Posted to users@qpid.apache.org by Adel Boutros <Ad...@live.com> on 2016/12/13 12:12:14 UTC

[Qpid Java Broker] Providing external encryptor for configuration

Hello,

In the Java Broker book, it is mentioned here [1] that the user can provide an external configuration encryptor by implementing ConfigurationSecretEncrypter.

However, I couldn't find in the book where it describes the process. For example, where should I place my implementation? (under lib folder of the broker or somewhere else?)

[1]: https://qpid.apache.org/releases/qpid-java-6.0.4/java-broker/book/Java-Broker-Security-Configuration-Encryption.html

Regards,
Adel



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: [Qpid Java Broker] Providing external encryptor for configuration

Posted by Adel Boutros <Ad...@live.com>.
Hello Lorenz,


Indeed I figured it out by looking at the code. I actually had a wrong file structure under META-INF/services and my encryptor wasn't visible.

As for the AES, it is "conditionally available" and in my case it was not available. This is why I was seeing "None".


When I fixed the file structure, I could see my encryptor.


Thanks for your help!


Adel

________________________________
From: Lorenz Quack <qu...@gmail.com>
Sent: Thursday, December 15, 2016 5:13:20 PM
To: users@qpid.apache.org
Subject: Re: [Qpid Java Broker] Providing external encryptor for configuration

Hello Adel,

You would set this like any other attribute. Something like this:
curl -u username localhost:8080/api/v6.1/broker -X POST -d '{"confidentialConfigurationEncryptionProvider":"AESKeyFile"}'

However, we only allow valid values to be set. The error message from
that curl command will tell you which the broker believes to be valid
values. Judging from what you wrote I guess that list will be empty
since the web management console uses the
localhost:8080/service/metadata which also uses the valid values.

In the code the valid values for the encryptors are calculated here:
org.apache.qpid.server.model.AbstractContainer#getAvailableConfigurationEncrypters
which is referenced from the @ManagedAttribute annotation on
org.apache.qpid.server.model.Broker#getConfidentialConfigurationEncryptionProvider
I believe those annotations are resolved in the onResolve stage of
broker start up.

I think it should find your Encryptor if it is on the class path. Not
entirely sure what else could be going wrong.
Could you check what curl -u username localhost:8080/service/metadata
returns under
Broker -> Broker -> attributes ->
confidentialConfigurationEncryptionProvider -> validValues


Kind regards,
Lorenz


On 15/12/16 15:29, Adel Boutros wrote:
> Hello,
>
>
> I don't understand how I activate the encryptor in the broker attributes using the Management API as referenced here [1].
>
> When I open the web console and edit the broker attribute, the only value for "config encryption" is None.
>
>
> Did I miss something? Can you please assist?
>
>
> [1]: https://qpid.apache.org/releases/qpid-java-6.0.4/java-broker/book/Java-Broker-Management-Managing-Broker.html
>
>
> Regards,
>
> Adel
>
> ________________________________
> From: Adel Boutros
> Sent: Tuesday, December 13, 2016 6:49:10 PM
> To: users@qpid.apache.org
> Subject: Re: [Qpid Java Broker] Providing external encryptor for configuration
>
>
> Thanks Rob again!
>
>
> We had understood that by reading the code itself.
>
>
> Don't you think it would be a good idea to add this explanation to the Book?
>
>
> Regards,
>
> Adel
>
> ________________________________
> From: Rob Godfrey <ro...@gmail.com>
> Sent: Tuesday, December 13, 2016 5:43:17 PM
> To: users@qpid.apache.org
> Subject: Re: [Qpid Java Broker] Providing external encryptor for configuration
>
> In order to be found, a configuration secret encrypter implementation
> requires an implementation of ConfigurationSecretEncrypterFactory which
> needs to be in the META-INF/services file for the jar in which your
> implementation provides the service (the Qpid codebase uses an annotation
> @Pluggable and an annotation processor to generate the META-INF/services
> stuff automatically)
>
> -- Rob
>
> On 13 December 2016 at 16:33, Adel Boutros <Ad...@live.com> wrote:
>
>> Thanks Rob!
>>
>>
>> Are there any requirements at the level of the packaging of classes for
>> example under META-INF/services as Java service loader does?
>>
>>
>> Regards,
>>
>> Adel
>>
>> ________________________________
>> From: Rob Godfrey <ro...@gmail.com>
>> Sent: Tuesday, December 13, 2016 3:24:17 PM
>> To: users@qpid.apache.org
>> Subject: Re: [Qpid Java Broker] Providing external encryptor for
>> configuration
>>
>> Obviously the encrypter will have to be in the broker's classpath.  If you
>> use the qpid-server shell script, then it sets the environment variable
>> QPID_CLASSPATH like so:
>>
>> QPID_LIBS="${QPID_HOME}/lib/*:${QPID_HOME}/lib/plugins/*:${QPID_HOME}/lib/opt/*"
>>
>> QPID_CLASSPATH="${QPID_LIBS}"
>>
>> This is then used by qpid-run script to set the classpath for the broker.
>> So if you have not otherwise changed the script it looks like any of lib/ ,
>> lib/plugins or lib/opt/ would do.
>>
>> -- Rob
>>
>> On 13 December 2016 at 12:12, Adel Boutros <Ad...@live.com> wrote:
>>
>>> Hello,
>>>
>>> In the Java Broker book, it is mentioned here [1] that the user can
>>> provide an external configuration encryptor by implementing
>>> ConfigurationSecretEncrypter.
>>>
>>> However, I couldn't find in the book where it describes the process. For
>>> example, where should I place my implementation? (under lib folder of the
>>> broker or somewhere else?)
>>>
>>> [1]: https://qpid.apache.org/releases/qpid-java-6.0.4/java-broker/book/Java-Broker-Security-Configuration-Encryption.html
>>>
>>> Regards,
>>> Adel
>>>

Re: [Qpid Java Broker] Providing external encryptor for configuration

Posted by Lorenz Quack <qu...@gmail.com>.
Hello Adel,

You would set this like any other attribute. Something like this:
curl -u username localhost:8080/api/v6.1/broker -X POST -d '{"confidentialConfigurationEncryptionProvider":"AESKeyFile"}'

However, we only allow valid values to be set. The error message from
that curl command will tell you which the broker believes to be valid
values. Judging from what you wrote I guess that list will be empty
since the web management console uses the
localhost:8080/service/metadata which also uses the valid values.

In the code the valid values for the encryptors are calculated here:
org.apache.qpid.server.model.AbstractContainer#getAvailableConfigurationEncrypters
which is referenced from the @ManagedAttribute annotation on 
org.apache.qpid.server.model.Broker#getConfidentialConfigurationEncryptionProvider
I believe those annotations are resolved in the onResolve stage of 
broker start up.

I think it should find your Encryptor if it is on the class path. Not 
entirely sure what else could be going wrong.
Could you check what curl -u username localhost:8080/service/metadata 
returns under
Broker -> Broker -> attributes -> 
confidentialConfigurationEncryptionProvider -> validValues


Kind regards,
Lorenz



Re: [Qpid Java Broker] Providing external encryptor for configuration

Posted by Adel Boutros <Ad...@live.com>.
Hello,


I don't understand how I activate the encryptor in the broker attributes using the Management API as referenced here [1].

When I open the web console and edit the broker attribute, the only value for "config encryption" is None.


Did I miss something? Can you please assist?


[1]: https://qpid.apache.org/releases/qpid-java-6.0.4/java-broker/book/Java-Broker-Management-Managing-Broker.html


Regards,

Adel


Re: [Qpid Java Broker] Providing external encryptor for configuration

Posted by Adel Boutros <Ad...@live.com>.
Thanks Rob again!


We had understood that by reading the code itself.


Don't you think it would be a good idea to add this explanation to the Book?


Regards,

Adel


Re: [Qpid Java Broker] Providing external encryptor for configuration

Posted by Rob Godfrey <ro...@gmail.com>.
In order to be found, a configuration secret encrypter implementation
requires an implementation of ConfigurationSecretEncrypterFactory which
needs to be in the META-INF/services file for the jar in which your
implementation provides the service (the Qpid codebase uses an annotation
@Pluggable and an annotation processor to generate the META-INF/services
stuff automatically)

-- Rob
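
Added example (not from the thread and not Qpid code): a check for the packaging problem discussed in this thread, where the provider file is not at META-INF/services/<fully qualified factory interface> inside the jar and the encrypter therefore never shows up as a valid value. The jars are constructed in memory; the interface package org.apache.qpid.server.plugin and the com.example class names are assumptions to verify against your broker version.

```python
import io
import zipfile

# Assumption: fully qualified name of the factory interface; verify for your broker version.
SERVICE = "org.apache.qpid.server.plugin.ConfigurationSecretEncrypterFactory"


def check_provider_jar(jar, service=SERVICE):
    """Return a list of packaging problems that would hide the provider from
    the Java service loader; an empty list means the layout looks right.
    `jar` is a path or a file-like object."""
    problems = []
    expected = "META-INF/services/" + service
    simple = service.rsplit(".", 1)[-1]
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if expected not in names:
            problems.append("missing " + expected)
            # Report near misses: a provider file with the right name in the wrong place.
            for name in sorted(names):
                if name.endswith("/") or name.endswith(".class"):
                    continue
                if simple in name:
                    problems.append("misplaced provider file: " + name)
            return problems
        # Provider files are UTF-8, one class name per line, '#' starts a comment.
        for raw in zf.read(expected).decode("utf-8").splitlines():
            cls = raw.split("#", 1)[0].strip()
            if not cls:
                continue
            # Heuristic: the class is expected in the same jar as its provider file.
            if cls.replace(".", "/") + ".class" not in names:
                problems.append("listed class not in jar: " + cls)
    return problems


def build_jar(entries):
    """Constructed sample input: build a jar (zip) in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    buf.seek(0)
    return buf


IMPL = "com.example.VaultEncrypterFactory"          # hypothetical implementation class
CLASS_ENTRY = "com/example/VaultEncrypterFactory.class"
STUB = b"\xca\xfe\xba\xbe"                           # placeholder class bytes

# Correct layout: one file named after the interface, listing the implementation.
GOOD = {"META-INF/services/" + SERVICE: (IMPL + "\n").encode(), CLASS_ENTRY: STUB}
# Provider file written as nested directories instead of one dotted file name.
NESTED = {"META-INF/services/" + SERVICE.replace(".", "/"): (IMPL + "\n").encode(),
          CLASS_ENTRY: STUB}
# Right location, but the listed class name is misspelled (Encryptor vs Encrypter).
TYPO = {"META-INF/services/" + SERVICE: b"# provider\ncom.example.VaultEncryptorFactory\n",
        CLASS_ENTRY: STUB}

if __name__ == "__main__":
    for label, entries in (("good", GOOD), ("nested", NESTED), ("typo", TYPO)):
        print(label, check_provider_jar(build_jar(entries)))
```

Run check_provider_jar over the plugin jar you dropped into lib/, lib/plugins or lib/opt before looking at the broker's validValues list.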


Re: [Qpid Java Broker] Providing external encryptor for configuration

Posted by Adel Boutros <Ad...@live.com>.
Thanks Rob!


Are there any requirements at the level of the packaging of classes for example under META-INF/services as Java service loader does?


Regards,

Adel


Re: [Qpid Java Broker] Providing external encryptor for configuration

Posted by Rob Godfrey <ro...@gmail.com>.
Obviously the encrypter will have to be in the broker's classpath.  If you
use the qpid-server shell script, then it sets the environment variable
QPID_CLASSPATH like so:

QPID_LIBS="${QPID_HOME}/lib/*:${QPID_HOME}/lib/plugins/*:${QPID_HOME}/lib/opt/*"

QPID_CLASSPATH="${QPID_LIBS}"

This is then used by qpid-run script to set the classpath for the broker.
So if you have not otherwise changed the script it looks like any of lib/ ,
lib/plugins or lib/opt/ would do.

-- Rob
