{"id":34841,"date":"2024-09-25T17:19:26","date_gmt":"2024-09-25T15:19:26","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=34841"},"modified":"2024-09-25T17:19:29","modified_gmt":"2024-09-25T15:19:29","slug":"jboss-eap-credential-store-vs-password-vault","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/","title":{"rendered":"JBoss EAP &#8211; Credential Store vs Password Vault"},"content":{"rendered":"\n<p>JBoss EAP configuration files are accessible and not encrypted (xml files), moreover, some sensitive strings could\/should be store there&#8230; For obvious security reasons, JBoss EAP allows the encryption of the sensitive strings outside the configurations files.<\/p>\n\n\n\n<!--more-->\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"633\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png\" alt=\"\" class=\"wp-image-34845\" srcset=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png 1024w, https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-300x185.png 300w, https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-768x475.png 768w, https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1536x949.png 1536w, https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ.png 2000w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The sensitive strings can be stored in a keystore, and subsequently decrypted for applications and systems. There is two ways to encrypt sensitive strings outside JBoss EAP configuration files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Credential Store<\/li>\n\n\n\n<li>Password Vault<\/li>\n<\/ul>\n\n\n\n<p>Please note that even with credential store or password vault, it is recommended to limit the access of configuration files (EAP_HOME\/standalone\/configuration or EAP_HOME\/domain\/configuration) to few users.<\/p>\n\n\n\n<p>Let&#8217;s understand each one first.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-credential-store\">Credential Store<\/h2>\n\n\n\n<p>The Credential Store has been introduced in <a href=\"https:\/\/docs.redhat.com\/en\/documentation\/red_hat_jboss_enterprise_application_platform\/7.1\/\" target=\"_blank\" rel=\"noreferrer noopener\">JBoss EAP 7.1<\/a> with the elytron subsystem, it can safely secure sensitive and plan text strings by encryption them in a storage file. Each JBoss EAP server can contain multiple credential stores.<\/p>\n\n\n\n<p>The default credential store implementation uses a JCEKS keystore file to store credentials. When creating a new credential store, the default implementation also allows you to reference an existing keystore file or have JBoss EAP automatically create one for you. <\/p>\n\n\n\n<p>Please note that elytron subsystem doesn&#8217;t provide any checks for using the same file storage to multiple credential stores, but it is strongly recommended not to use the same file for multiple credential stores.<\/p>\n\n\n\n<p>I will share with you in a next blog how to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a Credential Store in Standalone and domain mode<\/li>\n\n\n\n<li>Add a Credential to the Credential Store<\/li>\n\n\n\n<li>Use the stored Credential in the configuration<\/li>\n\n\n\n<li>List the Credentials in the Credentials store<\/li>\n\n\n\n<li>Remove a Credential from a Credential Store<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-password-vault\">Password Vault<\/h2>\n\n\n\n<p>The Password Vault uses the Java Keystore as its storage mechanism. Password vault consists of two parts: storage and key storage. Java keystore is used to store the key, which is used to encrypt or decrypt sensitive strings in Vault storage.<\/p>\n\n\n\n<p>I already explained what is the Password vault and how to use it with example in this <a href=\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-7-use-vault-to-protect-your-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\">blog<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-credential-store-vs-password-vault\">Credential Store vs Password Vault<\/h2>\n\n\n\n<p>Well, if you are reading this blog this means that you have probably not yet secured your sensitive strings \ud83d\ude00<\/p>\n\n\n\n<p> Please note that both methods are supported by Red Hat, however, using a Credential Store is preferred to using a Password Vault, because of the following reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Credential Store allow for easier credential management with the JBoss EAP management CLI, while you need to use an external tool with Password Vault (see <a href=\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-7-use-vault-to-protect-your-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\">blog<\/a>)<\/li>\n\n\n\n<li>Using multiple Credential Stores is allowed, while you are limited to only one Password Vault per JBoss EAP server.<\/li>\n<\/ul>\n\n\n\n<p>So, if you are about to secure your sensitive string, no doubt go with Credential Store. Otherwise, if you are already using Password Vault you have the choice to keep it or migrate your sensitive strings to Credential Store.<\/p>\n\n\n\n<p>I hope that this blog helped you to understand the difference between both, you can now make your choice.<\/p>\n\n\n\n<p>As promised, I will share more details about the Credential Store configuration, so stay connected \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>JBoss EAP configuration files are accessible and not encrypted (xml files), moreover, some sensitive strings could\/should be store there&#8230; For obvious security reasons, JBoss EAP allows the encryption of the sensitive strings outside the configurations files.<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[119,3418],"type_dbi":[],"class_list":["post-34841","post","type-post","status-publish","format-standard","hentry","category-application-integration-middleware","tag-jboss-eap","tag-vault"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>JBoss EAP - Credential Store vs Password Vault - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"JBoss EAP - Credential Store vs Password Vault\" \/>\n<meta property=\"og:description\" content=\"JBoss EAP configuration files are accessible and not encrypted (xml files), moreover, some sensitive strings could\/should be store there&#8230; For obvious security reasons, JBoss EAP allows the encryption of the sensitive strings outside the configurations files.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-25T15:19:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-25T15:19:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png\" \/>\n<meta name=\"author\" content=\"David Diab\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Diab\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/\"},\"author\":{\"name\":\"David Diab\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/deb907c3360cacdc6c7df54b4bac3c86\"},\"headline\":\"JBoss EAP &#8211; Credential Store vs Password Vault\",\"datePublished\":\"2024-09-25T15:19:26+00:00\",\"dateModified\":\"2024-09-25T15:19:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/\"},\"wordCount\":510,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png\",\"keywords\":[\"JBoss EAP\",\"vault\"],\"articleSection\":[\"Application integration &amp; Middleware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/\",\"name\":\"JBoss EAP - Credential Store vs Password Vault - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png\",\"datePublished\":\"2024-09-25T15:19:26+00:00\",\"dateModified\":\"2024-09-25T15:19:29+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/deb907c3360cacdc6c7df54b4bac3c86\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ.png\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ.png\",\"width\":2000,\"height\":1236},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"JBoss EAP &#8211; Credential Store vs Password Vault\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/deb907c3360cacdc6c7df54b4bac3c86\",\"name\":\"David Diab\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/212b1b2e4650bad3116f644ab4fb4663786d94195d7685d0704c8426da088e60?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/212b1b2e4650bad3116f644ab4fb4663786d94195d7685d0704c8426da088e60?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/212b1b2e4650bad3116f644ab4fb4663786d94195d7685d0704c8426da088e60?s=96&d=mm&r=g\",\"caption\":\"David Diab\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/david-diab\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"JBoss EAP - Credential Store vs Password Vault - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/","og_locale":"en_US","og_type":"article","og_title":"JBoss EAP - Credential Store vs Password Vault","og_description":"JBoss EAP configuration files are accessible and not encrypted (xml files), moreover, some sensitive strings could\/should be store there&#8230; For obvious security reasons, JBoss EAP allows the encryption of the sensitive strings outside the configurations files.","og_url":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/","og_site_name":"dbi Blog","article_published_time":"2024-09-25T15:19:26+00:00","article_modified_time":"2024-09-25T15:19:29+00:00","og_image":[{"url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png","type":"","width":"","height":""}],"author":"David Diab","twitter_card":"summary_large_image","twitter_misc":{"Written by":"David Diab","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/"},"author":{"name":"David Diab","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/deb907c3360cacdc6c7df54b4bac3c86"},"headline":"JBoss EAP &#8211; Credential Store vs Password Vault","datePublished":"2024-09-25T15:19:26+00:00","dateModified":"2024-09-25T15:19:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/"},"wordCount":510,"commentCount":0,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png","keywords":["JBoss EAP","vault"],"articleSection":["Application integration &amp; Middleware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/","url":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/","name":"JBoss EAP - Credential Store vs Password Vault - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ-1024x633.png","datePublished":"2024-09-25T15:19:26+00:00","dateModified":"2024-09-25T15:19:29+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/deb907c3360cacdc6c7df54b4bac3c86"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ.png","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2024\/09\/1_g12X-h7ZqMW23ajVZP6eQQ.png","width":2000,"height":1236},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/jboss-eap-credential-store-vs-password-vault\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"JBoss EAP &#8211; Credential Store vs Password Vault"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/deb907c3360cacdc6c7df54b4bac3c86","name":"David Diab","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/212b1b2e4650bad3116f644ab4fb4663786d94195d7685d0704c8426da088e60?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/212b1b2e4650bad3116f644ab4fb4663786d94195d7685d0704c8426da088e60?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/212b1b2e4650bad3116f644ab4fb4663786d94195d7685d0704c8426da088e60?s=96&d=mm&r=g","caption":"David Diab"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/david-diab\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/34841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=34841"}],"version-history":[{"count":4,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/34841\/revisions"}],"predecessor-version":[{"id":34847,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/34841\/revisions\/34847"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=34841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=34841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=34841"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=34841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}