AD248 - ch09s08

Preface A: Introduction

Section A.1: Red Hat JBoss Enterprise Application Platform Administration I

Section A.2: Orientation to the Classroom Environment

Chapter 1: Red Hat JBoss Enterprise Application Platform: Architecture and Features

Section 1.1: Exploring the Architecture of JBoss EAP

Section 1.2: Quiz: Use Cases for Standalone Server versus Managed Domain

Section 1.3: Installing JBoss EAP

Section 1.4: Guided Exercise: Installing JBoss EAP

Section 1.5: Interpreting Extensions, Subsystems, and Profiles

Section 1.6: Quiz: Profile Selection

Section 1.7: Managing JBoss EAP

Section 1.8: Guided Exercise: JBoss EAP Management Console

Section 1.9: Lab: Red Hat JBoss Enterprise Application Platform: Architecture and Features

Section 1.10: Summary

Chapter 2: Configuring JBoss EAP as a Standalone Server

Section 2.1: Running JBoss EAP Standalone Server

Section 2.2: Guided Exercise: Creating a Standalone Server

Section 2.3: Configuring JBoss EAP as a Standalone Server

Section 2.4: Quiz: Configuring Profiles

Section 2.5: Configuring Interfaces and Socket Binding Groups

Section 2.6: Quiz: Configuring Interfaces and Socket Binding Groups

Section 2.7: Lab: Configuring JBoss EAP in Standalone Mode

Section 2.8: Summary

Chapter 3: Scripting Configuration and Deploying Applications

Section 3.1: Configuring JBoss EAP by Using the Management Command Line Interface

Section 3.2: Guided Exercise: Exploring the Management CLI Tool

Section 3.3: Deploying Applications to a Standalone Server

Section 3.4: Guided Exercise: Deploying Applications with Management Tools

Section 3.5: Lab: Scripting Configuration and Deploying Applications

Section 3.6: Summary

Chapter 4: Configuring JBoss EAP as a Managed Domain

Section 4.1: Running JBoss EAP as a Managed Domain

Section 4.2: Quiz: Managed Domains

Section 4.3: Assigning a Domain Controller

Section 4.4: Guided Exercise: Assigning a Domain Controller

Section 4.5: Configuring a Host Controller

Section 4.6: Guided Exercise: Configuring Host Controllers

Section 4.7: Configuring a Domain Controller

Section 4.8: Quiz: Configuring a Domain Controller

Section 4.9: Lab: Configuring JBoss EAP as a Managed Domain

Section 4.10: Summary

Chapter 5: Configuring Servers in a Managed Domain

Section 5.1: Managed Domain Server Architecture

Section 5.2: Quiz: Hosts and Servers

Section 5.3: Configuring Server Groups

Section 5.4: Guided Exercise: Configuring Server Groups

Section 5.5: Configuring Servers

Section 5.6: Guided Exercise: Configuring Servers

Section 5.7: Deploying Applications on a Managed Domain

Section 5.8: Guided Exercise: Deployment on a Managed Domain

Section 5.9: Lab: Configuring Servers in a Managed Domain

Section 5.10: Summary

Chapter 6: Configuring Data Sources

Section 6.1: Exploring the Data Source Subsystem

Section 6.2: Quiz: Data Sources

Section 6.3: Configuring JDBC Drivers

Section 6.4: Guided Exercise: Configuring JDBC Drivers

Section 6.5: Configuring Datasources

Section 6.6: Guided Exercise: Configuring a Data Source

Section 6.7: Configuring an XA Data Source

Section 6.8: Guided Exercise: Configuring an XA Datasource

Section 6.9: Lab: Configuring Data Sources

Section 6.10: Summary

Chapter 7: Configuring the Logging Subsystem

Section 7.1: Configuring Logging Handlers

Section 7.2: Guided Exercise: Configuring Logging Handlers

Section 7.3: Configuring Loggers

Section 7.4: Guided Exercise: Controlling Logging Levels

Section 7.5: Lab: Configuring the Logging Subsystem

Section 7.6: Summary

Chapter 8: Configuring the Messaging Subsystem

Section 8.1: Exploring the Messaging Subsystem

Section 8.2: Quiz: The Messaging Subsystem

Section 8.3: Configuring Messaging Resources

Section 8.4: Guided Exercise: Configuring Messaging Resources

Section 8.5: Configure Journals and Other Settings

Section 8.6: Guided Exercise: Configuring the Journals and Other Settings

Section 8.7: Lab: Configuring the Messaging Subsystem

Section 8.8: Summary

Chapter 9: Securing JBoss EAP

Section 9.1: Configuring a Database Security Domain

Section 9.2: Guided Exercise: Securing an Application

Section 9.3: Configuring an LDAP Security Domain

Section 9.4: Guided Exercise: Configuring the LDAP Login Module

Section 9.5: Securing a JMS Destination

Section 9.6: Quiz: Securing a JMS Destination

Section 9.7: Configuring the Password Vault

SectionSection 9.8: Guided Exercise: Encrypting a Password

Section 9.9: Lab: Securing JBoss EAP

Section 9.10: Summary

Chapter 10: Configuring the Java Virtual Machine

Section 10.1: Configuring the JVM in a Standalone Server

Section 10.2: Quiz: Configuring the JVM in a Standalone Server

Section 10.3: Configuring the JVM in a Managed Domain

Section 10.4: Guided Exercise: Configuring Java Virtual Machines

Section 10.5: Lab: Configuring the Java Virtual Machine

Section 10.6: Summary

Chapter 11: Configuring the Web Subsystem

Section 11.1: Exploring the Features of the Web Subsystem

Section 11.2: Quiz: Features of Web Subsystem

Section 11.3: Configuring the Web Subsystem

Section 11.4: Guided Exercise: Securing HTTP Connections

Section 11.5: Lab: Configuring the Web Subsystem

Section 11.6: Summary

Chapter 12: Deploying Clustered Applications

Section 12.1: Exploring Clustered Applications

Section 12.2: Quiz: Exploring Clustered Applications

Section 12.3: Configuring Subsystems that Support Clustered Applications

Section 12.4: Guided Exercise: Configuring JGroups for a Clustered Web Application

Section 12.5: Configuring Load Balancer

Section 12.6: Guided Exercise: Configuring Load Balancing

Section 12.7: Deploying HA Singleton Applications

Section 12.8: Quiz: Deploying an HA Singleton Applications

Section 12.9: Lab: Deploying Clustered Applications

Section 12.10: Summary

Chapter 13: Comprehensive Review

Section 13.1: Comprehensive Review

Section 13.2: Lab: Comprehensive Review of Red Hat JBoss Application Administration I

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12 13

Guided Exercise: Encrypting a Password

Secure the bookstore MariaDB datasource by storing the password in a vault file.

Resources
Files:	`/home/student/AD248/labs/security-vault/`

Outcomes

You should be able to keep the MariaDB bksecurity database password encrypted and protected in a vault file.

Before beginning the guided exercise, run the following command to prepare the environment, and to download the lab files:

[student@workstation ~]$ lab start security-vault

Instructions

Create a keystore to store the database password.
1. Open a new terminal window and run the following commands to create a /home/student/vault.keystore file. When prompted, use password for both the keystore and certificate passwords:
```
[student@workstation ~]$ keytool -genseckey -alias vault \
-keyalg AES -storetype jceks -keysize 128 \
-keystore /home/student/vault.keystore
Enter keystore password:
Re-enter new password:
Enter key password for <vault>
	(RETURN if same as keystore password):

Warning:
The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /home/student/vault.keystore -destkeystore /home/student/vault.keystore -deststoretype pkcs12".
```
  Note
  You can safely ignore the warning about the JCEKS format. Refer to the Should the password Vault keystore format be migrated from JCEKS to PKCS12 ? Red Hat Knowledge Base article at https://access.redhat.com/solutions/3388801.
  Notice that the alias value is vault. This alias refers to a keystore entry where the password is stored.
2. Verify that you now have a file named vault.keystore in the /home/student directory.
```
[student@workstation ~]$ ls | grep vault
vault.keystore
```

Run the vault tool to encrypt the database password.

Enter the following command to run the vault tool:
```
[student@workstation ~]$ cd /opt/jboss-eap-7.4/bin
[student@workstation bin]$ ./vault.sh
```
At the first prompt, enter 0 to select Start Interactive Session.
When prompted for the directory to store encrypted files, enter /home/student/. Note that the trailing slash is required.
The Keystore URL is the path to the vault.keystore file you created in the previous step. Enter:
```
/home/student/vault.keystore
```
For the remaining prompts, use the following values:
- Password: password
- 8 character salt: 12345678
- Iteration count: 50
- Keystore Alias: vault

Make a note of the management CLI command to add the vault to the JBoss EAP configuration in standalone mode.

********************************************
...output omitted...
For standalone mode:
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/student/vault.keystore"),("KEYSTORE_PASSWORD" => "MASK-31x/z0Xn83H4JaL0h5eK/N"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),("ITERATION_COUNT" => "50"),("ENC_FILE_DIR" => "/home/student/")])
********************************************
For domain mode:
/host=the_host/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/student/vault.keystore"),("KEYSTORE_PASSWORD" => "MASK-31x/z0Xn83H4JaL0h5eK/N"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),("ITERATION_COUNT" => "50"),("ENC_FILE_DIR" => "/home/student/")])
********************************************
WFLYSEC0057: Vault is initialized and ready for use
WFLYSEC0058: Handshake with Vault complete
Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit

The vault tool has now connected to your vault. Enter 0 to store a secured attribute.

At the Please enter secured attribute value prompt, enter redhat123 as the password to connect to the MariaDB database running on your machine. Enter redhat123 twice to verify.
At the prompt to enter a Vault Block, enter bkadmin.
At the Enter Attribute Name prompt, enter password.

Make a note of the resulting information, as prompted:

WFLYSEC0047: Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:bkadmin
Attribute Name:password
Configuration should be done as follows:
VAULT::bkadmin::password::1
********************************************

The password for the MariaDB database is now in the VAULT.dat file. The data in that file is encrypted with the keys present in the vault.keystore file. Enter 3 to exit the vault tool.

Configure the vault by using the management CLI.

Run the following commands to start the CLI:

[student@workstation ~]$ /opt/jboss-eap-7.4/bin/jboss-cli.sh \
-Djboss.server.base.dir=/home/student/AD248/labs/security-vault/standalone/

Start the embedded server.

[disconnected /] embed-server

Note

You can safely ignore the following output:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss-eap-7.4/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.4.11.CP/org/wildfly/extension/elytron/main/wildfly-elytron-integration-15.0.26.Final-redhat-00001.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Refer to https://access.redhat.com/solutions/4996491.

Add the vault by using the following command returned in previous step:

[standalone@embedded /] /core-service=vault:add(vault-options=\
[("KEYSTORE_URL" => "/home/student/vault.keystore"),\
("KEYSTORE_PASSWORD" => "MASK-31x/z0Xn83H4JaL0h5eK/N"),\
("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),\
("ITERATION_COUNT" => "50"),("ENC_FILE_DIR" => "/home/student/")])
{"outcome" => "success"}

Exit from the embedded server by typing exit.

Start the standalone instance. Within the first few lines of the log output, you should see log events showing a security vault successfully initialized and ready.

[student@workstation ~]$ cd /opt/jboss-eap-7.4/bin
[student@workstation bin]$ ./standalone.sh \
-Djboss.server.base.dir=/home/student/AD248/labs/security-vault/standalone/

Within the first few lines of the log output, you should see log events showing a security vault successfully initialized and ready:

06:30:14,185 INFO  [org.jboss.security] (Controller Boot Thread) PBOX00361: Default Security Vault Implementation Initialized and Ready

Configure the data source.
1. Navigate to the Configuration page of the management console at http://localhost:9990. Use admin as the username, and redhat123 as the password.
2. Click Subsystems and then click Datasources & Drivers to access the data sources subsystem.
3. In the Datasources & Drivers column, click Datasources.
4. In the Datasource column, click bksecurity data source.
  Then, click the arrow next to View and select Disable to disable the bksecurity data source.
  Figure 9.2: Option to disable data sources
  If a data source is currently in use, then you cannot modify the security settings.
  Reload the server by clicking Reload Required in the management console upper right bar, and click View to navigate to the bksecurity data source management page.
5. Select the Security tab, and then click Edit.
6. In the User Name text field, enter bkadmin.
7. Within a ${} notation, copy and paste the configuration entry displayed at the end of the vault tool script. The Password field should appear as follows:
```
${VAULT::bkadmin::password::1}
```
8. Click Save to save your changes.
9. Click Back, and enable again the bksecurity data source.
  Reload the server by clicking Reload Required in the management console upper right bar.

Verify that the data source is working.

Open the /home/student/AD248/labs/security-vault/standalone/configuration/standalone.xml file, and verify that the <password> entry for the bksecurity data source is enclosed in ${} and contains the text you provided.

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:16.0">
...output omitted...
  <profile>
...output omitted...
  <subsystem xmlns="urn:jboss:domain:datasources:6.0">
    <datasources>
...output omitted...
       <datasource jndi-name="java:/jboss/datasources/bksecurity-ds" pool-name="bksecurity" enabled="true">
        <connection-url>jdbc:mariadb://localhost:3306/bksecurity</connection-url>
        <driver>mariadb</driver>
        <security>
           <user-name>bkadmin</user-name>
           <password>${VAULT::bkadmin::password::1}</password>
        </security>
    </datasource>
...output omitted...

Back to the management console. In the Datasource column, click the arrow next to View and select Test Connection to verify that the bksecurity data source is working.

Figure 9.3: Option to test connection

Stop the running instance of JBoss EAP.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish security-vault

Discuss Red Hat JBoss Enterprise Application Platform Administration I

Go to community

Welcome to the Red Hat JBoss Application Administration 1 (AD248) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat JBoss Application Administration I! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to AD248.Read more about Red Hat JBoss Application Administration I here.

270

Revision: ad248-7.4-18a9db2