Search

Chapter 5. Securing passwords with a keystore

download PDF

You can use a keystore to encrypt passwords that are used for communication between Business Central and Process Server. You should encrypt both controller and Process Server passwords. If Business Central and Process Server are deployed to different application servers, then both application servers should use the keystore.

Use Java Cryptography Extension KeyStore (JCEKS) for your keystore because it supports symmetric keys. Use KeyTool, which is part of the JDK installation, to create a new JCEKS.

Note

If Process Server is not configured with JCEKS, Process Server passwords are stored in system properties in plain text form.

Prerequisites

  • Process Server is installed in Red Hat JBoss Web Server.
  • Java 8 or higher is installed.

Procedure

  1. Open the JWS_HOME/tomcat/conf/tomcat-users.xml file in a text editor.
  2. Add a Process Server user with the kie-server role to the JWS_HOME/tomcat/conf/tomcat-users.xml file. In the following example, replace <USER_NAME> and <PASSWORD> with the user name and password of your choice.

    <role rolename="kie-server"/>
    <user username="<USER_NAME>" password="<PASSWORD>" roles="kie-server"/>
  3. To use KeyTool to create a JCEKS, enter the following command in the Java 8 home directory:

    $<JAVA_HOME>/bin/keytool -importpassword -keystore <KEYSTORE_PATH> -keypass <ALIAS_KEY_PASSWORD> -alias <PASSWORD_ALIAS> -storepass <KEYSTORE_PASSWORD> -storetype JCEKS

    In this example, replace the following variables:

    • <KEYSTORE_PATH>: The path where the keystore will be stored
    • <KEYSTORE_PASSWORD>: The keystore password
    • <ALIAS_KEY_PASSWORD>: The password used to access values stored with the alias
    • <PASSWORD_ALIAS>: The alias of the entry to the process
  4. When prompted, enter the password for the Process Server user that you created.
  5. To set the system properties, complete one of these steps in the JWS_HOME/tomcat/bin directory and replace the variables as described in the following table:

    Note

    If Business Central or the standalone controller are installed in separate instances from Red Hat JBoss Web Server, do not add the kie.keystore.key.server.alias and kie.keystore.key.server.pwd properties to CATALINA_OPTS.

    • On Linux or UNIX, create the setenv.sh file with the following content:

      set CATALINA_OPTS="
      -Dkie.keystore.keyStoreURL=<KEYSTORE_URL>
      -Dkie.keystore.keyStorePwd=<KEYSTORE_PWD>
      -Dkie.keystore.key.server.alias=<KEY_SERVER_ALIAS>
      -Dkie.keystore.key.server.pwd=<KEY_SERVER_PWD>
      -Dkie.keystore.key.ctrl.alias=<KEY_CONTROL_ALIAS>
      -Dkie.keystore.key.ctrl.key.ctrl.pwd=<KEY_CONTROL_PWD>
    • On Windows, add the following content to the setenv.bat file:

      set CATALINA_OPTS="
      -Dkie.keystore.keyStoreURL=<KEYSTORE_URL>
      -Dkie.keystore.keyStorePwd=<KEYSTORE_PWD>
      -Dkie.keystore.key.server.alias=<KEY_SERVER_ALIAS>
      -Dkie.keystore.key.server.pwd=<KEY_SERVER_PWD>
      -Dkie.keystore.key.ctrl.alias=<KEY_CONTROL_ALIAS>
      -Dkie.keystore.key.ctrl.pwd=<KEY_CONTROL_PWD>
    Table 5.1. System properties used to load a Process Server JCEKS
    System propertyPlaceholderDescription

    kie.keystore.keyStoreURL

    <KEYSTORE_URL>

    URL for the JCEKS that you want to use, for example file:///home/kie/keystores/keystore.jceks

    kie.keystore.keyStorePwd

    <KEYSTORE_PWD>

    Password for the JCEKS

    kie.keystore.key.server.alias

    <KEY_SERVER_ALIAS>

    Alias of the key for REST services where the password is stored

    kie.keystore.key.server.pwd

    <KEY_SERVER_PWD>

    Password of the alias for REST services with the stored password

    kie.keystore.key.ctrl.alias

    <KEY_CONTROL_ALIAS>

    Alias of the key for default REST Process Automation Controller where the password is stored

    kie.keystore.key.ctrl.pwd

    <KEY_CONTROL_PWD>

    Password of the alias for default REST Process Automation Controller with the stored password

  6. Start Process Server to verify the configuration.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.