
Sunday 11 April 2021

Encrypting Datasource Passwords using Vault in JBOSS EAP 6 / EAP 7 (standalone.xml)

Environment: Windows (O.S) & JBoss EAP 6.2 / 7

Note: Back up the JBoss bin and configuration directories before you start.

1. Create a Keystore.

"C:\Program Files\Java\jdk1.6.0_45\bin\keytool" -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore "E:\JBOSS Software\jboss-eap-6.2\bin\vault\vault.keystore"


2. Initialize the Password Vault.

"E:\JBOSS Software\jboss-eap-6.2\bin\vault.bat" --keystore "E:\JBOSS Software\jboss-eap-6.2\bin\vault\vault.keystore" --keystore-password vault22 --alias vault --vault-block vb --attribute dspassword --sec-attr Secret_Password --enc-dir "E:\JBOSS Software\jboss-eap-6.2\bin\vault" --iteration 120 --salt 1234abcd


The following parameters are required:

o Keystore URL (--keystore) : The file system path or URI of the keystore file. The examples in this post use E:\JBOSS Software\jboss-eap-6.2\bin\vault\vault.keystore.

o Keystore password (--keystore-password) : The password used to access the keystore.

o Salt (--salt) : The salt value is a random string of eight characters used, together with the iteration count, to encrypt the content of the keystore.

o Keystore Alias (--alias) : The alias by which the keystore is known.

o Iteration Count (--iteration) : The number of times the encryption algorithm is run.

o Directory to store encrypted files (--enc-dir) : The path in which the encrypted files are to be stored. This is typically the directory containing the password vault. It is convenient but not mandatory to store all of your encrypted information in the same place as the keystore. This directory should be accessible only to a limited set of users; at a minimum, the user account under which JBoss EAP is running requires read-write access. The keystore should be located in the directory used for Step 1. Note that the trailing backslash or forward slash on the directory name is required. Ensure the correct file path separator is used: / (forward slash) for Red Hat Enterprise Linux and similar operating systems, \ (backslash) for Microsoft Windows Server.

o Vault Block (--vault-block) : The name to be given to this block in the password vault.

o Attribute (--attribute) : The name to be given to the attribute being stored.

o Security Attribute (--sec-attr) : The actual value that is being secured in the vault, in this case, the password.



3. Open the standalone.xml file and add the <vault> block that vault.bat prints on the command prompt.

The following parameters also need to be added to standalone.xml:

****************************************************************

        <extension module="org.jboss.as.pojo"/>

        <extension module="org.jboss.as.remoting"/>

        <extension module="org.jboss.as.sar"/>

        <extension module="org.jboss.as.weld"/>

    </extensions>


    <system-properties>

        <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value="DONTKNOW"/>

        <property name="org.jboss.as.sendServerHeader" value="false"/>

        <property name="DATA_SOURCE" value="java:orads"/>

        <property name="DATE_FORMAT" value="dd/mm/yyyy"/>

        <property name="JNDI_XPLUS_EC" value="xplus_ec"/>

        <property name="JNDI_LOOKUPS" value="lookups"/>

        <property name="JNDI_ADMINISTRATION" value="administration"/>

        <property name="application.home.dir" value="E:/JBOSS Software/jboss-eap-6.2/standalone/deployments/calendar.ear"/>

        <property name="org.apache.tomcat.util.http.Parameters.MAX_COUNT" value="10000"/>

        <property name="org.apache.tomcat.util.http.Parameters.COMPRESSION" value="on"/>

        <property name="org.apache.tomcat.util.http.Parameters.COMPRESSION_MIME_TYPES" value="text/javascript,text/css,text/html,application/xml,application/json"/>

    </system-properties>


    <paths>

        <path name="application.home.dir" path="E:/JBOSS SOFTWARE/jboss-eap-6.2/standalone/deployments/calendar.ear"/>

    </paths>

    <!-- the vault block below is copied from the vault.bat output on the command prompt -->

    <vault>

        <vault-option name="KEYSTORE_URL" value="E:\JBOSS Software\jboss-eap-6.2\bin\vault\vault.keystore"/>

        <vault-option name="KEYSTORE_PASSWORD" value="MASK-5dOaAVafCSd"/>

        <vault-option name="KEYSTORE_ALIAS" value="vault"/>

        <vault-option name="SALT" value="1234abcd"/>

        <vault-option name="ITERATION_COUNT" value="120"/>

        <vault-option name="ENC_FILE_DIR" value="E:\JBOSS Software\jboss-eap-6.2\bin\vault\"/>

    </vault>


<!-- format to store the password in encrypted form inside the datasource <security> element:
     ${VAULT::vb::dspassword::1} is the password reference (vault block vb, attribute dspassword),
     resolved by the vault at startup; the plaintext never appears in standalone.xml -->

<user-name>Datasource_username</user-name>

<password>${VAULT::vb::dspassword::1}</password>

<!-- note the ${ ... } wrapping around the VAULT reference; without it the literal text is used as the password -->

****************************************************************


4. Restart the JBoss server JVM.
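Once the vault is configured, a quick way to confirm that no datasource in standalone.xml still carries a plaintext password, and that the <vault> block has the six options described in step 2, is to parse the file and check each value. The script below is an added example written for this post; it is not part of JBoss EAP or the vault tooling. The standalone.xml it audits is a constructed sample (the second datasource, "java:/ReportDS", is deliberately left with a plaintext password so the check has something to report); the function and variable names are this example's own.

```python
"""Audit a JBoss EAP standalone.xml for plaintext datasource passwords and
for a complete, sane <vault> block.

Added example for this post, not part of JBoss EAP or vault.bat. The
sample XML below is constructed; the namespace URIs mirror EAP 6, but the
checks ignore namespaces and work on EAP 7 files as well.
"""
import re
import xml.etree.ElementTree as ET

# Shape of a vault reference: ${VAULT::<block>::<attribute>::<shared-key>}
VAULT_REF = re.compile(r"^\$\{VAULT::([^:]+)::([^:]+)::([^}]+)\}$")

REQUIRED_VAULT_OPTIONS = (
    "KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
    "SALT", "ITERATION_COUNT", "ENC_FILE_DIR",
)

# Constructed sample: one datasource already uses the vault, one does not.
SAMPLE_STANDALONE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:1.5">
  <vault>
    <vault-option name="KEYSTORE_URL" value="E:\\JBOSS Software\\jboss-eap-6.2\\bin\\vault\\vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-5dOaAVafCSd"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="1234abcd"/>
    <vault-option name="ITERATION_COUNT" value="120"/>
    <vault-option name="ENC_FILE_DIR" value="E:\\JBOSS Software\\jboss-eap-6.2\\bin\\vault\\"/>
  </vault>
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:1.1">
      <datasources>
        <datasource jndi-name="java:orads" pool-name="OraDS">
          <security>
            <user-name>Datasource_username</user-name>
            <password>${VAULT::vb::dspassword::1}</password>
          </security>
        </datasource>
        <datasource jndi-name="java:/ReportDS" pool-name="ReportDS">
          <security>
            <user-name>report</user-name>
            <password>Secret_Password</password>
          </security>
        </datasource>
      </datasources>
    </subsystem>
  </profile>
</server>
"""


def _local(tag):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def vault_options(root):
    """Return the <vault-option> name/value pairs as a dict."""
    return {el.get("name"): el.get("value")
            for el in root.iter() if _local(el.tag) == "vault-option"}


def datasource_passwords(root):
    """Yield (jndi-name, password text) for every datasource <password>."""
    for ds in root.iter():
        if _local(ds.tag) not in ("datasource", "xa-datasource"):
            continue
        for el in ds.iter():
            if _local(el.tag) == "password":
                yield ds.get("jndi-name"), (el.text or "").strip()


def audit(xml_text, known_attrs=None):
    """Return a list of findings; an empty list means the file passes.

    known_attrs: optional set of (block, attribute) pairs that were actually
    stored with vault.bat, so dangling references are reported too.
    """
    root = ET.fromstring(xml_text)
    findings = []
    opts = vault_options(root)
    if not opts:
        findings.append("no <vault> block configured")
    else:
        for name in REQUIRED_VAULT_OPTIONS:
            if name not in opts:
                findings.append(f"vault option {name} missing")
        # vault.bat prints the keystore password masked as MASK-...; a raw
        # value here means the plaintext keystore password is on disk.
        if not opts.get("KEYSTORE_PASSWORD", "").startswith("MASK-"):
            findings.append("KEYSTORE_PASSWORD is not masked (expected MASK-... from vault.bat)")
        if len(opts.get("SALT", "")) != 8:
            findings.append("SALT must be exactly eight characters")
        if not opts.get("ITERATION_COUNT", "").isdigit():
            findings.append("ITERATION_COUNT must be an integer")
        if not opts.get("ENC_FILE_DIR", "").endswith(("\\", "/")):
            findings.append("ENC_FILE_DIR must end with a path separator")
    for jndi, pw in datasource_passwords(root):
        m = VAULT_REF.match(pw)
        if not m:
            findings.append(f"datasource {jndi}: password is not a vault reference")
        elif known_attrs is not None and (m.group(1), m.group(2)) not in known_attrs:
            findings.append(f"datasource {jndi}: references unknown vault attribute "
                            f"{m.group(1)}::{m.group(2)}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_STANDALONE_XML, known_attrs={("vb", "dspassword")}):
        print("FINDING:", line)
```

Run it against a real file with `audit(open(path, encoding="utf-8").read())`; passing the (block, attribute) pairs you created with vault.bat as `known_attrs` also catches references to attributes that were never stored, which otherwise only show up as a failed datasource connection after the restart in step 4.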


