Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

17.2. Configured Identity with Password Based Encryption (PBE)

The org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule is a login module for statically defining a data source using a password that has been encrypted by a JaasSecurityDomain. The base64 format of the data source password may be generated using PBEUtils:

Procedure 17.4. Encrypt password with PBEUtils - Platforms version 5.0 and 5.0.1

This procedure encrypts a password on JBoss Enterprise Application Platform versions 5.0 and 5.0.1.
  • Execute the command: 
    java -cp jboss-as/common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils \
  salt count domain-password data-source-password
    Copy to Clipboard Toggle word wrap
    Result:

    The encrypted password is displayed

Procedure 17.5. Encrypt password with PBEUtils - Platform version 5.1

This procedure encrypts a password on JBoss Enterprise Application Platform versions 5.1 and later.
  • Execute the command: 
    java -cp jboss-as/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils \
 salt count domain-password data-source-password
    Copy to Clipboard Toggle word wrap
    Result:

    The encrypted password is displayed

The parameters for the PBEUtils are:
salt
The Salt attribute from the JaasSecurityDomain (Must only be eight characters long).
count
The IterationCount attribute from the JaasSecurity domain.
domain-password
The plain text password that maps to the KeyStorePass attribute from the JaasSecurityDomain.
data-source-password
The plain text password for the data source that should be encrypted with the JaasSecurityDomain password.
Example 17.3, “PBEUtils command example” provides an example of the command with its output.

Example 17.3. PBEUtils command example

 java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 13 master password
 Encoded password: 3zbEkBDfpQAASa3H39pIyP
Copy to Clipboard Toggle word wrap
Add the following application policy to the $JBOSS_HOME/server/$PROFILE/conf/login-config.xml file. 
<application-policy name="EncryptedHsqlDbRealm">
   <authentication>
      <login-module code= "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"
         flag = "required">
         <module-option name="username">sa</module-option>
         <module-option name="password">E5gtGMKcXPP</module-option>
         <module-option name="managedConnectionFactoryName">
            jboss.jca:service=LocalTxCM,name=DefaultDS
         </module-option>
         <module-option name="jaasSecurityDomain">
            jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword
         </module-option>
      </login-module>
   </authentication>
</application-policy>
Copy to Clipboard Toggle word wrap
The $JBOSS_HOME/docs/examples/jca/hsqldb-encrypted-ds.xml illustrates that data source configuration along with the JaasSecurityDomain configuration for the keystore:
Example 17.4, “FilePassword command example” provides an example of the command with its output.

Example 17.4. FilePassword command example

The following example refers to the file .../conf/server.password. You first need to run the following command, which will store the encryption details and obfuscated master password: 
java -cp jboss-as/lib/jbosssx.jar org.jboss.security.plugins.FilePassword salt count master_password password_file
          
For example: java -cp jboss-as/lib/jbosssx.jar org.jboss.security.plugins.FilePassword abcdefgh 13 master jboss-as/server/$PROFILE/conf/server.password
Copy to Clipboard Toggle word wrap 
<?xml version="1.0" encoding="UTF-8"?>

<!-- The Hypersonic embedded database JCA connection factory config
that illustrates the use of the JaasSecurityDomainIdentityLoginModule
to use encrypted password in the data source configuration. 

$Id: hsqldb-encrypted-ds.xml,v 1.1.2.1 2004/06/04 02:20:52 starksm Exp $ -->


<datasources>
   ...


   <application-policy name="EncryptedHsqlDbRealm">
      <authentication>
         <login-module code="org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"
            flag = "required">
            <module-option name="username">sa</module-option>
            <module-option name="password">E5gtGMKcXPP</module-option>
            <module-option name="managedConnectionFactoryName">
              jboss.jca:service=LocalTxCM,name=DefaultDS
            </module-option>
            <module-option name="jaasSecurityDomain">
              jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword
            </module-option>
         </login-module>
      </authentication>
   </application-policy>

   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=JaasSecurityDomain, domain=ServerMasterPassword">
      <constructor>
         <arg type="java.lang.String" value="ServerMasterPassword"></arg>
      </constructor>
      <!-- The opaque master password file used to decrypt the encrypted
      database password key -->
      <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
      <attribute name="Salt">abcdefgh</attribute>
      <attribute name="IterationCount">13</attribute>
   </mbean>

   <!-- This mbean can be used when using in process persistent db -->
   <mbean code="org.jboss.jdbc.HypersonicDatabase"
      name="jboss:service=Hypersonic,database=localDB">
      <attribute name="Database">localDB</attribute>
      <attribute name="InProcessMode">true</attribute>
   </mbean>

   ...

</datasources>
Copy to Clipboard Toggle word wrap

Warning

Remember to use the same Salt and IterationCount in the MBean that was used during the password generation step.

Note

When starting a service that depends on an encrypted data source, the error java.security.InvalidAlgorithmParameterException: Parameters missing is raised when the following MBean is not yet started as a service: 
(jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword)
Copy to Clipboard Toggle word wrap
Include the following element so that the MBean starts before the data source, as per the example hsqldb-encrypted-ds.xml code shown previously. 
<depends>jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</depends>
Copy to Clipboard Toggle word wrap
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat