WildFly Password Vault
Internal
Overview
The password vault is a mechanism to store locally passwords and other security-sensitive information, in an encrypted format, and decrypt them at only when they're needed, at runtime, in memory. Such information can referred from CLI commands or applications deployed in JBoss EAP.
The implementation of the JBoss password vault is based on a Java keystore. The keystore is used to store the encryption key itself, and then the secret content itself.
The rest of the article describes how to initialize, declare and deploy a vault, how to store information into the vault and how to retrieve it from the vault.
Procedures
Vault Setup
Conventionally, the keystore backing the vault is store in $JBOSS_HOME/vault, and we will use this value in this article. Since this directory will contain sensitive information it should be accessible to only limited users. At a minimum the user account under which JBoss EAP is running requires read-write access.
keytool -genseckey -alias <vault-alias> \ -storetype jceks -keyalg AES -keysize 128 \ -storepass <same-password-from-store-and-key> \ -keypass <same-password-from-store-and-key> \ -validity 730 -keystore $JBOSS_HOME/vault/vault.keystore
The alias uniquely identified the vault and it is case insensitive.
The key algorithm depends on the cryptography providers deployed with the JRE. AES is usually available.
The store password and the key password must be the same.
The keystore such created must be initialized for use as password vault using the $JBOSS_HOME/bin/vault.sh utility:
./vault.sh --keystore $JBOSS_HOME/vault/vault.keystore --keystore-password ... --alias vault --vault-block vb --attribute password --sec-attr something --enc-dir $JBOSS_HOME/vault/ --iteration 120 --salt 1234abcd ========================================================================= JBoss Vault JBOSS_HOME: /Users/ovidiu/runtime/jboss-eap-7.0.4 JAVA: /Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/bin/java ========================================================================= Mar 14, 2017 7:28:46 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init INFO: PBOX00361: Default Security Vault Implementation Initialized and Ready WFLYSEC0047: Secured attribute value has been stored in Vault. Please make note of the following: ******************************************** Vault Block:vb Attribute Name:password Configuration should be done as follows: VAULT::vb::password::1 ******************************************** WFLYSEC0048: Vault Configuration in WildFly configuration file: ******************************************** ... </extensions> <vault> <vault-option name="KEYSTORE_URL" value="/opt/jboss/vault/vault.keystore"/> <vault-option name="KEYSTORE_PASSWORD" value="MASK-8G3fOALaNoO"/> <vault-option name="KEYSTORE_ALIAS" value="vault"/> <vault-option name="SALT" value="1234abcd"/> <vault-option name="ITERATION_COUNT" value="120"/> <vault-option name="ENC_FILE_DIR" value="/opt/jboss/vault/"/> </vault><management> ... ********************************************
The output of the command contains the verbatim configuration to deploy in host.xml (in domain mode) or standalone.xml.
Storing Information into the Vault
Retrieving Information from the Vault
${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::MASKED_STRING}
Example:
${VAULT::my_vault_block::my_password::1}