Posted to user@aries.apache.org by Kent Olsen <kc...@earthlink.net> on 2011/03/29 01:37:09 UTC

Encrypting passwords with Aries JPA

I am using Aries JPA in conjunction with OpenJPA in Apache Karaf and have a need to use encrypted database passwords.  I am using a blueprint.xml file to configure the Aries data source for a database.  The code will be deployed to several different environments where the database information will differ.  Because of this I was planning to deploy a different blueprint.xml data source for each different environment.

OpenJPA provides a mechanism to work with encrypted passwords by specifying an EncryptionProvider in the persistence.xml file.  I have tried adding the encryption provider to persistence.xml.  OpenJPA does call it to do the decryption, but since the user name and password are in the data source blueprint.xml file, Aries binds it after OpenJPA does the decryption call for the password.  I suspect it would work if I put the username and password in persistence.xml.  The problem with that is that I wanted to just deploy a different blueprint.xml rather than a different persistence.xml.

I have also tried setting this configuration in code by tweaking the OpenJPAConfiguration object, but the EntityManagerFactory handed out by Aries is a wrapper.

I was wondering if anyone has any suggestions on how to get this working with just configuration?  Are there any code-based approaches to do this?

Thanks in advance,
Kent Olsen


Re: Encrypting passwords with Aries JPA

Posted by Kent Olsen <kc...@earthlink.net>.
Thanks Tim for your response.  I am using version 0.3 of the container 
that is bundled as a Karaf feature.  It is clearly a timing issue.  
OpenJPA is getting the credentials for the persistence unit and trying 
to decrypt the password before Aries has done its part.  At that point 
the password is still null (not yet injected) from blueprint.xml.

I was able to work around the issue by getting the data source as a 
blueprint container instance and manually setting the credentials in 
code at run time before getting an EntityManager from the factory.

On 4/2/2011 6:04 AM, Timothy Ward wrote:
> Hi Kent,
>
> What version of the Aries JPA container are you using? There were a number of timing issues around JPA datasources that were improved through the use of a delayed lookup in the JPA container, this passes a proxy datasource to OpenJPA and only does the real lookup when the first Database connection is requested. This might give you the opportunity you need? If you are able to pass in the javax.persistence.jdbc.password property at runtime that might also help.
>
> Let me know how you get on,
>
> Regards,
>
> Tim
>
> ----------------------------------------
>> Date: Mon, 28 Mar 2011 17:37:09 -0600
>> From: kcolsen@earthlink.net
>> To: user@aries.apache.org
>> Subject: Encrypting passwords with Aries JPA
>>
>> I am using Aries JPA in conjunction with OpenJPA in Apache Karaf and have a need to use encrypted database passwords. I am using a blueprint.xml file to configure the Aries data source for a database. The code will be deployed to several different environments where the database information will differ. Because of this I was planning to deploy a different blueprint.xml data source for each different environment.
>>
>> OpenJPA provides a mechanism to work with encrypted passwords by specifying an EncryptionProvider in the persistence.xml file. I have tried adding the encryption provider to persistence.xml. OpenJPA does call it to do the decryption, but since the user name and password are in the data source blueprint.xml file, Aries binds it after OpenJPA does the decryption call for the password. I suspect it would work if I put the username and password in persistence.xml. The problem with that is that I wanted to just deploy a different blueprint.xml rather than a different persistence.xml.
>>
>> I have also tried setting this configuration in code by tweaking the OpenJPAConfiguration object, but the EntityManagerFactory handed out by Aries is a wrapper.
>>
>> I was wondering if anyone has any suggestions on how to get this working with just configuration? Are there any code-based approaches to do this?
>>
>> Thanks in advance,
>> Kent Olsen
>>


RE: Encrypting passwords with Aries JPA

Posted by Timothy Ward <ti...@apache.org>.
Hi Kent,

What version of the Aries JPA container are you using? There were a number of timing issues around JPA datasources that were improved through the use of a delayed lookup in the JPA container, this passes a proxy datasource to OpenJPA and only does the real lookup when the first Database connection is requested. This might give you the opportunity you need? If you are able to pass in the javax.persistence.jdbc.password property at runtime that might also help.

Let me know how you get on,

Regards,

Tim

----------------------------------------
> Date: Mon, 28 Mar 2011 17:37:09 -0600
> From: kcolsen@earthlink.net
> To: user@aries.apache.org
> Subject: Encrypting passwords with Aries JPA
>
> I am using Aries JPA in conjunction with OpenJPA in Apache Karaf and have a need to use encrypted database passwords. I am using a blueprint.xml file to configure the Aries data source for a database. The code will be deployed to several different environments where the database information will differ. Because of this I was planning to deploy a different blueprint.xml data source for each different environment.
>
> OpenJPA provides a mechanism to work with encrypted passwords by specifying an EncryptionProvider in the persistence.xml file. I have tried adding the encryption provider to persistence.xml. OpenJPA does call it to do the decryption, but since the user name and password are in the data source blueprint.xml file, Aries binds it after OpenJPA does the decryption call for the password. I suspect it would work if I put the username and password in persistence.xml. The problem with that is that I wanted to just deploy a different blueprint.xml rather than a different persistence.xml.
>
> I have also tried setting this configuration in code by tweaking the OpenJPAConfiguration object, but the EntityManagerFactory handed out by Aries is a wrapper.
>
> I was wondering if anyone has any suggestions on how to get this working with just configuration? Are there any code-based approaches to do this?
>
> Thanks in advance,
> Kent Olsen
>
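
One code-based shape for the workaround described in this thread (decrypt the configured password and set it on the data source before the first EntityManager is requested), added here as an example and not code from Kent, Tim, Aries or OpenJPA. The class `SealedPassword`, its methods, the base64(iv || ciphertext) format and the `passwordSetter` hook, which stands in for the data source's own password setter, are all assumptions, and it uses only JDK classes.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.function.Consumer;

/** Added example (hypothetical class): unseal a DB password and inject it before first use. */
public class SealedPassword {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    /** Tooling side: produce base64(iv || ciphertext+tag) to store in the per-environment config. */
    static String seal(String plain, byte[] key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);               // fresh IV for every sealed value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Runtime side: throws AEADBadTagException if the value was altered or the key is wrong. */
    static String unseal(String sealed, byte[] key) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        if (in.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("sealed value too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    /** Call once at start-up, before any EntityManager is requested from the factory. */
    static void inject(String sealed, byte[] key, Consumer<String> passwordSetter) throws Exception {
        passwordSetter.accept(unseal(sealed, key));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a deployment would load the key bytes from outside the config file (assumption).
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        String sealed = seal("s3cr3t-db-pass", key);    // constructed sample value
        String[] holder = new String[1];                // stands in for dataSource::setPassword
        inject(sealed, key, p -> holder[0] = p);
        System.out.println("sealed=" + sealed + " injected=" + "s3cr3t-db-pass".equals(holder[0]));
    }
}
```

Keeping the key out of blueprint.xml is what makes the sealed value worth storing there; a key shipped beside the ciphertext only obscures the password.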