Chapter 8. Using a Password Vault with Red Hat JBoss Web Server 5.0
8.1. Using a Password Vault with Red Hat JBoss Web Server 5.0
A password vault is used to mask passwords and other sensitive strings, and store them in an encrypted Java keystore. This allows you to eliminate storing clear-text passwords in your Tomcat configuration files, as Tomcat can lookup passwords and other sensitive strings from a keystore using the vault.
Installing the JBoss Web Server password vault from .zip archive
The tomcat password vault is pre-installed by the jws-application-server-5.0.0.zip
file. The password vault can be used once configured and is located at: JWS_HOME/tomcat/lib/tomcat-vault.jar
.
Installing the JBoss Web Server password vault on Red Hat Enterprise Linux using the YUM package manager
Where the JBoss Web Server has been installed from RPMs on Red Hat Enterprise Linux, install the password vault as the root user by executing:
yum install jws5-tomcat-vault
The examples and commands below use JWS_HOME
as the JBoss Web Server installation directory. Replace JWS_HOME
with the path to your JBoss Web Server installation. Also, the paths below use /
for directory separators.
8.1.1. Enabling the Password Vault
- Stop Tomcat if it is running.
-
Edit
JWS_HOME/tomcat/conf/catalina.properties
, and add the following line:
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault
8.1.2. Creating a Java Keystore
To use a password vault, you must first create a Java keystore. You can do this using the keytool -genseckey
command. For example:
$ keytool -genseckey -keystore JWS_HOME/tomcat/vault.keystore -alias my_vault -storetype jceks -keyalg AES -keysize 128 -storepass <vault_password> -keypass <vault_password> -validity 730
The values above are examples only. Replace them with values specific to your environment.
For an explanation of the parameters, use the keytool -genseckey -help
command.
8.1.3. Storing the tomcat-vault vault.properties
file outside of the JWS_HOME directory
The vault.properties
file for the tomcat-vault
can be stored outside of JWS_HOME/tomcat/conf/
in a CATALINA_BASE/conf/
directory (if set).
To set the CATALINA_BASE directory, follow the instructions in the section 'Advanced Configuration - Multiple Tomcat Instances' in the Running The Apache Tomcat 9.0 Servlet/JSP Container document found on the Apache Tomcat Website.
The default location for CATALINA_BASE is JWS_HOME/tomcat/
also known as CATALINA_HOME.
For more information on setting CATALINA_BASE, see:
8.1.4. Initializing the Password Vault
The vault must be initialized before it can be used to store sensitive strings. This is done using the JWS_HOME/tomcat/bin/tomcat-vault.sh
vault script. For Microsoft Windows, the script is tomcat-vault.bat
.
The script can be run interactively or non-interactively. Below is an example of an interactive execution of the script to initialize a password vault, with the values shown below using the example keystore from the previous step.
8.1.4.1. Initializing the Vault for Apache Tomcat interactively
The values below are examples only. Replace them with values appropriate for your environment.
# JWS_HOME/tomcat/bin/tomcat-vault.sh WARNING JBOSS_HOME may be pointing to a different installation - unpredictable results may occur. ========================================================================= JBoss Vault JBOSS_HOME: JWS_HOME/tomcat JAVA: java ========================================================================= ********************************** **** JBoss Vault *************** ********************************** Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit 0 Starting an interactive session Enter directory to store encrypted files: JWS_HOME/tomcat/ Enter Keystore URL: JWS_HOME/tomcat/vault.keystore Enter Keystore password: <vault_password> Enter Keystore password again: <vault_password> Values match Enter 8 character salt: 1234abcd Enter iteration count as a number (Eg: 44): 120 Enter Keystore Alias: my_vault Initializing Vault Jun 16, 2018 10:24:27 AM org.apache.tomcat.vault.security.vault.PicketBoxSecurityVault init INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready Vault Configuration in tomcat properties file: ******************************************** ... KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/ KEYSTORE_ALIAS=my_vault SALT=1234abcd ITERATION_COUNT=120 ENC_FILE_DIR=JWS_HOME/tomcat/ ... ******************************************** Vault is initialized and ready for use Handshake with Vault complete Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit 2
Note the output for the Tomcat properties file, as you will need this to configure Tomcat to use the vault.
Configuring Tomcat to Use the Password Vault
In JWS_HOME/tomcat/conf/
, create a file named vault.properties
containing the vault configuration produced when initializing the vault. The values provided below use the example vault initialized in the previous steps.
For KEYSTORE_PASSWORD
, you must use the masked value that was generated when initializing the vault.
KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/ KEYSTORE_ALIAS=my_vault SALT=1234abcd ITERATION_COUNT=120 ENC_FILE_DIR=JWS_HOME/tomcat/
8.1.4.2. Initializing the Vault for Apache Tomcat non-interactively (silent setup)
The Vault for Apache Tomcat can be created non-interactively by providing the required input as arguments to the tomcat-vault.sh
script. The vault.properties
file is also created as output of the tomcat-vault.sh
script when the -g, --generate-config
option is used.
The values below are examples only. Replace them with values appropriate for your environment.
$ JWS_HOME/tomcat/bin/tomcat-vault.sh \ --keystore JWS_HOME/tomcat/vault.keystore \ --keystore-password <vault_password> \ --alias my_vault \ --enc-dir JWS_HOME/tomcat/ \ --iteration 120 \ --salt 1234abcd \ --generate-config JWS_HOME/tomcat/conf/vault.properties
8.1.5. Storing a Sensitive String in the Password Vault
The vault script used in the previous steps is also used to store sensitive strings in the password vault. The script can be run interactively or non-interactively.
When adding a string to a password vault, the sensitive string needs a name that it will be referred by. For a password vault, this name is called an attribute name
, and the password itself is called a secured attribute
.
The example below demonstrates using the vault script non-interactively to store a password. It uses the vault that was initialized in the previous steps, and stores the sensitive string P@SSW0#D
with the attribute name manager_password
.
$ JWS_HOME/tomcat/bin/tomcat-vault.sh --keystore JWS_HOME/tomcat/vault.keystore --keystore-password <vault_password> --alias my_vault --enc-dir JWS_HOME/tomcat/ --iteration 120 --salt 1234abcd --vault-block my_block --attribute manager_password --sec-attr P@SSW0#D
You can optionally specify a vault block to store the password in. If you don’t specify a block, one will be automatically created for you. In the above example, my_block is used.
8.1.6. Using a Stored Sensitive String in Your Tomcat Configuration
After storing a sensitive string in the password vault, you can refer to it in your configuration files by entering the stored string’s attribute as ${VAULT::block_name::attribute_name::}
.
For example, to use the password stored in the previous steps, replace:
<user username="manager" password="P@SSW0#D" roles="manager-gui"/>
with:
<user username="manager" password="${VAULT::my_block::manager_password::}" roles="manager-gui"/>
As a result, only a reference to the password is visible in the Tomcat configuration file, and the actual password is only stored in the password vault.