How to encrypt Jasypt.encryptor.pasword property while using in Jhipster registry App's configuration file

Question

I am using JHipster registry APP and used local encryption by using Jasypt library to encrypt username and password from a centralized configuration for all micro-services.

While doing this I observed the moment I try to encrypt default username and password (admin/admin) ,encrypted as mentioned below in the central-config folder , I have configured gateway.yml( central configuration file for all micro-services common configurations)

spring:
  datasource:
    type: com.zaxxer.hikari.HikariDataSource
    url: jdbc:mysql://localhost:3306/gateway?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC&createDatabaseIfNotExist=true
    **username: ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    password: ENC(HLr1wJLGRZPuHVMUgEhiUQ==)**
    hikari:
      poolName: Hikari
      auto-commit: false
      data-source-properties:
        cachePrepStmts: true
        prepStmtCacheSize: 250
        prepStmtCacheSqlLimit: 2048
        useServerPrepStmts: true

  jpa:
     database-platform: org.hibernate.dialect.MySQLInnoDBDialect
     database: MYSQL
     openInView: false
     show-sql: true
  liquibase:
      drop-first: true
      # Remove 'faker' if you do not want the sample data to be loaded automatically
      contexts: dev

eureka:
  instance:
    prefer-ip-address: true
  client:
    service-url:
      defaultZone: 
       # Jasypt Encryptor property================       
       http://**ENC(iNeA5NB8uu+MIXdPXBNzSw==):ENC(iNeA5NB8uu+MIXdPXBNzSw==)**@localhost:8761/eureka/

# ===========================================
# Jasypt Encryptor property
#============================================
jasypt:
  encryptor:
    password: jasyptkey

I have added needed dependency tot he registry app project too for Jasypt-maven spring boot starter config as shown below and it compiled and brings up registry also perfectly

 <dependency>
            <groupId>com.github.ulisesbocchio</groupId>
            <artifactId>jasypt-spring-boot-starter</artifactId>
            <version>2.0.0</version>
        </dependency>

The issue I am facing the discovery client/ cloud config server clients are not able to recognize the end-point URI.

I have shared the bootstrap.yml file from micro-service app( gateway) too for reference if anything missing there.

micro-service app bootstarp.yml file goes like this

spring:
  application:
    name: gateway
  profiles:
    active: dev
    include: composite
  cloud:
    config:
      fail-fast: false 
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config/decrypt
      

      # name of the config server's property source (file.yml) that we want to use
      name: gateway
      profile: dev

Please suggest whant went wrong while configuring or any other alternative way to do this or it doesn't support Jasypt based encryption/decryption or something more needed to be configured?

Answer 1

I have figured out a solution for the issue. The only change I made is by passing Jasypt encryption library I tried using traditional JHipster registry app Cloud Config Server encryption/decryption strategy. For that similar thing I had to like using any Spring Cloud Config server Discovery along with eureka. So I while using my centralized configuration using native file system via central-config folder in JHipster-Registry app in boostrap.yml I have disabled the encrypt property of Spring Cloud config server at registry app end like this

spring:
  application:
    name: jhipster-registry
  profiles:
    active: dev
    include: composite
  cloud:
    config:
      server:

        #git:
         # uri: https://github.com/debjupiter18/central-config-server
          #skipSslValidation: true
        bootstrap: true
        **encrypt.enabled: false**

Enabled the same at my micro-service gateway app as mentioned below

jhipster:
  registry:
     password: '{cipher}a7b13e30356a50ed81275d9428a31543d7f59eb9e374f3063a94464e9f4a5863'

spring:
  application:
    name: gateway
  profiles:
    active: dev
    include: composite
    # The commented value for `active` can be replaced with valid Spring profiles to load.
    # Otherwise, it will be filled in by maven when building the JAR file
    # Either way, it can be overridden by `--spring.profiles.active` value passed in the commandline or `-Dspring.profiles.active` set in `JAVA_OPTS`
    #active: dev
  cloud:
    config:
      server.encrypt.enabled: true
      fail-fast: false # if not in "prod" profile, do not force to use Spring Cloud Config
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config
      #http://admin:password@registry:8761/config/decrypt

      # name of the config server's property source (file.yml) that we want to use
      name: gateway
      profile: dev

In the gateway.yml file in the central-config folder has been modified two encryption property as below, as the objective was a prototype to check if able to discover Eureka client and connect to MYSQL Db with these changes in place.

spring:
  datasource:
    type: com.zaxxer.hikari.HikariDataSource
    url: jdbc:mysql://localhost:3306/gateway?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC&createDatabaseIfNotExist=true&allowPublicKeyRetrieval=true
    username: root #{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4    #ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    password: '{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4' #root
    hikari:
      poolName: Hikari
      auto-commit: false
      data-source-properties:
        cachePrepStmts: true
        prepStmtCacheSize: 250
        prepStmtCacheSqlLimit: 2048
        useServerPrepStmts: true

  jpa:
     database-platform: org.hibernate.dialect.MySQLInnoDBDialect
     database: MYSQL
     openInView: false
     show-sql: true
  liquibase:
      drop-first: true
      # Remove 'faker' if you do not want the sample data to be loaded automatically
      contexts: dev #, faker
# Property to disable logging in GAE since we cannot write to GAE file system
  mail:
    host: localhost
    port: 25
    username:
    password:
  messages:
      cache-duration: PT1S # 1 second, see the ISO 8601 standard
  thymeleaf:
      cache: false
  sleuth:
      sampler:
        probability: 1 # report 100% of traces
  zipkin: # Use the "zipkin" Maven profile to have the Spring Cloud Zipkin dependencies
      base-url: http://localhost:9411
      enabled: false
      locator:
        discovery:
          enabled: true
  security:
      basic.enabled: true
      user.name : admin
      user.password : '{cipher}a7b13e30356a50ed81275d9428a31543d7f59eb9e374f3063a94464e9f4a5863'
eureka:
  instance:
    prefer-ip-address: true
  client:
    register-with-eureka: true
    fetch-registry: true
    service-url:
      defaultZone: http://${spring.security.user.name}:${spring.security.user.password}@localhost:8761/eureka/

Last but not the least used same property as mentioned below in both of the bootsrap.yml following the principle of enabling encryption mechanism at Config server end and to help decrypt the same property at server end also, this is due to JHipster registry acting both as Cloud Config server and Eureka registry as well.

encrypt:
  key: bXktc2VjcmV0LWtleS13aGljaC1zaG91bGQtYmUtY2hhbmdlZC1pbi1wcm9kdWN0aW9uLWFuZC1iZS1iYXNlNjQtZW5jb2RlZAo=
``` in both **bootstarp.yml** file to leverage the Spring cloud config server at JHipster-registry app side, to use the encryption at server side and decryption at client side .

I am able to run the centralized configuration with encryption and deryption, 
I stopped using Jasypt library for now. 
This is working for me, please let me know if any other suggestions or any downside of this solution, can discuss if anybody tried a different approach.