SOLVED
Best secure way way to store credentials in AEM
Hi All,
I want to save some credentials(assessKey/SecretId) for some third-party authentication, But not want to save in code or config files as it will be visible to all developers.
I saw one blog where the credentials get store as java System properties variables in start.bat script file like below
and try to assess it in code using BundleContext.getProperty("aws.accessKeyId").
I want to know
1. Is it good way to store the credentials.
2. I tried the same but not able to retrieve using below code. Demo is my SlingModel class. it returns null only
FrameworkUtil.getBundle(Demo.class).getBundleContext().getProperty("aws.accessKey");
1 Accepted Solution
Correct answer by
Hi @maddy_23
Here is a way to store sensitive data store into the system using Crypto Support.
Process 1:
From “http://localhost:4502/system/console/crypto” we can write plain text and by clicking “protect” we will get a protected text.
NB: According to documentation, after 6.3 this value “plain text” & “protected text” will store in "/crx-quickstart/launchpad/felix/bundle<Id>/data" in the file system. To find the id we have to look for the bundle id of this "/system/console/bundles/com.adobe.granite.crypto.file"
We can use this protected text in the appConfigurationService file.
When we call for that we will get the plain text.
Process 2:
-> We have CryptoSupport interface from “com.adobe.granite.crypto.CryptoSupport”
-> We can get protected text by “protectedText = cryptoSupport.protect(plainText)”
-> We can set that “protectedText” into config file
-> When we call for any value we have to unprotect that value to get the plain text. We can do this by “plainText = cryptoSupport.unprotect(protectedText)”
NB: Tested it with a servlet with some request parameters. We can maintain a separate file for the plain texts and only store the protected texts in configuration files.
Every time CryptoSupport will generate a unique protected text.
Not sure about the very best way, but I would create an OSGI service with required fields to save the configuration.
You may use "passwordValue" as the property annotation parameter to obscure the password from plain sight.
@Property(label="password", description="user password", passwordValue=DEFAULT_PASSWORD ) public static final String PASSWORD = "xxx.password";
Putting it all together:
1) Create an OSGI service with required text and password fields.
2) Get instance of this OSGI service in Sling Model/Servlet/Another Service.
3) Don't create a config.xml file under runmodes for this OSGI service.
4) You have to configure this service in each Author/Publish instance.
Note: This approach may not work in AEM as CS.
Hello @maddy_23
For On-premise, AEM provides feature that allows OSGi configuration properties to be stored in a protected encrypted form instead of clear text.
On-AaaCS, please use the "Secret Environment Variable". It can be set via Cloud manager
Aanchal Sikka
Correct answer by
Hi @maddy_23
Here is a way to store sensitive data store into the system using Crypto Support.
Process 1:
From “http://localhost:4502/system/console/crypto” we can write plain text and by clicking “protect” we will get a protected text.
NB: According to documentation, after 6.3 this value “plain text” & “protected text” will store in "/crx-quickstart/launchpad/felix/bundle<Id>/data" in the file system. To find the id we have to look for the bundle id of this "/system/console/bundles/com.adobe.granite.crypto.file"
We can use this protected text in the appConfigurationService file.
When we call for that we will get the plain text.
Process 2:
-> We have CryptoSupport interface from “com.adobe.granite.crypto.CryptoSupport”
-> We can get protected text by “protectedText = cryptoSupport.protect(plainText)”
-> We can set that “protectedText” into config file
-> When we call for any value we have to unprotect that value to get the plain text. We can do this by “plainText = cryptoSupport.unprotect(protectedText)”
NB: Tested it with a servlet with some request parameters. We can maintain a separate file for the plain texts and only store the protected texts in configuration files.
Every time CryptoSupport will generate a unique protected text.
