Hook for Decrypting Passwords with Spring Cloud Connectors - ibm-cloud

We have an application that is deployed into CloudFoundry/Bluemix. The application reads its database connections from the VCAP_SERVICES environment variable. The db password stored in the environment variable is encrypted and we decrypt it when the application boots up.
We are looking at Spring Cloud Service Connectors. Do the cloud connectors provide any hook, so that we can decrypt the password from VCAP_SERVICES before the DataSource instance is created?

Why do you want to do this? Where does the app get its decryption key from? If it's hard-coded in the app, that's an antipattern that will make it hard to rotate the key. If it's through an environment variable, then it's no more secure than storing the database credentials unencrypted as services in Cloud Foundry - services in CF are nothing more than domain-specific groups of environment variables. I can't see that encrypting them adds any security.
To answer the question: Not out-of-the-box, but you could probably intercept the flow of Spring components that act on the environment variables that Cloud Foundry provides to your app.
The abstract class that creates ServiceInfo instances is CloudFoundryServiceInfoCreator. You could look at maybe providing a custom implementation of this? There is a blog post describing how Spring Cloud Connectors works. You might be able to extend CloudFoundryConnector too.

Related

Encrypted Keystore instead of Location Path

I have a enterprise level Kafka hosted in AWS Cluster. I'm trying to consume a topic from AWS Cluster. I need to use SSL protocol for connecting to servers.
From documentation i found that, i need to enable few properties,
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
I have a problem here, i cannot store the keystore.jks and truststore.jks in the source. Our security does not allow storing sensitive data in the source.
Instead I have a encrypted keystore file, which I pull it from Vault.
Is there a possibility that i can use this encrypted keystore? I don't see such feasibility in the documentation.
A local file path is needed for SSL certificates. You'll need a wrapper script before your code starts (or before the main method consumer logic) that will download the necessary information from Vault and fills in the properties files/configs
Or use a library that handles this, such as Spring Vault

Does Jboss Vault have a java API?

I have a spring application running on Jboss. I have passwords that I dont want to store in the DB. Those passwords are used inside the application code e.g. Email account password to send emails via Java mail API.
I would like to store the passwords in the JBoss Vault.
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html/how_to_configure_server_security/securely_storing_credentials#password_vault
My question is does this tool have a java API? Can I store and retrive the password inside my application code?
I know that I can call the vault.bat from my java code, but I was checking for a better idea.
The Vault mechanism
Hello, so you can use the Vault to encrypt the data that are appear on the configuration files of JBoss. You can use for example to encrypt the DB password that you use on the standalone.xml configuration. It is not an API perse.
Application Encryption
That vault mechanism is not appropriate to encrypt application side data, you will need to do this you can follow the answer provided by Johannes Brodwall seems very complete and the complementary answer by user1007231 will help you with the Master password.
Credential Store
As the Guide Suggests on 3.1 Credential Store, it is recommended to use a Credential Store.

Using AWS KMS and/or credstash with non AWS server

Is it possible to use AWS KMS and a tool like credstash without the use of EC2 or equivalent or does it rely solely on IAM roles?
I've got a server elsewhere where I am testing some things out and ultimately I will be looking at migrating an app to EC2 etc. to make use of scaling. But for now whilst I'm setting up my deployment pipeline etc. I wondered if it was still possible to make use of KMS on my non-aws provisioned server?
The only possible way I can think of is by installing the AWS CLI tools on the server in question. Does this sounds like the right approach?
What #Viccari said is correct (in the comments). In terms of what you want to do (store passwords), the AWS Parameter Store would be a good fit for you. See https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html for more information. The guide explicitly calls out your use-case:
Parameter Store offers the following benefits and features.
Use a secure, scalable, hosted secrets management service (No servers to manage).
In the end, if you end up using Parameter Store or KMS, you will need some sort of credentials stored somewhere to grab an AWS STS token to use to call the underlying AWS services. If working outside of AWS EC2, you will need the AWS Access Key and AWS Secret Key from an IAM user. If you are in EC2, the IAM instance role will magically provide you the credentials and use that role to call those AWS services. The AWS SDK does this for you behind the scenes.
But, as you state, you don't want to run this in EC2 (to save money, or other reasons). The quickest way to store these credentials is to have them in a un-tracked file (added to your .gitignore) you can source from as environment variables, which your program will then read. This allows you to do local testing, and easily run it in EC2
with zero code changes. See https://docs.aws.amazon.com/cli/latest/userguide/cli-environment.html for what variables to set. Note that this doc talks about the CLI; the SDK's follow the same behavior.

Production Environment for Spring Cloud Config using Git/Vault

Spring Boot - 2.0.0.M3
Spring cloud - Finchley.M1
I want to know if someone is using Spring Cloud config server with both vault and git support in a production setup using Database storage backend.
I have evaluated Spring cloud config using vault and contemplating whether to go for Oracle JCE to encrypt username/pwd or Vault and seek suggestions on the same. we are working on Springboot/microservices.
Following are my findings -
Vault will introduce an additional layer and thus will introduce additional usecases of security, auditing while communicating with Vault.
Spring cloud Config actuator endpoints are broken for the milestone release at this point for generation of encrypted values and /encrypt /decrypt may not work if we go for Oracle JCE support so we generate encrypted values through stable versions.
We do not wish to use consul server and are trying to use Cassandra as Storage backend.
I used Vault Authentication backend using AppRole and generated a Token (different from root token as it's unsafe to use the same) with read permissions. However, Spring Cloud config at the moment support only Token based authentication from client side. That means we first generate token from Vault and then pass it as commandline/env variable.
Some additional points of concern are expiry of token (though we can have non-expiry token not sure about pros/cons), restarts, safety issues, instantiating new microservices. There is no provision of dynamic tokens/authentication at cloud config side.
For milestone release i found that the client side encryption/decryption is not working as of now using recommended inclusion of RSA jar. Here is the ticket i opened.
https://github.com/spring-cloud/spring-cloud-config/issues/805#issuecomment-332491536
These are some of my observations, please share your thoughts if there is any case study/whitepaper that address spring cloud config vault usecases, setup and challenges for production micro-services environment.
Thanks
Thanks for reaching out to me. One think I would state is that the App Role backend utilizes two distinct tokens, and indeed spring-cloud-config-vault does indeed support this functionality, see: http://cloud.spring.io/spring-cloud-vault/single/spring-cloud-vault.html#_approle_authentication. I leverage vault in the same way I leverage config server, as per the documentation. I don't encrypt any values in my config, I just don't put them there. I put the secret values in vault and let it serve config. As long as keys don't collide, you don't have to mess with anything, otherwise you may need adjust the priority so vault wins, again see the documentation that I pointed to above. I wouldn't mess with encryption/decryption in spring-cloud-config personally. Because you have to check the keys into SCM or distribute them to your teams for local development, you lose the value of having these keys IMO.
Thanks Spring Cloud vault does support but not Spring cloud config with Vault. Only way seems to be passing X-Config-token from Microservice to Config Server. We are bit skeptical with this part of generating tokens manually or through script. Especially with containerization and when new MS instances will be spawn. Not sure about this approach especially in production setup.

How to get VCAP_SERVICES environment variables WITHOUT binding to an application?

Frequently, I'm create standalone services in Bluemix. For example, Analytics for Apache Hadoop, Cloudant and DashDB.
I don't need an application to work with these services, but it seems I have to bind to an application just to get access to the VCAP_SERVICES environment variables with urls, usernames, passwords, etc.
Question: How to get VCAP_SERVICES environment variables WITHOUT binding to an application?
For many services, you will have to bind them to an app in order to get the VCAP_SERVICES credentials.
There is a service key capability which some services are starting to adopt which allows you to create and access credentials without binding to an app. Using the cf command line tool, the commands below are available to use if a service supports them:
SERVICES:
create-service-key, csk Create key for a service instance
service-keys, sk List keys for a service instance
service-key Show service key info
delete-service-key, dsk Delete a service key
The CloudFoundry docs at https://docs.cloudfoundry.org/devguide/services/service-keys.html provide more detail.
In the Bluemix UI, you would see a 'Service Credentials' option in the panel when viewing a service dashboard when a service supports this capability. Selecting this option allows you to see credentials that have been created as well as an "Add Credentials" button to create new ones.