16.2. Generate a key store and a masked password
Password masking uses a public/private key pair to encrypt passwords. You need to generate a key pair for use in password masking. By default JBoss Enterprise Application Platform 5 expects a key pair with the alias
jboss in a key store at jboss-as/bin/password/password.keystore.
The following procedures follow this default configuration. If you wish to change the key store location or key alias you will need to change the default configuration, and should refer to Section 16.6, “Changing the password masking defaults” for instructions.
Procedure 16.2. Generate a key pair and key store for password masking
- At the command line, change directory to the
jboss-as/bin/passworddirectory. - Use
keytoolto generate the key pair with the following command:keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore password.keystoreImportant:You must specify the same password for the key store and key pair
- Optional:
Make the resulting password.keystore readable by the JBoss Application Server process owner only.
On Unix-based systems this is accomplished by using thechowncommand to change ownership to the JBoss Application Server process owner, andchmod 600 password.keystoreto make the file readable only by the owner.This step is recommended to increase the security of your server.Note: the JBoss Application Server process owner should not have interactive console login access. In that case you will be performing these operations as another user. Creating masked passwords requires read access to the key store, so you may wish to complete configuration of masked passwords before restricting the key store file permissions.
For more on key stores and the
keytool command, refer to Section 15.1, “SSL Encryption overview”.
