Object smtpPwd,Object from Address){
String password=PropertiesUtil.toString(smtpPwd,StringUtil.EMPTY);
if(this.cryptoSupport.isProtected(password)){
this.smtpPassword=this.cryptoSuport.unProtect(password);
} else {
this.smtpPassword=password;
}
}
The method unprotect(String cipherText) unprotects (decrypts) the string to return the plain text. We can also check if the String is already protected by using the isProtected(String text)method. This method returns true if the String provided is protected.
Note that we are not done yet. The protected string generated by Crypto Support will be different for different instances. One last step is required to make sure the same protected text can be used throughout. It is an optional step if different protected strings need to be used in different instances.
Step 3 (Optional): To Make the Protected Text Same for all the AEM Instances.
If we intend to use the same protected text for all the environments (it is recommended to use different passwords for the production environment to ensure data integrity), then we need to follow the below steps.
Download the hmac and master files from the /etc/key current instance. The encryption uses a key that is created with AEM installation in the OS filesystem under crx-quickstart. These are binary files that are randomly generated at the start of Adobe Granite Crypto Support bundle.
Note that we are not done yet. The protected string generated by Crypto Support will be different for different instances. One last step is required to make sure the same protected text can be used throughout. It is an optional step if different protected strings need to be used in different instances.
Step 3 (Optional): To Make the Protected Text Same for all the AEM Instances.
If we intend to use the same protected text for all the environments (it is recommended to use different passwords for the production environment to ensure data integrity), then we need to follow the below steps.
Download the hmac and master files from the /etc/key current instance. The encryption uses a key that is created with AEM installation in the OS filesystem under crx-quickstart. These are binary files that are randomly generated at the start of Adobe Granite Crypto Support bundle.
Create the /etc/key node for the destination instance and copy the above two files.
Deploy the code and make sure to restart “com.adobe.granite.crypto” for the very first time you upload these keys and make cryptography effective.
Note: If we manually stop the Crypto Support bundle, then AEM login fails and the user will be unable to login with any user. Hence, it is always recommended to use the CURL command at the root directory of the server with the admin user only to restart the crypto support bundle.
CURL command to stop the bundle:
curl -u admin:admin
http://<host>:<port>/system/console/bundles/com.adobe.granite.crypto -F action=stop
CURL command to start the bundle:
curl -u admin:admin
http://<host>:<port>/system/console/bundles/com.adobe.granite.crypto -F action=start
Reference: https://www.argildx.com/technology/crypto-support-aem/
Deploy the code and make sure to restart “com.adobe.granite.crypto” for the very first time you upload these keys and make cryptography effective.
Note: If we manually stop the Crypto Support bundle, then AEM login fails and the user will be unable to login with any user. Hence, it is always recommended to use the CURL command at the root directory of the server with the admin user only to restart the crypto support bundle.
CURL command to stop the bundle:
curl -u admin:admin
http://<host>:<port>/system/console/bundles/com.adobe.granite.crypto -F action=stop
CURL command to start the bundle:
curl -u admin:admin
http://<host>:<port>/system/console/bundles/com.adobe.granite.crypto -F action=start
Reference: https://www.argildx.com/technology/crypto-support-aem/
No comments:
Post a Comment
If you have any doubts or questions, please let us know.