Tuesday, September 15, 2020

How to Use Encrypted Password for OOTB Configurations

Hello Everyone, 

It’s been so long since I wrote something. So here is a new blog post about some issues I faced
recently and what I learned from them.

1. Encrypted Password for OOTB Configurations: We always talk about keeping
passwords in the code base as encrypted values so that the password itself is protected.
To tackle this in AEM, we always talk about CryptoSupport. So basically, if there is a custom configuration that needs to use an encrypted password, I can use the CryptoSupport concept in AEM.

But there are a few OSGi configurations in AEM, like “JDBC ODBC Connection Pool” or “Adobe Granite SAML 2.0 Authentication Handler”, that have password fields. So can we use the CryptoSupport concept here too?

The answer is yes: you can put the encrypted value directly in the “password fields” of these configurations, and you don’t need to worry about the decryption part; AEM takes care of it. To encrypt a password, use the CryptoSupport console in AEM.

Conclusion: We need to understand this very clearly: if a field is defined as a "Password type", either in an OOTB or a custom configuration, we don’t need to worry about the decryption part. Just configure the encrypted value in the field, and AEM will recognise that, because it is a password field, it may need to decrypt it.
But if your field is plain text, then you have to take care of the decryption part yourself, as mentioned in the previous post.
Fig1: For a password field, there is no need to write decryption logic.

2. AEM SAML Configuration in the Code Repository Issue: Recently, while working on a project, I configured the AEM SAML integration on the author instance and it worked fine. Then it was time to put the config in the code repository. So,

a) I put that config in the code repository (at /apps/<project-folder>/config.author.dev/com.adobe.granite.auth.saml.SamlAuthenticationHandler-myproject.xml).

b) Deleted the manually created SAML configuration in the Felix console, performed a build, and was able to see the SAML config added by the code.

c) I hit the author URL and it didn't take me to the IDP login page.
d) I went to Felix, opened the SAML config, clicked Save (without touching anything else), hit the author URL again, and now it took me to the IDP login page.

I found exactly the same issue on the Adobe Community, and the solution there worked for me.

Solution:
a) Name the file "com.adobe.granite.auth.saml.SamlAuthenticationHandler-<Project_Identifier>.config" (make sure it is a regular file in Eclipse or IntelliJ); there is no need to add the extension ".xml" at the end.
b) Inside this file, add the configuration as plain text. Please see below:
# Configuration created by Apache Sling JCR Installer
# keyStorePassword is stored as a CryptoSupport-encrypted value.
keyStorePassword="{41bdcd34d9a34ae1c68bafa6b7b647443c429ad97e00a9f2cb5f876b2433}"
service.ranking=I"5002"
idpHttpRedirect=B"false"
createUser=B"true"
defaultRedirectUrl="/content/project/en/aem-assets.html"
userIDAttribute="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
assertionConsumerServiceURL=""
defaultGroups=["contributors"]
signatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
idpCertAlias="certalias___xxxxxxxxxxxx"
addGroupMemberships=B"true"
path=["/content/projects"]
digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
synchronizeAttributes=""
clockTolerance=I"60"
groupMembershipAttribute="groupMembership"
idpUrl="IDP URL GOES HERE"
logoutUrl="logouturl"
serviceProviderEntityId="service_provider_entity_id"
handleLogout=B"true"
spPrivateKeyAlias=""
useEncryption=B"false"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

You can also copy the content of the file from CRXDE after you manually save the OSGi config through /system/console/configMgr.

Note: This solution really worked for me, but logically it didn’t make sense to me, because while working on another project on AEM 6.5.4 the XML file worked fine. So far I have faced this issue only in AEM 6.5.5, so I can’t really say whether this is an upgrade issue or something else.
So, if you face this issue in any AEM version, you can directly try this solution.
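Since the whole point of section 1 is that password fields in the code base must hold the CryptoSupport-encrypted {hex} form rather than plaintext, here is an added example (not from the original post or from Adobe) of a small pre-commit style check: it parses the subset of the Felix .config format shown above (plain strings, I"…"/L"…"/B"…" typed scalars, ["…"] string arrays) and flags any key containing "password" whose value is not in the encrypted form. The sample config, the "password-in-key-name" heuristic and the helper names are my own assumptions.

```python
import re

# Constructed sample in the Felix/Sling .config format used in this post
# (placeholder values, not the author's real configuration).
SAMPLE_CONFIG = '''# Configuration created by Apache Sling JCR Installer
keyStorePassword="{41bdcd34d9a34ae1c68bafa6b7b647443c429ad97e00a9f2cb5f876b2433}"
service.ranking=I"5002"
idpHttpRedirect=B"false"
defaultGroups=["contributors"]
path=["/content/projects"]
clockTolerance=I"60"
idpUrl="IDP URL GOES HERE"
'''

LINE_RE = re.compile(r'^([A-Za-z0-9_.\-]+)\s*=\s*(.*)$')
# CryptoSupport output as seen in the post: hex digits wrapped in braces.
ENCRYPTED_RE = re.compile(r'^\{[0-9a-fA-F]+\}$')


def _parse_value(value):
    """Decode one right-hand side: ["a","b"], I"5", L"5", B"true" or "text"."""
    if value.startswith('['):
        # String array: collect every quoted element between the brackets.
        return re.findall(r'"([^"]*)"', value[1:value.rindex(']')])
    type_code = ''
    if len(value) > 1 and value[1] == '"' and value[0] in 'ILB':
        type_code, value = value[0], value[1:]
    body = value[1:-1]  # strip the surrounding double quotes
    if type_code in ('I', 'L'):
        return int(body)
    if type_code == 'B':
        return body == 'true'
    return body


def parse_felix_config(text):
    """Parse the .config subset shown in this post into a dict."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):  # blank or comment line
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f'unparseable line: {raw!r}')
        key, value = match.groups()
        result[key] = _parse_value(value)
    return result


def find_plaintext_secrets(config):
    """Keys that look like passwords but are not CryptoSupport {hex} values."""
    return [key for key, val in config.items()
            if 'password' in key.lower()
            and isinstance(val, str) and not ENCRYPTED_RE.match(val)]
```

Running find_plaintext_secrets(parse_felix_config(...)) over every *.config file in the repository before a commit catches a plaintext keyStorePassword that slipped in by mistake.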

I hope you find it a good read. Thanks and Happy Learning.

3 comments:

  1. There are so many AEM posts around but your posts always make sense, because you talk from your experiences. I really like your posts, Keep learning and sharing.

  2. Hi,

    I am working on a similar SAML integration, did you manage to bring the idpCertAlias variable in code as well?

    Thanks
    The certalias gets generated when we upload idpcert in truststore, is it possible to store the cert in code and generate the alias and pass it to SAML osgi configuration?

  3. Thanks a lot for this post.
