Chapter 18. Encrypting the Keystore Password in a Tomcat Connector
server.xml
file.
Procedure 18.1. Encrypt Tomcat Container Keystore Password
Append connector element
Add a connector element inserver.xml
in$JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar
<!-- SSL/TLS Connector with encrypted keystore password configuration --> <Connector port="8443" address="${jboss.bind.address}" maxThreads="100" minSpareThreads="5" maxSpareThreads="15" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" securityDomain="java:/jaas/encrypt-keystore-password" SSLImplementation="org.jboss.net.ssl.JBossImplementation" > </Connector>
.Configure JaasSecurityDomain MBean
Set the JaasSecurityDomain MBean in a$JBOSS_HOME/server/$PROFILE/deploy/security-service.xml
file.If the file does not exist, you must create it. The code sample describes the content required when the file does not exist. If you already have asecurity-service.xml
, append the <mbean> element block to the file.<server> <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=PBESecurityDomain"> <constructor> <arg type="java.lang.String" value="encrypt-keystore-password"></arg> </constructor> <attribute name="KeyStoreURL">resource:localhost.keystore</attribute> <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute> <attribute name="Salt">welcometojboss</attribute> <attribute name="IterationCount">13</attribute> </mbean> </server>
The Salt and IterationCount are the variables that define the strength of your encrypted password, so you can vary it from what is shown. Ensure you record the new values, and use when generating the encrypted password.Note
The Salt must be at least eight characters long.Generate encrypted password
The <mbean> configuration specifies that the keystore is stored in thejboss-as/server/$PROFILE/conf/localhost.keystore
file. The <mbean> also specifies the encrypted password file is stored injboss-as/server/$PROFILE/conf/keystore.password
file.You must create thelocalhost.keystore
file.Execute the following command in thejboss-as/server/$PROFILE/conf
directory.[conf]$ java -cp $JBOSS_HOME/lib/jbosssx.jar \org.jboss.security.plugins.FilePassword welcometojboss 13 unit-tests-server keystore.password
This command uses jbosssx.jar as the classpath (-cp
) and the FilePassword security plugin to create akeystore.password
file with the password set asunit-tests-server
. To verify you have permission to create akeystore.password
file, you supply the salt and iteration parameters configured in the <mbean> <attribute> elements of the JaasSecurityDomain.You execute this command in the/conf
directory so thekeystore.password
file is saved to this directory.Update the Tomcat service MBean
Navigate to$JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF
.Openjboss-service.xml
and append the following <depends> tag toward the end of the file. Adding the <depends> tag specifies that Tomcat must start afterjboss.security:service=PBESecurityDomain
.<depends>jboss.security:service=PBESecurityDomain</depends> </mbean> </server>
Example 18.1. JaasSecurityDomain definition for pkcs12 keystores
<mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=PBESecurityDomain"> <constructor> <arg type="java.lang.String" value="encrypt-keystore-password"></arg> </constructor> <attribute name="KeyStoreType">pkcs12</attribute> <attribute name="KeyStoreURL">resource:localhost.keystore</attribute> <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute> <attribute name="Salt">welcometojboss</attribute> <attribute name="IterationCount">13</attribute> </mbean>
18.1. Medium Security Usecase
server.xml
) or wants to make use of a predefined JaasSecurityDomain.
Procedure 18.2. Predefined JaasSecurityDomain
Update jboss-service.xml to add a connector
Navigate to$JBOSS_HOME/server/
, and add the following code block to the$PROFILE
/deploy/jbossweb.sar/META-INFjboss-service.xml
file.<mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain"> <constructor> <arg type="java.lang.String" value="jbosstest-ssl"></arg> </constructor> <attribute name="KeyStoreURL">resource:localhost.keystore</attribute> <attribute name="KeyStorePass">unit-tests-server</attribute> </mbean>
Add a <depends> tag to the Tomcat service
Navigate to$JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar
.Openserver.xml
and append the following <depends> element toward the end of the file:<depends>jboss.security:service=SecurityDomain</depends> </mbean> </server>
Define the JaasSecurityDomain MBean in a *-service.xml file
security-service.xml
in the deploy directory, for example.<mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain"> <constructor> <arg type="java.lang.String" value="jbosstest-ssl"></arg> </constructor> <attribute name="KeyStoreURL">resource:localhost.keystore</attribute> <attribute name="KeyStorePass">unit-tests-server</attribute> </mbean>
Note