Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED
Best secure way way to store credentials in AEM
Hi All,
I want to save some credentials(assessKey/SecretId) for some third-party authentication, But not want to save in code or config files as it will be visible to all developers.
I saw one blog where the credentials get store as java System properties variables in start.bat script file like below
and try to assess it in code using BundleContext.getProperty("aws.accessKeyId").
I want to know
1. Is it good way to store the credentials.
2. I tried the same but not able to retrieve using below code. Demo is my SlingModel class. it returns null only
FrameworkUtil.getBundle(Demo.class).getBundleContext().getProperty("aws.accessKey");
1 Accepted Solution
Correct answer by
Hi @maddy_23
Here is a way to store sensitive data store into the system using Crypto Support.
Process 1:
From “http://localhost:4502/system/console/crypto” we can write plain text and by clicking “protect” we will get a protected text.
NB: According to documentation, after 6.3 this value “plain text” & “protected text” will store in "/crx-quickstart/launchpad/felix/bundle<Id>/data" in the file system. To find the id we have to look for the bundle id of this "/system/console/bundles/com.adobe.granite.crypto.file"
We can use this protected text in the appConfigurationService file.
When we call for that we will get the plain text.
Process 2:
-> We have CryptoSupport interface from “com.adobe.granite.crypto.CryptoSupport”
-> We can get protected text by “protectedText = cryptoSupport.protect(plainText)”
-> We can set that “protectedText” into config file
-> When we call for any value we have to unprotect that value to get the plain text. We can do this by “plainText = cryptoSupport.unprotect(protectedText)”
NB: Tested it with a servlet with some request parameters. We can maintain a separate file for the plain texts and only store the protected texts in configuration files.
Every time CryptoSupport will generate a unique protected text.
Not sure about the very best way, but I would create an OSGI service with required fields to save the configuration.
You may use "passwordValue" as the property annotation parameter to obscure the password from plain sight.
@Property(label="password", description="user password", passwordValue=DEFAULT_PASSWORD ) public static final String PASSWORD = "xxx.password";
Putting it all together:
1) Create an OSGI service with required text and password fields.
2) Get instance of this OSGI service in Sling Model/Servlet/Another Service.
3) Don't create a config.xml file under runmodes for this OSGI service.
4) You have to configure this service in each Author/Publish instance.
Note: This approach may not work in AEM as CS.
Hello @maddy_23
For On-premise, AEM provides feature that allows OSGi configuration properties to be stored in a protected encrypted form instead of clear text.
On-AaaCS, please use the "Secret Environment Variable". It can be set via Cloud manager
Aanchal Sikka
Correct answer by
Hi @maddy_23
Here is a way to store sensitive data store into the system using Crypto Support.
Process 1:
From “http://localhost:4502/system/console/crypto” we can write plain text and by clicking “protect” we will get a protected text.
NB: According to documentation, after 6.3 this value “plain text” & “protected text” will store in "/crx-quickstart/launchpad/felix/bundle<Id>/data" in the file system. To find the id we have to look for the bundle id of this "/system/console/bundles/com.adobe.granite.crypto.file"
We can use this protected text in the appConfigurationService file.
When we call for that we will get the plain text.
Process 2:
-> We have CryptoSupport interface from “com.adobe.granite.crypto.CryptoSupport”
-> We can get protected text by “protectedText = cryptoSupport.protect(plainText)”
-> We can set that “protectedText” into config file
-> When we call for any value we have to unprotect that value to get the plain text. We can do this by “plainText = cryptoSupport.unprotect(protectedText)”
NB: Tested it with a servlet with some request parameters. We can maintain a separate file for the plain texts and only store the protected texts in configuration files.
Every time CryptoSupport will generate a unique protected text.
Related Conversations
