16.7.4. Configure JBoss EAP 6 to Use the Password Vault


Overview

Before you can mask passwords and other sensitive attributes in configuration files, you need to make JBoss EAP 6 aware of the password vault which stores and decrypts them. Follow this procedure to enable this functionality.

Procedure 16.7. Setup a Password Vault

  1. Determine the correct values for the command.

    Determine the values for the following parameters, which are determined by the commands used to create the keystore itself. For information on creating a keystore, refer the following topics: Section 16.7.2, “Create a Java Keystore to Store Sensitive Strings” and Section 16.7.3, “Mask the Keystore Password and Initialize the Password Vault”.
    Parameter Description
    KEYSTORE_URL
    The file system path or URI of the keystore file, usually called something like vault.keystore
    KEYSTORE_PASSWORD
    The password used to access the keystore. This value should be masked.
    KEYSTORE_ALIAS
    The name of the keystore alias.
    SALT
    The salt used to encrypt and decrypt keystore values.
    ITERATION_COUNT
    The number of times the encryption algorithm is run.
    ENC_FILE_DIR
    The path to the directory from which the keystore commands are run. Typically the directory containing the password vault.
    host (managed domain only)
    The name of the host you are configuring
  2. Use the Management CLI to enable the password vault.

    Run one of the following commands, depending on whether you use a managed domain or standalone server configuration. Substitute the values in the command with the ones from the first step of this procedure.

    Note

    If you use Microsoft Windows Server, in the CLI command, escape each \ character in a directory path with an additional \ character. For example, C:\\data\\vault\\vault.keystore. This is because single \ character is used for character escaping.
    • Managed Domain

      /host=YOUR_HOST/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" => "MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" => "SALT"),("ITERATION_COUNT" => "ITERATION_COUNT"), ("ENC_FILE_DIR" => "ENC_FILE_DIR")])
      
    • Standalone Server

      /core-service=vault:add(vault-options=[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" => "MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" => "SALT"),("ITERATION_COUNT" => "ITERATION_COUNT"), ("ENC_FILE_DIR" => "ENC_FILE_DIR")])
      
    The following is an example of the command with hypothetical values:
    /core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/user/vault/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-3y28rCZlcKR"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "12438567"),("ITERATION_COUNT" => "50"), ("ENC_FILE_DIR" => "/home/user/vault/")])
    
Result

JBoss EAP 6 is configured to decrypt masked strings using the password vault. To add strings to the vault and use them in your configuration, refer to the following topic: Section 16.7.6, “Store and Retrieve Encrypted Sensitive Strings in the Java Keystore”.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.