Adobe Experience Manager Sites & More

vsharm · 3/9/23

We have this configuration - Apache Felix Jetty Based Http Service and we need to make few updates to it.

Screen Shot 2023-03-09 at 4.48.30 PM.png
We think keeping this xml configuration in the codebase will be risky in terms of security point of view and System Admin or DevOps should manually control the entries in this configuration.

I am wondering what is the forum's recommendation and best practices about maintaining with some critical configurations in AEM?

Saravanan_Dharmaraj · 3/9/23

@vsharm Please check the below posts for the same

https://aemhq.com/posts/aem-encryption-101-how-to-encrypt-a-shared-secret/

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager-blogs/crypto-support-in-ae...

vivekanand-mishra · 3/9/23

@vsharm As long as you encrypt all your secrets, it's ok to store them in code base. As a general practise, all configurations are advised to be part of code base (Considering future state i.e AEM Cloud service). Avoid manual things as much as you can. Now that being said, you have two options to hide your secrets-

1. Use AEM's crypto support - [0]

2. Define these as a environment secret variables

Also, I recommend to use json configurations files instead of XML. Follow this article to embed secret environment variables in your configuration file- [2].

{
"connection.timeout": 1000,
"api-key": "$[secret:server-api-key]",
"url": "$[env:server-url]"
}

[0]- https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager-blogs/crypto-support-in-ae...

[1]- https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/using-...

[2]- https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/deploy...

vsharm · 3/10/23

Thank you @vivekanand-mishra for the input. We have decided to keep the config in the codebase as we might be moving to cloud soon.As of now we are going to update only one property org.apache.felix.http.jetty.responseBufferSize for which we dont need encryption.