7.4. Configure JBoss EAP 6 to Use the Password Vault

download PDF

Before you can mask passwords and other sensitive attributes in configuration files, you need to make JBoss EAP 6 aware of the password vault which stores and decrypts them. Follow this procedure to enable this functionality.

Procedure 7.2. Setup a Password Vault

  1. Determine the correct values for the command.

    Determine the values for the following parameters, which are determined by the commands used to create the keystore itself. For information on creating a keystore, refer the following topics: Section 7.2, “Create a Java Keystore to Store Sensitive Strings” and Section 7.3, “Mask the Keystore Password and Initialize the Password Vault”.
    Parameter Description
    The file system path or URI of the keystore file, usually called something like vault.keystore
    The password used to access the keystore. This value should be masked.
    The name of the keystore alias.
    The salt used to encrypt and decrypt keystore values.
    The number of times the encryption algorithm is run.
    The path to the directory from which the keystore commands are run. Typically the directory containing the password vault.
    host (managed domain only)
    The name of the host you are configuring
  2. Use the Management CLI to enable the password vault.

    Run one of the following commands, depending on whether you use a managed domain or standalone server configuration. Substitute the values in the command with the ones from the first step of this procedure.


    If you use Microsoft Windows Server, in the CLI command, escape each \ character in a directory path with an additional \ character. For example, C:\\data\\vault\\vault.keystore. This is because single \ character is used for character escaping.
    • Managed Domain

    • Standalone Server

    The following is an example of the command with hypothetical values:
    /core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/user/vault/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-3y28rCZlcKR"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "12438567"),("ITERATION_COUNT" => "50"), ("ENC_FILE_DIR" => "/home/user/vault/")])

JBoss EAP 6 is configured to decrypt masked strings using the password vault. To add strings to the vault and use them in your configuration, refer to the following topic: Section 7.6, “Store and Retrieve Encrypted Sensitive Strings in the Java Keystore”.

Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.