16.7.5. Configure JBoss EAP 6 to Use a Custom Implementation of the Password Vault
Summary
You can use your own implementation of SecurityVault to mask passwords and other sensitive attributes in configuration files.
Procedure 16.8. Use a Custom Implementation of the Password Vault
- Create a class that implements the interface SecurityVault.
- Create a module containing the class from the previous step, and specify a dependency on org.picketbox where the interface is SecurityVault.
- Enable the custom Password Vault in the JBoss EAP server configuration by adding the vault element with the following attributes:
  - code
    The fully qualified name of the class that implements SecurityVault.
  - module
    The name of the module that contains the custom class.
  Optionally, you can use vault-options parameters to initialize the custom class for a Password Vault. For example:
  /core-service=vault:add(code="custom.vault.implementation.CustomSecurityVault", module="custom.vault.module", vault-options=[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" => "MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" => "SALT"), ("ITERATION_COUNT" => "ITERATION_COUNT"), ("ENC_FILE_DIR" => "ENC_FILE_DIR")])
Result
JBoss EAP 6 is configured to decrypt masked strings using a custom implementation of the password vault.
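The class from the first step of the procedure could look like the following. This is an added example, not code from the JBoss EAP documentation or from PicketBox: a read-only vault that resolves each vault block and attribute name to a file under a directory provisioned out of band and readable only by the server's operating system user. It assumes Java 7 or later, the method signatures of org.jboss.security.vault.SecurityVault as shipped in PicketBox 4.x (check them against the picketbox JAR in your installation), and a hypothetical vault option named SECRETS_DIR.

```java
package custom.vault.implementation;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import org.jboss.security.vault.SecurityVault;
import org.jboss.security.vault.SecurityVaultException;

// Added example: read-only vault that maps block/attribute to the file <SECRETS_DIR>/block/attribute.
public class CustomSecurityVault implements SecurityVault {
    private Path dir; // canonical secrets directory, null until init() succeeds
    public void init(Map<String, Object> options) throws SecurityVaultException {
        Object d = options.get("SECRETS_DIR"); // hypothetical vault-option name (assumption)
        if (d == null) throw new SecurityVaultException("SECRETS_DIR vault option is required");
        try { dir = Paths.get(d.toString()).toRealPath(); } // fails if the directory is missing
        catch (IOException e) { throw new SecurityVaultException(e); }
    }
    public boolean isInitialized() { return dir != null; }
    public byte[] handshake(Map<String, Object> options) { return new byte[0]; } // no shared key used
    public Set<String> keyList() throws SecurityVaultException {
        Set<String> keys = new TreeSet<String>();
        try (DirectoryStream<Path> blocks = Files.newDirectoryStream(dir)) {
            for (Path b : blocks) {
                if (!Files.isDirectory(b)) continue;
                try (DirectoryStream<Path> attrs = Files.newDirectoryStream(b)) {
                    for (Path a : attrs) keys.add(b.getFileName() + "::" + a.getFileName());
                }
            }
        } catch (IOException e) { throw new SecurityVaultException(e); }
        return keys;
    }
    public boolean exists(String block, String attr) throws SecurityVaultException {
        return Files.isRegularFile(resolve(block, attr));
    }
    public char[] retrieve(String block, String attr, byte[] sharedKey) throws SecurityVaultException {
        try { // trim() drops the trailing newline that editors append to the secret file
            byte[] raw = Files.readAllBytes(resolve(block, attr));
            return new String(raw, StandardCharsets.UTF_8).trim().toCharArray();
        } catch (IOException e) { throw new SecurityVaultException(e); }
    }
    public void store(String block, String attr, char[] value, byte[] testKey) throws SecurityVaultException {
        throw new SecurityVaultException("read-only vault: provision secrets out of band");
    }
    public boolean remove(String block, String attr, byte[] sharedKey) throws SecurityVaultException {
        throw new SecurityVaultException("read-only vault: provision secrets out of band");
    }
    private Path resolve(String block, String attr) throws SecurityVaultException {
        Path p = dir.resolve(block).resolve(attr).normalize(); // reject names containing ".." or separators
        if (!p.startsWith(dir)) throw new SecurityVaultException("name escapes the secrets directory");
        return p;
    }
}
```

With this class, the vault-options list in the vault:add command would carry SECRETS_DIR instead of the keystore options shown above.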