Description
I have briefly discussed the problem I was running into on #84. During that time, I was missing the keystore on the client side, but it does not solve my problem when I try to deploy Config Server into production.
Background
I am deploying the Config Server as a company-wide shared configuration service (for production and non-production environments by using the profile annotation). Since all the production passwords are encrypted using the Config Server /encrypt endpoint, it is not OK to allow developers to have direct access to the Config Server without authentication.
I was planning to use the basic HTTP authentication with the Config Server and its bootstrap.yml looks like the following:
```yaml
encrypt:
  failOnError: false
  keyStore:
    location: classpath:config-server.jks
    alias: config-server
    password: f7hkjd764jAl
```
and the configserver.yml looks like the following, where the password was encrypted using its own /encrypt endpoint with the config-server.jks keystore:

```yaml
security:
  user:
    name: foobar
    password: "{cipher}AQAUtSkpM24ClZ81a/696J8Fdr2gkZUSsT2A4Zr4RBsRx4CNpWO+/f0Xs2Cazusjm3sRRABCgdkU6EZWWnrul/Up6DsgW5F3tzEgFMv51hZ4kw8hdkOXkZhohuOAIvMz6ZK4/d4kiDzRPxxWextAmvc+umCOfgRoFxFzi86wfvqO+WpAo41aOMRBC16kdycjs2zq8PG1FiZ631a11hNd0VB8N55kshXq0pTSoXLu3d7r2BwEogdhdrbeeuZ9Vfr1419aVJAxFmEIwni3pdn3Yj8bk/NbL0VQAXJPSlrbocNh1bWkSguX3g0pA44YqEIhwjQwsX3D10q1LIJrkcjEmKosydyuU3od46GDMMQDBaOETA7nKorCjFDR/ppi02TS59s="
```
On the client side, the bootstrap.yml looks like the following:
```yaml
spring:
  application:
    itemName: my-service
  cloud:
    config:
      uri: http://config.server.internal:8080
      failFast: true
      username: foobar
      password: "{cipher}AQAUtSkpM24ClZ81a/696J8Fdr2gkZUSsT2A4Zr4RBsRx4CNpWO+/f0Xs2Cazusjm3sRRABCgdkU6EZWWnrul/Up6DsgW5F3tzEgFMv51hZ4kw8hdkOXkZhohuOAIvMz6ZK4/d4kiDzRPxxWextAmvc+umCOfgRoFxFzi86wfvqO+WpAo41aOMRBC16kdycjs2zq8PG1FiZ631a11hNd0VB8N55kshXq0pTSoXLu3d7r2BwEogdhdrbeeuZ9Vfr1419aVJAxFmEIwni3pdn3Yj8bk/NbL0VQAXJPSlrbocNh1bWkSguX3g0pA44YqEIhwjQwsX3D10q1LIJrkcjEmKosydyuU3od46GDMMQDBaOETA7nKorCjFDR/ppi02TS59s="
encrypt:
  failOnError: false
  keyStore:
    location: classpath:config-server.jks
    alias: config-server
    password: f7hkjd764jAl
```
Now, my problem is: the developers have full access to the server-side key pair. In other words, the developers can decrypt the {cipher} password from the properties files by using the keystore. It completely defeats the purpose of server-side encryption.
Questions
- Is it possible to use a different keypair for the config server login credential?
- I may still be doing it completely wrong up there. Any correction is helpful, since the current document is very unclear on how to use encrypted passwords for HTTP authentication.
Activity
spencergibb commented on Feb 13, 2015
You can certainly use a different keypair for the config server login credential on the client side (not the server side). Putting the production config server password in bootstrap.yml checked into source control is probably not the way to go about securing the config server. On the production server you could use an environment variable (SPRING_CLOUD_CONFIG_PASSWORD) or use a separate keypair (or encrypt.key) on the client side to encrypt/decrypt the password for config server clients.
iceycake commented on Feb 13, 2015
I think I got it.
The client side needs to do the decryption of the password before sending it over to the Config Server side. So I should be using a different keypair for the client side.
And yes, the client-side password will be assigned on the production server as an env variable, so nothing will be checked into source control.
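Putting the two comments above together, here is an added example (not from this issue or the Spring Cloud Config project) of how the server and client bootstrap files look once the client stops carrying the server keystore: three separate files shown in one block, separated by `---`. The `file:` paths, `client.jks`, its alias and the two `*_KEYSTORE_PASSWORD` environment variable names are assumptions; `SPRING_CLOUD_CONFIG_PASSWORD` is the variable named in spencergibb's comment.

```yaml
# --- Config Server: bootstrap.yml ---
# config-server.jks is the only key able to decrypt the {cipher} values in the
# config repository, so it stays on the server host and is never packaged into
# client artifacts. Leaving failOnError at its default (true) makes a failed
# decryption abort startup instead of being silently skipped.
encrypt:
  keyStore:
    location: file:/etc/config-server/config-server.jks   # assumption: outside the jar
    alias: config-server
    password: ${CONFIG_SERVER_KEYSTORE_PASSWORD}          # assumption: injected from the environment
---
# --- Client, option A: no password in the file at all ---
# Spring Boot relaxed binding maps the environment variable
# SPRING_CLOUD_CONFIG_PASSWORD onto spring.cloud.config.password, so the
# production host exports it and nothing secret is committed.
spring:
  application:
    name: my-service
  cloud:
    config:
      uri: http://config.server.internal:8080
      failFast: true
      username: foobar
---
# --- Client, option B: a client-local keypair distinct from the server's ---
# The {cipher} value here must be produced with client.jks (assumed name/alias),
# not with the server's /encrypt endpoint; a developer who obtains client.jks
# learns this one login password but cannot decrypt anything in the config repo.
spring:
  application:
    name: my-service
  cloud:
    config:
      uri: http://config.server.internal:8080
      failFast: true
      username: foobar
      password: "{cipher}<ciphertext produced with client.jks, placeholder>"
encrypt:
  keyStore:
    location: file:/etc/my-service/client.jks              # assumption
    alias: client                                          # assumption
    password: ${CLIENT_KEYSTORE_PASSWORD}                  # assumption
```

Either way, the check to run before shipping is that no client artifact contains config-server.jks or its keystore password.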