In the previous blogs, I explained the difference between Credential Store and Password Vault (Credential Store vs Password Vault), and I share how to secure your sensitive strings with Password Vault. Today, one more blog to give the whole view, how to use Credential Store in JBoss EAP!

What is the Credential Store?

Introduced with the elytron subsystem, credential stores allow for secure storage and usage of credentials. As all of the configuration files in (EAP_HOME/standalone/configuration/ and EAP_HOME/domain/configuration/) are world readable by default. It is strongly recommended to not store plaintext passwords in the configuration files, and instead place these credentials in the Credential Store.

Please note all following command are base on JBoss EAP in Standalone mode.

Create a Credential Store

The Credential Store is stored in a file, the place of your choice, you must define the path to this file at creation time. At creation time, you need also to provide the master password that will be used to encrypt the credential store.

/subsystem=elytron/credential-store=dbi_store:add(location="cred_stores/dbi_store.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text=secretpassword}, create=true)

This CLI command creates a new store named dbi_store, and creates the file jboss.server.data.dir/cred_stores/dbi_store.jceks.

This will implement a default Credential Store, there is a way to implement custom store by adding a module and create a provider loader. To keep this blog readable the custom Credential Store could be shared in a next blog.

Add a credential to Credential Store

Basically, the idea is to store credentials in the Credential Store, so how to add credentials?

The following CLI command adds a credential in a the credential store created before:

/subsystem=elytron/credential-store=dbi_store:add-alias(alias=database-pw, secret-value="my_speci@l_P1$$w0rd_DB")

the alias is the one to be referenced later!

Use the credential stored in the Credential Store

Once the credential is stored in the Credential Store, it is quite easy and secure to refer to it.

In fact, to refer to a sensitive string stored in a credential store, use the credential-reference attribute in the JBoss EAP Configuration, like the following:

credential-reference={store=STORE_NAME, alias=ALIAS}

Fore example, to create a datasource using the password I just added to the credential store dbi_store, I have to execute the following:

data-source add --name=dbi_DS --jndi-name=java:/dbi_DS --driver-name=h2 --connection-url=jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE --user-name=db_user --credential-reference={store=dbi_store, alias=database-pw}

So, instead of providing the password the credential-reference including the store name and alias is provided.
JBoss EAP configured this datasource as following:

/subsystem=datasources/data-source=dbi_DS:read-resource()
{
    "outcome" => "success",
    "result" => {
        ...
        "credential-reference" => {
            "store" => "dbi_store",
            "alias" => "database-pw"
        },
        ...
        "password" => undefined,
        ...
    }
}

Note that the password is undefined and the credential-reference attribute is defined instead.

List the credentials

At any time, you can list the aliases of all credentials contained in a credential store using the following CLI Command:

/subsystem=elytron/credential-store=dbi_store:read-aliases()
{
    "outcome" => "success",
    "result" => [
        "database-pw"
    ]
}

Remove a credential

Well you guess it, you can manage everything via CLI, as any other subsystem. That is why I prefer using Credential Store 🙂

So to remove a credential, execute the following command:

/subsystem=elytron/credential-store=dbi_store:remove-alias(alias=database-pw)

Conclusion

You know how to create Credential Store, store and use credentials in a secure way.

IMPORTANT

Please note that it is important to disabled the CLI history before executing commands with passwords. This avoid saving the command and so password in clear text in the CLI History!

history --disable

If you already executed with commands with passwords, it is not too late 😉 clear the history asap:

history --clear

Do you need any help? dbi services experts can help you to install and configure JBoss EAP according to Best Practices… Not only JBoss EAP, check the list of Application Servers here.