JBoss EAP configuration files are plain, unencrypted XML files, yet some sensitive strings may need to be stored there. For obvious security reasons, JBoss EAP allows sensitive strings to be encrypted and kept outside the configuration files.
The sensitive strings can be stored in a keystore and subsequently decrypted for applications and systems. There are two ways to encrypt sensitive strings outside JBoss EAP configuration files:
- Credential Store
- Password Vault
Please note that even with a credential store or a password vault, it is recommended to restrict access to the configuration files (EAP_HOME/standalone/configuration or EAP_HOME/domain/configuration) to a few users.
Let’s understand each one first.
Credential Store
The Credential Store was introduced in JBoss EAP 7.1 with the elytron subsystem. It secures sensitive plain-text strings by encrypting them in a storage file. Each JBoss EAP server can contain multiple credential stores.
The default credential store implementation uses a JCEKS keystore file to store credentials. When creating a new credential store, the default implementation also allows you to reference an existing keystore file or have JBoss EAP automatically create one for you.
Please note that the elytron subsystem does not check whether the same storage file is used by multiple credential stores, but it is strongly recommended not to share one file between several credential stores.
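To make the storage mechanism concrete, here is an added example (not code from the original post or from JBoss EAP itself) that does in plain Java what a JCEKS-backed credential store does conceptually: it wraps a sensitive string as a password-protected secret-key entry in a JCEKS keystore file, then reads it back and decrypts it. The file name, alias and passwords are assumed values chosen for this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: keeps a sensitive string in a JCEKS keystore file instead of
// a clear-text configuration file. Only the store password is needed at
// runtime; the secret itself never appears in the configuration.
public class JceksSecretDemo {

    private static final String KEYSTORE_TYPE = "JCEKS";
    // "PBE" is the SunJCE alias for a password-based SecretKeyFactory; it lets a
    // char[] password be persisted as a SecretKeyEntry in a JCEKS keystore.
    private static final String PBE_ALGORITHM = "PBE";

    /** Creates the keystore file if it does not exist and stores the secret under alias. */
    public static void storeSecret(Path file, char[] storePassword,
                                   String alias, char[] secret) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        if (Files.exists(file)) {
            try (FileInputStream in = new FileInputStream(file.toFile())) {
                ks.load(in, storePassword); // reuse an existing store, as EAP can
            }
        } else {
            ks.load(null, storePassword);   // start an empty store
        }
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM);
        SecretKey key = factory.generateSecret(new PBEKeySpec(secret));
        // The entry is protected with its own password; here the store password is reused.
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(storePassword));
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            ks.store(out, storePassword);
        }
    }

    /** Returns the decrypted secret stored under alias, or null if the alias is absent. */
    public static char[] loadSecret(Path file, char[] storePassword,
                                    String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, storePassword);
        }
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(storePassword));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            return null;
        }
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM);
        PBEKeySpec spec = (PBEKeySpec) factory.getKeySpec(
                ((KeyStore.SecretKeyEntry) entry).getSecretKey(), PBEKeySpec.class);
        try {
            return spec.getPassword();      // returns a copy of the password chars
        } finally {
            spec.clearPassword();           // wipe the spec's own copy
        }
    }

    public static void main(String[] args) throws Exception {
        Path file = Paths.get("example-credentials.jceks");            // assumed file name
        char[] storePassword = "change-me-store-password".toCharArray(); // assumed value
        char[] dbPassword = "s3cr3t-db-pa55".toCharArray();              // constructed secret

        storeSecret(file, storePassword, "example-db-password", dbPassword);
        char[] recovered = loadSecret(file, storePassword, "example-db-password");

        System.out.println("Recovered secret matches: " + Arrays.equals(recovered, dbPassword));
        // Clear secrets from memory once they are no longer needed.
        Arrays.fill(recovered, '\0');
        Arrays.fill(dbPassword, '\0');
    }
}
```

Run it with `javac JceksSecretDemo.java && java JceksSecretDemo`; it prints `Recovered secret matches: true`. The point to take away is the trust boundary: the sensitive string is protected by the keystore file and its store password, so the remaining task is protecting that one store password (and, as the post notes above, limiting who can read the configuration directory), rather than every secret individually.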
I will share with you in a later blog post how to:
- Create a Credential Store in Standalone and domain mode
- Add a Credential to the Credential Store
- Use the stored Credential in the configuration
- List the Credentials in the Credentials store
- Remove a Credential from a Credential Store
Password Vault
The Password Vault uses a Java keystore as its storage mechanism. A password vault consists of two parts: the vault storage and the key storage. The Java keystore holds the key that is used to encrypt and decrypt the sensitive strings in the vault storage.
I already explained what the Password Vault is and how to use it, with an example, in this blog.
Credential Store vs Password Vault
Well, if you are reading this blog, this means that you have probably not yet secured your sensitive strings 😀
Please note that both methods are supported by Red Hat; however, a Credential Store is preferred over a Password Vault for the following reasons:
- A Credential Store allows easier credential management through the JBoss EAP management CLI, whereas a Password Vault requires an external tool (see blog).
- Multiple Credential Stores are allowed, while you are limited to only one Password Vault per JBoss EAP server.
So, if you are about to secure your sensitive strings, go with a Credential Store without hesitation. Otherwise, if you are already using a Password Vault, you have the choice to keep it or to migrate your sensitive strings to a Credential Store.
I hope this blog helped you understand the difference between the two; you can now make your choice.
As promised, I will share more details about the Credential Store configuration, so stay connected 😉