October 2, 2020
Estimated Post Reading Time ~

How to Use Encrypted Password for OOTB Configurations

1. Encrypted Password for OOTB Configurations: We always talk about making
passwords in an encrypted value as part of the codebase to secure the password.To tackle this issue, we always talk about CryptoSupport in AEM. So basically if there are a custom configuration and a need to use an encrypted password, I can use the concept of cryptosupport in AEM.

But there are few OSGi Configurations in AEM like “JDBC ODBC Connection Pool” or “Adobe Granite SAML 2.0 Authentication Handler” having password fields, So can we use cryptosupport concept here too??

So the answer is yes, you can keep encrypted value in the “password fields” directly in these configurations and for the decryption part, you don’t need to worry. AEM will take care of it. To encrypt a password, go through the cryptosupport console in AEM.

Conclusion: We need to understand this very clearly that if we define a field as "Password type" either in OOTB or custom configurations, we don’t need to worry about the decryption part, just configure the encrypted value in the field, and AEM will understand that because it is a password field, it may need to decrypt it.
But if your field is a plain text, then you have to take care of the decryption part as mentioned in the previous post.

Fig1: For a password field, no need to write the logic for decryption.

2. AEM SAML Configuration in the Code Repository Issue: Recently while working on a project, I configured AEM SAML integration on the author instance and it just works fine. Now, this was the time to put the config in the code repository. So,
a) I put that config in the code repository (at /apps/<project-folder>/config.author.dev/com.adobe.granite.auth.saml.SamlAuthenticationHandler-myproject.xml
b) Deleted the manually created SAML configuration in Felix Console and performed a build and I was able to see the SAML config added by code.
c) I hit the Author URL and it doesn't take me to the IDP login page.
d) I go to Felix, open SAML config, click Save (without touching anything else) and I hit the Author URL again and now it takes me to the IDP login page.

Exactly the same issue I found on Adobe Community and the solution work for me.

Solution:
a) Name the file as: "com.adobe.granite.auth.saml.SamlAuthenticationHandler-<Project_Identifier>.config" (Make sure it is a regular file in Eclipse or IntelliJ); no need to add extension ".xml" at the end.
b) Inside this file, just add the configuration like a regular text. Please see below:

# Configuration created by Apache Sling JCR Installer
// Storing keyStorePassword as an encrypted manner.
keyStorePassword="{41bdcd34d9a34ae1c68bafa6b7b647443c429ad97e00a9f2cb5f876b2433}"
service.ranking=I"5002"
idpHttpRedirect=B"false"
createUser=B"true"
defaultRedirectUrl="/content/project/en/aem-assets.html"
userIDAttribute="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
assertionConsumerServiceURL=""
defaultGroups=["contributors"]
signatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
idpCertAlias="certalias___xxxxxxxxxxxx"
addGroupMemberships=B"true"
path=["/content/projects"]
digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
synchronizeAttributes=""
clockTolerance=I"60"
groupMembershipAttribute="groupMembership"
idpUrl="IDP URL GOES HERE"
logoutUrl="logouturl"
serviceProviderEntityId="service_provider_entity_id"
handleLogout=B"true"
spPrivateKeyAlias=""
useEncryption=B"false"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


You can also copy the content of the file from CRXDE, after you manually save the OSGi config thru /system/console/configMgr.

Note: This solution really worked for me, but logically it didn’t make any sense to me as while working on another project on AEM 6.5.4, the XML file used to work for me. I face this issue only in AEM 6.5.5 till now, So can’t really comment if this is an upgrade issue or something else.

So, If you face this issue in any of the AEM versions, you can directly try this solution.

Source: http://www.sgaemsolutions.com/2020/09/how-to-use-encrypted-password-for-ootb.html


By aem4beginner

No comments:

Post a Comment

If you have any doubts or questions, please let us know.