WildFly Password Vault: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 69: Line 69:
********************************************
********************************************
</pre>
</pre>
The output of the command contains the verbatim configuration to deploy in host.xml (in domain mode) or standalone.xml.


==Storing Information into the Vault==
==Storing Information into the Vault==


==Retrieving Information from the Vault==
==Retrieving Information from the Vault==

Revision as of 00:06, 15 March 2017

Internal

Overview

The password vault is a mechanism to store locally passwords and other security-sensitive information, in an encrypted format, and decrypt them at only when they're needed, at runtime, in memory. Such information can referred from CLI commands or applications deployed in JBoss EAP.

The implementation of the JBoss password vault is based on a Java keystore. The keystore is used to store the encryption key itself, and then the secret content itself.

The rest of the article describes how to initialize, declare and deploy a vault, how to store information into the vault and how to retrieve it from the vault.

Procedures

Vault Setup

Conventionally, the keystore backing the vault is store in $JBOSS_HOME/vault, and we will use this value in this article. Since this directory will contain sensitive information it should be accessible to only limited users. At a minimum the user account under which JBoss EAP is running requires read-write access.

keytool -genseckey -alias <vault-alias> \
-storetype jceks -keyalg AES -keysize 128 \
-storepass <same-password-from-store-and-key> \
-keypass <same-password-from-store-and-key> \
-validity 730 -keystore $JBOSS_HOME/vault/vault.keystore

The alias uniquely identified the vault and it is case insensitive.

The key algorithm depends on the cryptography providers deployed with the JRE. AES is usually available.

The store password and the key password must be the same.

The keystore such created must be initialized for use as password vault using the $JBOSS_HOME/bin/vault.sh utility:

./vault.sh --keystore $JBOSS_HOME/vault/vault.keystore  --keystore-password ... --alias vault --vault-block vb --attribute password --sec-attr something --enc-dir $JBOSS_HOME/vault/ --iteration 120 --salt 1234abcd
=========================================================================

  JBoss Vault

  JBOSS_HOME: /Users/ovidiu/runtime/jboss-eap-7.0.4

  JAVA: /Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/bin/java

=========================================================================

Mar 14, 2017 7:28:46 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX00361: Default Security Vault Implementation Initialized and Ready
WFLYSEC0047: Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:vb
Attribute Name:password
Configuration should be done as follows:
VAULT::vb::password::1
********************************************
WFLYSEC0048: Vault Configuration in WildFly configuration file:
********************************************
...
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="/opt/jboss/vault/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-8G3fOALaNoO"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="1234abcd"/>
  <vault-option name="ITERATION_COUNT" value="120"/>
  <vault-option name="ENC_FILE_DIR" value="/opt/jboss/vault/"/>
</vault><management> ...
********************************************

The output of the command contains the verbatim configuration to deploy in host.xml (in domain mode) or standalone.xml.

Storing Information into the Vault

Retrieving Information from the Vault