AdroitLogic Private Ltd.

Securing the UltraESB configuration

This chapter discusses some of the best practices for a production deployment of the UltraESB.

Securing the configuration

The UltraESB configuration usually contains sensitive security information, such as passwords used for authentication or database access. When deploying in a production environment, these values can be kept from appearing in clear text in the configuration by using the optional Jasypt library [http://www.jasypt.org/].

To store an encrypted password in the configuration, first use the encrypt.sh/bat scripts from the bin directory as follows, and save the encrypted output that is generated. Note that the same input produces a different output on each run (a fresh random salt is applied each time). See [http://www.jasypt.org/cli.html] for more information.

asankha@asankha:ultraesb-0.1/bin$ ./encrypt.sh input="password" password=jasypt verbose=false algorithm=PBEWithMD5AndDES

Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0

To use the encrypted password, refer to the standard Jasypt documentation at [http://www.jasypt.org/encrypting-configuration.html] on how Jasypt integrates with a Spring configuration. For example, we could now place the above encrypted output in the conf/encrypted.properties file as follows.

secure_password=ENC(Rtk9+TzSec70ikJLwXlT9Y0tiwNCybE0)

Now, to specify that the SSL keystore password should be picked up from this property, we could configure the https transport as follows.

<bean id="https-8443" class="org.adroitlogic.ultraesb.transport.http.HttpsNIOListener">
    ....
    <property name="identityStorePath" value="/home/asankha/java/synapse-1.2/lib/identity.jks"/>
    <property name="identityKeyPassword" value="${secure_password}"/>
    <property name="identityStorePassword" value="${secure_password}"/>
    ....
</bean>

To pick up the encryption password from an environment variable at startup, for increased security, refer to the Jasypt documentation and the 'EnvironmentStringPBEConfig' class at the above URL.
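The following added example (not part of the UltraESB distribution or the Jasypt documentation) shows the mechanism the steps above rely on: the master password is read from an environment variable via EnvironmentStringPBEConfig, ENC(...) values in conf/encrypted.properties are decrypted transparently on lookup, and two encryptions of the same input yield different ciphertexts that both decrypt to the original. The variable name ULTRAESB_ENC_PASSWORD and the class name are assumptions chosen for the example; the Jasypt classes used are the library's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.properties.EncryptableProperties;

// Added example: resolves ENC(...) values the way the Spring wiring does,
// with the master password taken from the environment, not from any file.
public class EncryptedPropertiesDemo {

    // Assumed variable name; each deployment picks its own.
    static final String PASSWORD_ENV = "ULTRAESB_ENC_PASSWORD";

    static StandardPBEStringEncryptor buildEncryptor() {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");   // must match the algorithm given to encrypt.sh
        config.setPasswordEnvName(PASSWORD_ENV);    // read once at startup, never written to disk
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    public static void main(String[] args) throws IOException {
        if (System.getenv(PASSWORD_ENV) == null) {
            throw new IllegalStateException(PASSWORD_ENV + " is not set");
        }
        StandardPBEStringEncryptor encryptor = buildEncryptor();

        // Same plaintext encrypted twice: the random salt makes the outputs
        // differ, yet both decrypt to the original value.
        String first = encryptor.encrypt("password");
        String second = encryptor.encrypt("password");
        System.out.println("ciphertexts identical: " + first.equals(second));
        System.out.println("both decrypt to the same value: "
                + encryptor.decrypt(first).equals(encryptor.decrypt(second)));

        // EncryptableProperties decrypts ENC(...) values when getProperty() is called;
        // plain values are returned unchanged.
        Properties props = new EncryptableProperties(encryptor);
        try (FileInputStream in = new FileInputStream("conf/encrypted.properties")) {
            props.load(in);
        }
        String secret = props.getProperty("secure_password");
        // Only the length is printed so the resolved password never reaches the logs.
        System.out.println("secure_password resolved, length=" + secret.length());
    }
}
```

If the environment variable is unset or holds the wrong master password, Jasypt throws EncryptionOperationNotPossibleException at the first getProperty() of an ENC(...) value, which is the failure to watch for when the ESB refuses to start.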