Chapter 17. Encrypting Data Source Passwords
*-ds.xml
data source files. These database connection details include clear text passwords. You can increase the security of your server by replacing clear text passwords in data source files with encrypted passwords.
SecureIdentityLoginModule
is described in Section 17.1, “Secured Identity”.
JaasSecurityDomainIdentityLoginModule
is described in Section 17.1, “Secured Identity”.
17.1. Secured Identity
org.jboss.resource.security.SecureIdentityLoginModule
can be used to both encrypt database passwords and to provide a decrypted version of the password when the data source configuration is required by the server. The SecureIdentityLoginModule
uses a hard-coded password to encrypt/decrypt the data source password.
Procedure 17.1. Overview: Using SecureIdentityLoginModule to encrypt a data source password
- Encrypt the data source password.
- Create an application authentication policy with the encrypted password.
- Configure the data source to use the application authentication policy.
17.1.1. Encrypt the data source password
SecureIdentityLoginModule
main method by passing in the clear text password. The SecureIdentityLoginModule is provided by jbosssx.jar
.
Procedure 17.2. Encrypt a data source password - Platform versions 5.0 and 5.0.1
- Change directory to the
jboss-as
directory - Invoke the SecureIdentityLoginModule with the following command, supplying the clear text password as PASSWORD:Linux command
java -cp client/jboss-logging-spi.jar:common/lib/jbosssx.jar \ org.jboss.resource.security.SecureIdentityLoginModule PASSWORD
Windows command:java -cp client\jboss-logging-spi.jar;common\lib\jbosssx.jar \ org.jboss.resource.security.SecureIdentityLoginModule PASSWORD
Result:The command will return an encrypted password.
Procedure 17.3. Encrypt a data source password - Platform version 5.1 and later
- Change directory to the
jboss-as
directory - Linux command
java -cp client/jboss-logging-spi.jar:lib/jbosssx.jar \ org.jboss.resource.security.SecureIdentityLoginModule PASSWORD
Windows command:java -cp client\jboss-logging-spi.jar;lib\jbosssx.jar \ org.jboss.resource.security.SecureIdentityLoginModule PASSWORD
Result:The command will return an encrypted password.
17.1.2. Create an application authentication policy with the encrypted password
conf/login-config.xml
file, where application authentication policies are defined for that profile. To create an application authentication policy for your encrypted password, add a new <application-policy> element to the <policy> element.
login-config.xml
file showing an application authentication policy of name "EncryptDBPassword".
Example 17.1. Example application authentication policy with encrypted data source password
<policy> ... <!-- Example usage of the SecureIdentityLoginModule --> <application-policy name="EncryptDBPassword"> <authentication> <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required"> <module-option name="username">admin</module-option> <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option> <module-option name="managedConnectionFactoryName">jboss.jca:name=PostgresDS,service=LocalTxCM</module-option> </login-module> </authentication> </application-policy> </policy>
SecureIdentityLoginModule module options
- user name
- Specify the user name to use when establishing a connection to the database.
- password
- Provide the encrypted password generated in Section 17.1.1, “Encrypt the data source password”.
- managedConnectionFactoryName
- jboss.jca:name
- Nominate a Java Naming and Directory Interface (JNDI) name for this data source.
- jboss.jca:service
- Specify the transaction type
Transaction types
- NoTxCM
- No transaction support
- LocalTxCM
- Single resource transaction support
- TxCM
- Single resource or distributed transaction support
- XATxCM
- Distributed transaction support
17.1.3. Configure the data source to use the application authentication policy
*-ds.xml
file. Remove the <user-name> and <password> elements from this file, and replace them with a <security-domain> element. This element will contain the application authentication policy name specified following Section 17.1.2, “Create an application authentication policy with the encrypted password”.
Example 17.2. Example data source file using secured identity
<?xml version="1.0" encoding="UTF-8"?> <datasources> <local-tx-datasource> <jndi-name>PostgresDS</jndi-name> <connection-url>jdbc:postgresql://127.0.0.1:5432/test?protocolVersion=2</connection-url> <driver-class>org.postgresql.Driver</driver-class> <min-pool-size>1</min-pool-size> <max-pool-size>20</max-pool-size> <!-- REPLACED WITH security-domain BELOW <user-name>admin</user-name> <password>password</password> --> <security-domain>EncryptDBPassword</security-domain> <metadata> <type-mapping>PostgreSQL 8.0</type-mapping> </metadata> </local-tx-datasource> </datasources>