Red Hat SummitChapter 6. Vault For Red Hat JBoss Web Server
6.1. About password vault in Red Hat JBoss Web Server 5.5
Tomcat-vault is a PicketLink vault extension for Apache Tomcat that allows users to mask passwords and other sensitive strings, and store them in an encrypted Java keystore. Using the vault enables you to stop storing clear-text passwords in your Tomcat configuration files, because Tomcat can lookup passwords and other sensitive strings from a keystore using the vault.
For Using CRYPT with the Vault, refer Using CRYPT.
6.2. Installing the JBoss Web Server password vault from .zip archive
As tomcat password vault is pre-installed by the jws-5.5.0-application-server.zip file. The password vault can be used once configured and it is located at: JWS_HOME/tomcat/lib/tomcat-vault.jar.
6.3. Installing the JBoss Web Server password vault on Red Hat Enterprise Linux using the YUM package manager
If the JBoss Web Server has been installed from RPMs on Red Hat Enterprise Linux, you need to install the JBoss Web Server RPM for tomcat-vault.
Procedure
Install the password vault as the root user by executing:
yum install jws5-tomcat-vault
6.4. Enabling password vault in JBoss Web Server
In the following procedure, replace JWS_HOME with the path to your JBoss Web Server installation. Also, the paths below use / for directory separators.
Procedure
- Stop Tomcat if it is running.
Edit
JWS_HOME/tomcat/conf/catalina.properties, and add the following line:org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault
6.5. Creating a Java Keystore in JBoss Web Server
To use a password vault, you must first create a Java keystore.
The values in the procedure are examples only. Replace them with values specific to your environment.
For an explanation of the parameters, use the keytool -genseckey -help command.
Procedure
Create a Java keystore using the
keytool -genseckeycommand:$ keytool -genseckey -keystore JWS_HOME/tomcat/vault.keystore -alias my_vault -storetype jceks -keyalg AES -keysize 128 -storepass <vault_password> -keypass <vault_password> -validity 730
At this time, keystore type PKCS12 is not supported by tomcat-vault. Only keystore type JCEKS is supported.
Additionally, the following keystore algorithms must have the following keysize:
-
AES:
-keysize 128 -
DES:
-keysize 56 -
DESede:
-keysize 168
6.6. Initializing Password Vault
6.6.1. Initializing password vault for Apache Tomcat interactively
The values below are examples only. Replace them with values appropriate for your environment.
Procedure
Initialize password vault using the
tomcat-vault.shscript:# JWS_HOME/tomcat/bin/tomcat-vault.sh WARNING JBOSS_HOME may be pointing to a different installation - unpredictable results may occur. ========================================================================= JBoss Vault JBOSS_HOME: JWS_HOME/tomcat JAVA: java ========================================================================= ********************************** **** JBoss Vault *************** ********************************** Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit 0 Starting an interactive session Enter directory to store encrypted files: JWS_HOME/tomcat/ Enter Keystore URL: JWS_HOME/tomcat/vault.keystore Enter Keystore password: <vault_password> Enter Keystore password again: <vault_password> Values match Enter 8 character salt: 1234abcd Enter iteration count as a number (Eg: 44): 120 Enter Keystore Alias: my_vault Initializing Vault Jun 16, 2018 10:24:27 AM org.apache.tomcat.vault.security.vault.PicketBoxSecurityVault init INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready Vault Configuration in tomcat properties file: ******************************************** ... KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/ KEYSTORE_ALIAS=my_vault SALT=1234abcd ITERATION_COUNT=120 ENC_FILE_DIR=JWS_HOME/tomcat/ ... ******************************************** Vault is initialized and ready for use Handshake with Vault complete Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit 2
Note the output for the Tomcat properties file, as you will need this to configure Tomcat to use the vault.
6.6.2. Initializing the Vault for Apache Tomcat non-interactively (silent setup)
The Vault for Apache Tomcat can be created non-interactively by providing the required input as arguments to the tomcat-vault.sh script. The vault.properties file is also created as output of the tomcat-vault.sh script when the -g, --generate-config option is used.
The values below are examples only. Replace them with values appropriate for your environment.
Procedure
-
Initialize password vault using the
tomcat-vault.shscript:
$ JWS_HOME/tomcat/bin/tomcat-vault.sh \
--keystore JWS_HOME/tomcat/vault.keystore \
--keystore-password <vault_password> \
--alias my_vault \
--enc-dir JWS_HOME/tomcat/ \
--iteration 120 \
--salt 1234abcd \
--generate-config JWS_HOME/tomcat/conf/vault.properties6.7. Configuring Tomcat to use the password vault
Prerequisites
Password vault for Tomcat is initialized.
For information about initializing password vault for Tomcat, see Initializing password vault for Apache Tomcat interactively
Procedure
In
JWS_HOME/tomcat/conf/, create a file namedvault.propertiescontaining the vault configuration produced when initializing the vault.The values provided below use the example vault initialized in procedure Initializing password vault for Apache Tomcat interactively
NoteFor
KEYSTORE_PASSWORD, you must use the masked value that was generated when initializing the vault.KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/ KEYSTORE_ALIAS=my_vault SALT=1234abcd ITERATION_COUNT=120 ENC_FILE_DIR=JWS_HOME/tomcat/
6.8. External password vault configuration
The vault.properties file for the tomcat-vault can be stored outside of JWS_HOME/tomcat/conf/ in a CATALINA_BASE/conf/ directory (if set).
To set the CATALINA_BASE directory, follow the instructions in the section Advanced Configuration - Multiple Tomcat Instances in the Running The Apache Tomcat 9.0 Servlet/JSP Container document found on the Apache Tomcat Website.
The default location for CATALINA_BASE is JWS_HOME/tomcat/ also known as CATALINA_HOME.
Additional Resources
For more information on setting CATALINA_BASE, see:
6.9. Storing a Sensitive String in the Password Vault
The vault script used in the previous steps is also used to store sensitive strings in the password vault. The script can be run interactively or non-interactively.
When adding a string to a password vault, the sensitive string needs a name that it will be referred by. For a password vault, this name is called an attribute name, and the password itself is called a secured attribute.
The example below demonstrates using the vault script non-interactively to store a password. It uses the vault that was initialized in the previous steps, and stores the sensitive string P@SSW0#D with the attribute name manager_password.
$ JWS_HOME/tomcat/bin/tomcat-vault.sh --keystore JWS_HOME/tomcat/vault.keystore --keystore-password <vault_password> --alias my_vault --enc-dir JWS_HOME/tomcat --iteration 120 --salt 1234abcd --vault-block my_block --attribute manager_password --sec-attr P@SSW0#DYou can optionally specify a vault block to store the password in. If you don’t specify a block, one will be automatically created for you. In the above example, my_block is used.
6.10. Using a Stored Sensitive String in Your Tomcat Configuration
After storing a sensitive string in the password vault, you can refer to it in your configuration files by entering the stored string’s attribute as ${VAULT::block_name::attribute_name::}.
For example, to use the password stored in the previous steps, replace:
<user username="manager" password="P@SSW0#D" roles="manager-gui"/>with:
<user username="manager" password="${VAULT::my_block::manager_password::}" roles="manager-gui"/>As a result, only a reference to the password is visible in the Tomcat configuration file, and the actual password is only stored in the password vault.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}