Red Hat JBoss Enterprise Application Platform (JBoss EAP) simplifies the server configuration by consolidating all subsystems configuration into a single standalone.xml or domain.xml file.
These files expose sensitive information to any user that has access to the configuration files.
For example, the data source credentials are stored by default in plain text in the XML file.
In JBoss EAP there are two different mechanisms to securely store sensitive information:
The elytron security subsystem credential-store resource.
The legacy security subsystem vault.
Refer to the references section to learn more about elytron credential stores.
The JBoss EAP vault encrypts sensitive strings, stores them in an encrypted keystore, and decrypts them for applications and verification systems.
To avoid leaving sensitive credentials readable in the standalone.xml or domain.xml files, you can store passwords or other attributes in the vault, and then reference the vault from within the server configuration files.
Using a vault creates a level of abstraction and obfuscates data which could otherwise be read by anyone who has access to the configuration files.
The process for storing a password into the vault is accomplished by using the following steps:
Create a keystore.
Initialize the JBoss EAP vault with the keystore.
Store the sensitive information in the vault.
Update the server configuration to include the vault information.
Reference the stored attribute in the server configuration file.
The JBoss EAP vault utilizes a certificate stored in the keystore as the encryption key for the vault as a whole. To initialize the JBoss EAP vault, you must first create the Java keystore. The following syntax creates a private key and a certificate and stores them in a keystore:
keytool -genseckey -alias <alias> \
  -keyalg <algorithm> -storetype <type> -keysize <size> \
  -keystore <filepath>
alias: The alias is a unique identifier for the vault or other data stored in the keystore.
keyalg: The algorithm to use for encryption.
storetype: The keystore type.
keysize: The size of the encryption key, which determines the difficulty of brute-forcing the key.
keystore: The file path and file name in which the keystore's values are stored.
[student@workstation ~]$ keytool -genseckey -alias vault \
  -keyalg AES -storetype jceks -keysize 128 \
  -keystore /home/student/vault.keystore
After running the command, you are prompted for a keystore password.
The command creates the keystore file at /home/student/vault.keystore.
The Java keystore implementation can be different between JDK vendors.
Java keystores generated by using a specific JDK could fail to load in a different JDK implementation.
Always use the same JDK vendor for the keytool command.
JBoss EAP provides a vault tool located in the $JBOSS_HOME/bin/vault.sh script.
This script enables you to initialize the vault and manage it.
You can initialize the JBoss EAP vault interactively, by providing each parameter one at a time, or by providing all of the parameters initially.
The following is an example of the syntax used to initialize the vault:
vault.sh --keystore KEYSTORE_URL --keystore-password KEYSTORE_PASSWORD \
  --alias KEYSTORE_ALIAS --vault-block VAULT_BLOCK --attribute ATTRIBUTE \
  --sec-attr SEC-ATTR --enc-dir ENC_FILE_DIR --iteration ITERATION_COUNT \
  --salt SALT
The following parameters are required to initialize the vault:
KEYSTORE_URL: The path to the previously created keystore file.
KEYSTORE_PASSWORD: The keystore password that was set when the keystore was created.
SALT: A random string of eight characters used to encrypt the attribute stored in the vault.
KEYSTORE_ALIAS: The alias that identifies the certificate stored in the keystore.
ITERATION_COUNT: The number of times encryption is run.
ENC_FILE_DIR: The path where the encrypted files are stored.
VAULT_BLOCK: The name to be given to the block in the vault.
ATTRIBUTE: The name of the attribute to store. For example, "password" as an attribute name when storing a password value.
SEC-ATTR: The value being stored.
The following is an example with the parameters populated:
[student@workstation ~]$ vault.sh --keystore /home/student/vault.keystore \
  --keystore-password password --alias vault --vault-block bookstore \
  --attribute password --sec-attr redhat --enc-dir /home/student/ \
  --iteration 50 --salt 12345678
After initializing the vault, the tool creates a VAULT.dat file, which is the unified storage for the secured data.
In a JBoss EAP managed domain you must copy the VAULT.dat file to all the secondary host controllers in the domain.
After running the vault.sh command, an XML definition of the vault is displayed, which needs to be added to the server configuration files.
The following is an example of the XML that you must add to either the standalone.xml or host.xml configuration file directly before the <management> section:
<vault>
  <vault-option name="KEYSTORE_URL" value="/home/student/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-31x/z0Xn83H4JaL0h5eK/N"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="12345678"/>
  <vault-option name="ITERATION_COUNT" value="50"/>
  <vault-option name="ENC_FILE_DIR" value="/home/student/"/>
</vault>
The final step is to replace the sensitive data with a reference to the attribute in the vault.
The vault.sh command provides the exact syntax necessary to reference the secured attribute after all of the parameters are provided.
Using the previous example, the vault command generated the following:
VAULT::bookstore::password::1
In order to use this reference, use the following syntax within the server configuration:
${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::1}
The following can replace the previous password in the server configuration for the bookstore data source password:
${VAULT::bookstore::password::1}
After replacing the password for the data source, the server configuration for the data source is similar to the following:
<datasource jndi-name="java:jboss/datasources/nookdyotr" ...>
  <connection-url>...</connection-url>
  <driver>mysql</driver>
  <security>
    <user-name>bkadmin</user-name>
    <password>${VAULT::bookstore::password::1}</password>
  </security>
</datasource>
For more general information about secure stores for credentials, refer to the Secure storage for credentials chapter in the How to Configure Server Security guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_configure_server_security/index#con-secure-storage-for-credentials_default
For more information about storing credentials with Elytron, refer to the Credential stores in Elytron section in the How to Configure Server Security guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_configure_server_security/index#assembly-credential-stores-in-elytron_default
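A quick audit of the two leftovers the procedure above is meant to remove: a <password> element that still holds plaintext instead of a ${VAULT::VAULT_BLOCK::ATTRIBUTE::1} reference, and a <vault> section that is missing one of the six options or carries the keystore password unmasked (vault.sh emits it as a MASK- value). This is an added example, not code from the course or from JBoss EAP; the check function names and the abridged sample fragments are constructed for illustration.

```shell
# Added audit (not from the course or the JBoss EAP docs) for a standalone.xml,
# host.xml or domain.xml: a <password> still holding plaintext instead of a
# ${VAULT::BLOCK::ATTR::1} reference, and a <vault> section missing one of the
# six options or with an unmasked KEYSTORE_PASSWORD (vault.sh prints MASK-...).

# Prints every <password> line that is not a vault reference; returns 0 if none.
check_vault_references() {
    offending=$(grep -n '<password>' "$1" \
        | grep -Ev '<password>[$][{]VAULT::[^:]+::[^:]+::[0-9]+[}]</password>' || true)
    [ -z "$offending" ] && return 0
    printf '%s\n' "$offending"
    return 1
}

# Prints each missing <vault-option> and flags an unmasked keystore password;
# returns 0 only when the <vault> section is complete and masked.
check_vault_section() {
    status=0
    for name in KEYSTORE_URL KEYSTORE_PASSWORD KEYSTORE_ALIAS SALT ITERATION_COUNT ENC_FILE_DIR; do
        grep -q "<vault-option name=\"$name\"" "$1" \
            || { echo "missing vault-option: $name"; status=1; }
    done
    grep -q '<vault-option name="KEYSTORE_PASSWORD" value="MASK-' "$1" \
        || { echo "KEYSTORE_PASSWORD is not a MASK- value"; status=1; }
    return $status
}

# Constructed, abridged configuration fragments used as sample input.
SAMPLE_OK=$(mktemp); SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
<vault>
  <vault-option name="KEYSTORE_URL" value="/home/student/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-31x/z0Xn83H4JaL0h5eK/N"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="12345678"/>
  <vault-option name="ITERATION_COUNT" value="50"/>
  <vault-option name="ENC_FILE_DIR" value="/home/student/"/>
</vault>
<password>${VAULT::bookstore::password::1}</password>
EOF
cat > "$SAMPLE_BAD" <<'EOF'
<vault>
  <vault-option name="KEYSTORE_PASSWORD" value="password"/>
</vault>
<password>redhat</password>
EOF
check_vault_references "$SAMPLE_OK" && check_vault_section "$SAMPLE_OK" && echo "vaulted sample: OK"
check_vault_references "$SAMPLE_BAD" || echo "plaintext sample: password still in clear"
check_vault_section "$SAMPLE_BAD" || echo "plaintext sample: vault section incomplete"
```

Run it against a real configuration by calling both functions with the file path; a non-zero return from either is the signal to revisit the corresponding step of the procedure.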