Configuration of JBoss EAP and associated applications requires potentially sensitive information, such as usernames and passwords. Instead of storing this sensitive information as plain text in configuration files, use the Password Vault feature to mask this information and store it in an encrypted keystore.
Instead of storing the password as plain text in configuration files, you can use the Password Vault feature to mask the password information and store it in an encrypted keystore. Once the password is stored, you can include references in Management CLI commands or your own applications. The Password Vault uses the Java Keystore as its storage mechanism. Password Vault consists of two parts: storage and key storage. Java Keystore is used to store the key, which is used to encrypt or decrypt sensitive strings in Vault storage.
JBoss documentation: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html/Security_Guide/chap-Secure_Passwords_and_Other_Sensitive_Strings_with_Password_Vault.html
JBoss provides a tool for creating and maintaining the secret vault. The tool is shipped together with the JBoss application server and can be found in the JBoss bin directory: <JBoss home>/bin/vault.sh
We should clearly understand, that the eventual level of security provided by JBoss vault is absolutely the same as in case of plain text passwords. First we will consider why (because it may be not obvious). Then we will see why in spite of this there are some benefits.
The base of the secret vault is a standard java kestore. So first we have to create a keystore that we will use later to initialize the secret vault.
Warning
You must generate the keystore using the keytool utility from the same vendor as the JDK you use to run JBoss as Java keystore implementations might differ.
The secret vault implementation in JBoss EAP 6.4 supports just the jceks key type and the 128 bit key length. If you use a different type or longer key, the secret vault initialization will fail. Lets create the new keystore inside JBoss home directory. The alias can be any string but you have to provide it for the secret vault management.
/usr/lib/jvm/jdk1.8.0_45/bin/keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass 123456 -keypass 123456 -validity 730 -keystore /home/jboss/runable/jboss/EAP-6.4.0/vault/vault.keystore
Once the keystore is created we can list the content of it with the keytool --list command. It is important to provide the type here, otherwise the keytool will be unable to read the keystore file.
$ /usr/lib/jvm/jdk1.8.0_45/bin/keytool --list -storetype jceks -keystore /home/adam/runable/jboss/EAP-6.4.0_second/vault/vault.keystore Enter keystore password: Keystore type: JCEKS Keystore provider: SunJCE Your keystore contains 1 entry vault, Oct 27, 2016, SecretKeyEntry, As we can see, the keystore contains only one entry with the alias we provided when we created the store.
We have to cd the jboss bin directory and run the vault.sh tool. This tool has an interactive command line and can be run non-interactively. If we start it without any parameter it will start in interactive mode, which is required for initializing the secret vault.
After starting the vault.sh tool, you have to press 0, for starting the console. Then you have to provide the following information:
$ cd /home/adam/runable/jboss/EAP-6.4.0_second/bin $ ./vault.sh ========================================================================= JBoss Vault JBOSS_HOME: /home/adam/runable/jboss/EAP-6.4.0_second JAVA: /usr/lib/jvm/jdk1.8.0_45//bin/java ========================================================================= ********************************** **** JBoss Vault *************** ********************************** Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit 0 Starting an interactive session Enter directory to store encrypted files:/home/adam/runable/jboss/EAP-6.4.0_second/vault/ Enter Keystore URL:/home/adam/runable/jboss/EAP-6.4.0_second/vault/vault.keystore Enter Keystore password: 123456 Enter Keystore password again: 123456 Values match Enter 8 character salt:12345678 Enter iteration count as a number (Eg: 44):44 Enter Keystore Alias:vault Initializing Vault Oct 27, 2016 3:21:11 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready Vault Configuration in configuration file: ******************************************** ... </extensions> <vault> <vault-option name="KEYSTORE_URL" value="/home/adam/runable/jboss/EAP-6.4.0_second/vault/vault.keystore"/> <vault-option name="KEYSTORE_PASSWORD" value="MASK-1l/Uou6siko"/> <vault-option name="KEYSTORE_ALIAS" value="vault"/> <vault-option name="SALT" value="12345678"/> <vault-option name="ITERATION_COUNT" value="44"/> <vault-option name="ENC_FILE_DIR" value="/home/adam/runable/jboss/EAP-6.4.0_second/vault/"/> </vault><management> ... ******************************************** Vault is initialized and ready for use Handshake with Vault complete
At the and, the console will print the required configuration section that we have to insert in the domain.xml.
Note
The keystore password is masked, but the password can be easily retrieved if we learn the method how it was created.
Open the domain.xml and insert the <vault>...</vault> section after the system properties but before the management section. If there are no system properties just insert it between the extension and the management section.
<server xmlns="urn:jboss:domain:1.7"> <extensions> ..... </extensions> <system-properties> .... </system-properties> <vault> .... </vault> <management> .....
Restart jboss. Now the secret vault is ready to use.
We will use the non interactive mode of the vault.sh tool to insert sensitive data into the secret vault. The following properties has to be provided:
In the following example we will insert "password12345" sensitive string into the secret vault. The name of the key is going to be "tibco_password". That is the key that will replace the original password in the config file.
$ ./vault.sh --keystore /home/adam/runable/jboss/EAP-6.4.0_second/vault/vault.keystore --keystore-password 123456 --alias vault --vault-block myprojectVaultBlock --attribute tibco_password --sec-attr password12345 --enc-dir /home/adam/runable/jboss/EAP-6.4.0_second/vault/ --iteration 44 --salt 12345678 ======================================https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html/Security_Guide/Store_and_Retrieve_Encrypted_Sensitive_Strings_in_the_Java_Keystore.html=================================== JBoss Vault JBOSS_HOME: /home/adam/runable/jboss/EAP-6.4.0_second JAVA: /usr/lib/jvm/jdk1.8.0_45//bin/java ========================================================================= Oct 28, 2016 1:30:30 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready Secured attribute value has been stored in vault. Please make note of the following: ******************************************** Vault Block:myprojectVaultBlock Attribute Name:tibco_password Configuration should be done as follows: VAULT::myprojectVaultBlock::tibco_password::1 ********************************************
The replacement string will be printed out on the screen: VAULT::myprojectVaultBlock::tibco_password::1
It contains three sections separated with "::". It starts with the VAULT keyword to tell to JBoss that this this key has to be resolved from the secret vault. The second part is the name of the vault-block, and the last part is the key itself.
Almost every subsystem supports the usage of secret vault. You just have to replace the original string with the new replacement string provided by the vault.sh tool surrounded by ${...}. According to the example above the configuration section of the tibco external-context would be the following:
<subsystem xmlns="urn:jboss:domain:naming:1.4"> <bindings> <external-context name="java:global/remoteTibcoContext/" module="org.jboss.genericjms.provider" class="javax.naming.InitialContext"> <environment> ..... <property name="java.naming.security.credentials" value="${VAULT::myprojectVaultBlock::tibco_password::1}"/> </environment> </external-context> </bindings> <remote-naming/> </subsystem>
In the java code the secret vault can be accesses with the help of the org.jboss.security.vault.SecurityVaultUtil class. It can be found in the jboss-security-spi.jar. We can get it with the following Maven dependency:
<dependency> <groupId>org.picketbox</groupId> <artifactId>jboss-security-spi</artifactId> <version>4.9.7.Final</version> </dependency>
In the java code the secret data can be resolved in the following way:
import org.jboss.security.vault.SecurityVaultUtil; .... String pwd = ""; try { pwd = SecurityVaultUtil.getValueAsString("VAULT::myprojectVaultBlock::tibco_password::1"); } catch (SecurityVaultException e) { }