JBoss EAP simplifies a lot of server configuration by consolidating all subsystem configurations into a single XML file (standalone.xml or domain.xml). This, however, can expose sensitive information to any user that has access to the configuration files. For example, datasource credentials are by default stored in plain text in the XML file. In this blog I will show you how to protect your passwords!<\/p>\n\n\n\n\n\n\n\n
The vault encrypts sensitive strings, stores them in an encrypted keystore, and decrypts them for applications and verification systems. To avoid leaving sensitive credentials readable in the standalone.xml<\/em> or domain.xml<\/em> files, you can store passwords or other attributes in the vault and then reference the vault from within the server configuration file. <\/p>\n\n\n\n Using a vault creates a level of abstraction and obfuscates data which could otherwise be read by anyone who has access to the configuration files. Please note that the access to the configuration files should be anyway restricted.<\/p>\n\n\n\n The vault utilizes a keystore by using the certificate stored in the keystore as an encryption key for the vault as a whole. To initialize the vault, users need to first create the JavaSE keystore. The following is the syntax used to create a private key, a certificate and to store them in a keystore:<\/p>\n\n\n\n The below is an example:<\/p>\n\n\n\n After running the command, you will be prompted for a keystore password and a keystore file will be created at \/app\/jboss\/vault.keystore.<\/p>\n\n\n\n The vault can be initialized either interactively, by providing each parameter one at a time, or by providing all of the parameters initially.<\/p>\n\n\n\n The following is an example of the syntax used to initialize the vault:<\/p>\n\n\n\n The following parameters are required to initialize the vault:<\/p>\n\n\n\n The following is an example with the parameters populated:<\/p>\n\n\n\n After running the vault.sh command, an XML definition of the vault is displayed, which needs to be added to the server configuration files. The following is an example of the XML that needs to be added to either the standalone.xml<\/em> or host.xml <\/em>configuration file directly before the section:<\/p>\n\n\n\n The final step is to replace the sensitive data with a reference to the attribute in the vault. The vault.sh command provides the exact syntax necessary to reference the secured attribute after all of the parameters are provided. Using the previous example, the vault command generated the following:<\/p>\n\n\n\n In order to use this reference, use the following syntax within the server configuration:<\/p>\n\n\n\n The following can replace the previous password in the server configuration for the blog datasource password:<\/p>\n\n\n\n After replacing the password for the datasource, the server configuration for the datasource will look similar to the following:<\/p>\n\n\n\n In this blog we saw how to protect passwords or any sensitive data in configuration files. Don’t forget to restrict the access to your configuration files also!<\/p>\n\n\n\n Don’t hesitate to comment this blog, for any question or to share your experience with vault within JBoss EAP. <\/p>\n\n\n\n Some blogs around JBoss EAP:<\/p>\n\n\n\n JBoss EAP simplifies a lot of server configuration by consolidating all subsystem configurations into a single XML file (standalone.xml or domain.xml). This, however, can expose sensitive information to any user that has access to the configuration files. For example, datasource credentials are by default stored in plain text in the XML file. In this blog […]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2748],"tags":[2610,119,2757,2564,1100],"type_dbi":[],"class_list":["post-27571","post","type-post","status-publish","format-standard","hentry","category-weblogic","tag-jboss-2","tag-jboss-eap","tag-jboss-eap-2","tag-security-3","tag-wildfly"],"acf":[],"yoast_head":"\nCreate a Java Keystore to store sensitive strings<\/h2>\n\n\n\n
keytool -genseckey -alias <alias> -keyalg <algorithm> -storetype <type> -keysize size -keystore <filepath><\/code><\/pre>\n\n\n\n\n
key.<\/li>\n\n\n\n[jboss@vmjboss jboss]# keytool -genseckey -alias vault -keyalg AES -storetype jceks -keysize 128 -keystore \/app\/jboss\/vault.keystore\nEnter keystore password: \nRe-enter new password: \nEnter key password for <vault>\n\t(RETURN if same as keystore password): \n\nWarning:\nThe JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore \/app\/jboss\/vault.keystore -destkeystore \/app\/jboss\/vault.keystore -deststoretype pkcs12\".\n[jboss@vmjboss jboss]# ls -rtl \/app\/jboss\/\ntotal 4\n-rw-r--r-- 1 jboss jboss 500 Sep 4 10:56 vault.keystore<\/code><\/pre>\n\n\n\nUsing the vault<\/h2>\n\n\n\n
vault.sh --keystore KEYSTORE_URL --keystore-password KEYSTORE_PASSWORD --alias KEYSTORE_ALIAS --vault-block VAULT_BLOCK --attribute ATTRIBUTE --sec-attr SEC-ATTR --enc-dir ENC_FILE_DIR --iteration ITERATION_COUNT --salt SALT<\/code><\/pre>\n\n\n\n\n
creation.<\/li>\n\n\n\n
name when storing a password value.<\/li>\n\n\n\n[jboss@vmjboss bin]# vault.sh --keystore \/app\/jboss\/vault.keystore --keystore-password password --alias vault --vault-block blog --attribute password --sec-attr blogpass --enc-dir \/app\/jboss\/ --iteration 50 --salt 12345678<\/code><\/pre>\n\n\n\n<vault>\n<vault-option name=\"KEYSTORE_URL\" value=\"\/app\/jboss\/vault.keystore\"\/>\n<vault-option name=\"KEYSTORE_PASSWORD\" value=\"MASK-31x\/z0Xn83H4JaL0h5eK\/N\"\/>\n<vault-option name=\"KEYSTORE_ALIAS\" value=\"vault\"\/>\n<vault-option name=\"SALT\" value=\"12345678\"\/>\n<vault-option name=\"ITERATION_COUNT\" value=\"50\"\/>\n<vault-option name=\"ENC_FILE_DIR\" value=\"\/app\/jboss\/\"\/>\n<\/vault><\/code><\/pre>\n\n\n\nVAULT::blog::password::1<\/code><\/pre>\n\n\n\n${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::1}<\/code><\/pre>\n\n\n\n${VAULT::blog::password::1}<\/code><\/pre>\n\n\n\n<datasource jndi-name=\"java:jboss\/datasources\/blogope\" ...>\n<connection-url>...<\/connection-url>\n<driver>mysql<\/driver>\n<security>\n<user-name>blogadmin<\/user-name>\n<password>${VAULT::blog::password::1}<\/strong><\/password>\n<\/security>\n<\/datasource><\/code><\/pre>\n\n\n\n\n