Chapter 15. Securing passwords with a keystore

You can use a keystore to encrypt passwords that are used for communication between Business Central and KIE Server. You should encrypt both controller and KIE Server passwords. If Business Central and KIE Server are deployed to different application servers, then both application servers should use the keystore.

Use Java Cryptography Extension KeyStore (JCEKS) for your keystore because it supports symmetric keys. Use KeyTool, which is part of the JDK installation, to create a new JCEKS.

Note

If KIE Server is not configured with JCEKS, KIE Server passwords are stored in system properties in plain text form.

Prerequisites

KIE Server is installed in Red Hat JBoss EAP.
Java 8 or higher is installed.

Procedure

In the Red Hat JBoss EAP home directory, enter the following command to create a KIE Server user with the kie-server role and specify a password. In the following example, replace <USERNAME> and <PASSWORD> with the user name and password of your choice.

$<EAP_HOME>./bin/jboss-cli.sh --commands="embed-server --std-out=echo,/subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=<USERNAME>),/subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=<USERNAME>, clear={password='<PASSWORD>'}),/subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=<USERNAME>, name=role, value=['kie-server'])"

$<EAP_HOME>./bin/jboss-cli.sh --commands="embed-server --std-out=echo,/subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity(identity=<USERNAME>),/subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=<USERNAME>, clear={password='<PASSWORD>'}),/subsystem=elytron/filesystem-realm=ApplicationRealm:add-identity-attribute(identity=<USERNAME>, name=role, value=['kie-server'])"

Copy to Clipboard

Toggle word wrap

To use KeyTool to create a JCEKS, enter the following command in the Java 8 home directory:
```
$<JAVA_HOME>/bin/keytool -importpassword -keystore <KEYSTORE_PATH> -keypass <ALIAS_KEY_PASSWORD> -alias <PASSWORD_ALIAS> -storepass <KEYSTORE_PASSWORD> -storetype JCEKS
```
```
$<JAVA_HOME>/bin/keytool -importpassword -keystore <KEYSTORE_PATH> -keypass <ALIAS_KEY_PASSWORD> -alias <PASSWORD_ALIAS> -storepass <KEYSTORE_PASSWORD> -storetype JCEKS
```
Copy to Clipboard Toggle word wrap
In this example, replace the following variables:
- <KEYSTORE_PATH>: The path where the keystore will be stored
- <KEYSTORE_PASSWORD>: The keystore password
- <ALIAS_KEY_PASSWORD>: The password used to access values stored with the alias
- <PASSWORD_ALIAS>: The alias of the entry to the process
When prompted, enter the password for the KIE Server user that you created.

Set the following system properties in the EAP_HOME/standalone/configuration/standalone-full.xml file and replace the placeholders as listed in the following table:

    <system-properties>
        <property name="kie.keystore.keyStoreURL" value="<KEYSTORE_URL>"/>
        <property name="kie.keystore.keyStorePwd" value="<KEYSTORE_PWD>"/>
        <property name="kie.keystore.key.server.alias" value="<KEY_SERVER_ALIAS>"/>
        <property name="kie.keystore.key.server.pwd" value="<KEY_SERVER_PWD>"/>
        <property name="kie.keystore.key.ctrl.alias" value="<KEY_CONTROL_ALIAS>"/>
        <property name="kie.keystore.key.ctrl.pwd" value="<KEY_CONTROL_PWD>"/>
    </system-properties>

    <system-properties>
        <property name="kie.keystore.keyStoreURL" value="<KEYSTORE_URL>"/>
        <property name="kie.keystore.keyStorePwd" value="<KEYSTORE_PWD>"/>
        <property name="kie.keystore.key.server.alias" value="<KEY_SERVER_ALIAS>"/>
        <property name="kie.keystore.key.server.pwd" value="<KEY_SERVER_PWD>"/>
        <property name="kie.keystore.key.ctrl.alias" value="<KEY_CONTROL_ALIAS>"/>
        <property name="kie.keystore.key.ctrl.pwd" value="<KEY_CONTROL_PWD>"/>
    </system-properties>

Copy to Clipboard

Toggle word wrap

Expand

Table 15.1. System properties used to load a KIE Server JCEKS
System property	Placeholder	Description
`kie.keystore.keyStoreURL`	`<KEYSTORE_URL>`	URL for the JCEKS that you want to use, for example `file:///home/kie/keystores/keystore.jceks`
`kie.keystore.keyStorePwd`	`<KEYSTORE_PWD>`	Password for the JCEKS
`kie.keystore.key.server.alias`	`<KEY_SERVER_ALIAS>`	Alias of the key for REST services where the password is stored
`kie.keystore.key.server.pwd`	`<KEY_SERVER_PWD>`	Password of the alias for REST services with the stored password
`kie.keystore.key.ctrl.alias`	`<KEY_CONTROL_ALIAS>`	Alias of the key for default REST Process Automation Controller where the password is stored
`kie.keystore.key.ctrl.pwd`	`<KEY_CONTROL_PWD>`	Password of the alias for default REST Process Automation Controller with the stored password

Start KIE Server to verify the configuration.

Volver arriba

Este contenido no está disponible en el idioma seleccionado.

Chapter 15. Securing passwords with a keystore

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Hacer que el código abierto sea más inclusivo

Acerca de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links