Store Secrets in Payara


Ulrich Mayring

Jul 10, 2017, 10:11:07 AM
to Payara Forum
Hi all,

let's say I have a set of microservices (WARs) that I deploy to one or more Payara instances and they need to talk to each other using some type of secret for authentication. These are not human user credentials, but more like API tokens (meaning that admins are allowed to know those secrets).

I don't want to store the secret in the WAR, because that is built off Github sources on a public CI server. I also don't want to store the secret in the filesystem of the machine running Payara. My idea is to manually type the secret into the Payara admin console (which I have to secure anyway) and then have Payara store it securely. There appears to be no obvious feature in Payara to manage secrets, for instance the passwords in JDBC connection pools (or even custom JNDI resources) are stored in clear text in the domain.xml file.

One option would be to not store the secrets on disk at all, but just keep them in memory. On restarting Payara I would have to type them in again, but that seems doable. The main question is how can I store the secret in Payara in a way such that my microservices can access it but no one else (outside the Payara admin of course)?

Ulrich

Mike Croft

Jul 10, 2017, 12:49:16 PM
to Ulrich Mayring, Payara Forum
Hi Ulrich,

I think what you're looking for is the password alias feature of Payara. Let's take your JDBC password example.

Assuming I have a DB password of "secretDBpassword" for a production database used for myApp I could do the following:

  1. Create a password alias:
    asadmin> create-password-alias myApp-production-db
    Please enter the alias password>   // enter secretDBpassword
    Please enter the alias password again>  // enter secretDBpassword
    Command create-password-alias executed successfully.

  2. Set the value of the password property to:
    ${ALIAS=myApp-production-db}

This doesn't have to be used for passwords. Any string can be stored as an alias.
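As an added illustration (not code from the thread), here is what the microservice side can look like once the admin has stored the token as an alias: a JAX-RS request filter that reads the secret from a custom JNDI resource whose property value is `${ALIAS=...}`, so the token never appears in the WAR or in clear text in domain.xml. The alias name `myApp-api-token`, the JNDI name `config/myApp/apiToken` and the `create-custom-resource` setup are assumptions for the example.

```java
// Added example, not from the original post. Assumed one-time setup by the Payara admin
// (alias and JNDI names are hypothetical):
//   asadmin create-password-alias myApp-api-token
//   asadmin create-custom-resource --restype java.lang.String \
//       --factoryclass org.glassfish.resources.custom.factory.PrimitivesAndStringFactory \
//       --property value='${ALIAS=myApp-api-token}' config/myApp/apiToken
// domain.xml then only holds the ${ALIAS=...} reference; Payara resolves it at lookup time.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
public class ApiTokenFilter implements ContainerRequestFilter {

    private static final String TOKEN_JNDI_NAME = "config/myApp/apiToken"; // assumed name

    @Override
    public void filter(ContainerRequestContext ctx) {
        String expected;
        try {
            // The resolved alias value is handed to the application; only Payara reads the store.
            expected = (String) new InitialContext().lookup(TOKEN_JNDI_NAME);
        } catch (NamingException e) {
            // Misconfiguration: fail closed rather than letting unauthenticated calls through.
            ctx.abortWith(Response.status(Response.Status.SERVICE_UNAVAILABLE).build());
            return;
        }
        if (!matches(ctx.getHeaderString(HttpHeaders.AUTHORIZATION), expected)) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    // Constant-time comparison so response timing does not reveal how much of the token matched.
    static boolean matches(String authorizationHeader, String expected) {
        if (authorizationHeader == null || expected == null
                || !authorizationHeader.startsWith("Bearer ")) {
            return false;
        }
        byte[] presented = authorizationHeader.substring("Bearer ".length())
                .getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(presented, expected.getBytes(StandardCharsets.UTF_8));
    }
}
```

The calling microservice sends the same aliased value as `Authorization: Bearer <token>`, and rotating the token only requires updating the alias and restarting, not rebuilding any WAR.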


Ulrich Mayring

Jul 10, 2017, 1:38:04 PM
to Payara Forum, real...@gmail.com
Hi Mike,

looks pretty nifty, many thanks for that tip. How is that secret then stored? Encrypted with a Salt on disk? Alongside the admin and master passwords for asadmin?

Kind regards,

Ulrich

Steve Millidge

Jul 10, 2017, 1:49:39 PM
to Payara Forum
Hi Ulrich

As Mike says, Payara does have password aliases. My question would be: what are you trying to achieve with this token, as that will determine the best approach?

If you want to ensure only a closed set of microservices talk to each other, this could be achieved purely using 2-way SSL auth between servers using certificates you create in your own CA. A bit of a faff to set up, but it is only configuration and, when complete, is transparent to an application developer while also giving you confidentiality.

When talking security, it is good to know exactly what you are trying to achieve out of identification, authentication, authorisation, confidentiality, etc.

Steve

Ulrich Mayring

Jul 10, 2017, 2:16:51 PM
to Payara Forum
Hi Steve,

It's like an API token; I need it for authentication. Transport security is already taken care of, so all I need is a way to store the secret within Payara so my microservices can access it. I'm using the Letsencrypt CA; they don't support client certificates. The password aliases are absolutely fine if they are stored in a reasonably secure way.

cheers,

Ulrich