Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 18. Encrypting the Keystore Password in a Tomcat Connector

JBoss Web is based on Apache Tomcat.
SSL with Tomcat requires a secure connector. This means that the keystore/truststore password cannot be passed as an attribute in the connector element of Tomcat's server.xml file.
A working understanding of the JaasSecurityDomain that supports keystores, truststores, and password based encryption is advised.
Refer to Chapter 13, Secure Remote Password Protocol and Chapter 17, Encrypting Data Source Passwords for supporting information and related procedures.

Procedure 18.1. Encrypt Tomcat Container Keystore Password

  1. Append connector element

    Add a connector element in server.xml in $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar 
      
<!-- SSL/TLS Connector with encrypted keystore password configuration  -->
<Connector port="8443" address="${jboss.bind.address}"
   maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
   scheme="https" secure="true" clientAuth="true"
   sslProtocol="TLS"
   securityDomain="java:/jaas/encrypt-keystore-password"
   SSLImplementation="org.jboss.net.ssl.JBossImplementation" >
</Connector>
    Copy to Clipboard Toggle word wrap
    .

  2. Configure JaasSecurityDomain MBean

    Set the JaasSecurityDomain MBean in a $JBOSS_HOME/server/$PROFILE/deploy/security-service.xml file.
    If the file does not exist, you must create it. The code sample describes the content required when the file does not exist. If you already have a security-service.xml, append the <mbean> element block to the file. 
    <server>
   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=PBESecurityDomain">
      <constructor>
         <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
      </constructor>
      <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
      <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
      <attribute name="Salt">welcometojboss</attribute>
      <attribute name="IterationCount">13</attribute>
   </mbean>
</server>
    Copy to Clipboard Toggle word wrap
    The Salt and IterationCount are the variables that define the strength of your encrypted password, so you can vary it from what is shown. Ensure you record the new values, and use when generating the encrypted password.

    Note

    The Salt must be at least eight characters long.

  3. Generate encrypted password

    The <mbean> configuration specifies that the keystore is stored in the jboss-as/server/$PROFILE/conf/localhost.keystore file. The <mbean> also specifies the encrypted password file is stored in jboss-as/server/$PROFILE/conf/keystore.password file.
    You must create the localhost.keystore file.
    Execute the following command in the jboss-as/server/$PROFILE/conf directory. 
    [conf]$ java -cp $JBOSS_HOME/lib/jbosssx.jar \org.jboss.security.plugins.FilePassword welcometojboss 13 unit-tests-server keystore.password
    Copy to Clipboard Toggle word wrap
    This command uses jbosssx.jar as the classpath (-cp) and the FilePassword security plugin to create a keystore.password file with the password set as unit-tests-server. To verify you have permission to create a keystore.password file, you supply the salt and iteration parameters configured in the <mbean> <attribute> elements of the JaasSecurityDomain.
    You execute this command in the /conf directory so the keystore.password file is saved to this directory.

  4. Update the Tomcat service MBean

    Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF .
    Open jboss-service.xml and append the following <depends> tag toward the end of the file. Adding the <depends> tag specifies that Tomcat must start after jboss.security:service=PBESecurityDomain . 
          <depends>jboss.security:service=PBESecurityDomain</depends>
   </mbean>
</server>
    Copy to Clipboard Toggle word wrap

Example 18.1. JaasSecurityDomain definition for pkcs12 keystores

Based on Procedure 18.1, “Encrypt Tomcat Container Keystore Password”, pkcs12 keystore containers referenced by the Tomcat Connector would look similar to this example. 
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=PBESecurityDomain">
    <constructor>
       <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
    </constructor>
    <attribute name="KeyStoreType">pkcs12</attribute>
    <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
    <attribute name="Salt">welcometojboss</attribute>
    <attribute name="IterationCount">13</attribute>
</mbean>
Copy to Clipboard Toggle word wrap

18.1. Medium Security Usecase
Copier lien

A user does not want to encrypt the keystore password but wants to externalize it (outside of server.xml ) or wants to make use of a predefined JaasSecurityDomain.

Procedure 18.2. Predefined JaasSecurityDomain

  1. Update jboss-service.xml to add a connector

    Navigate to $JBOSS_HOME/server/ $PROFILE /deploy/jbossweb.sar/META-INF, and add the following code block to the jboss-service.xml file. 
    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=SecurityDomain">
      <constructor>
         <arg type="java.lang.String" value="jbosstest-ssl"></arg>
      </constructor>
      <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
      <attribute name="KeyStorePass">unit-tests-server</attribute>
   </mbean>
    Copy to Clipboard Toggle word wrap

  2. Add a <depends> tag to the Tomcat service

    Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar .
    Open server.xml and append the following <depends> element toward the end of the file: 
    <depends>jboss.security:service=SecurityDomain</depends>
   </mbean>
</server>
    Copy to Clipboard Toggle word wrap

  3. Define the JaasSecurityDomain MBean in a *-service.xml file

    security-service.xml in the deploy directory, for example. 
     <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
     name="jboss.security:service=SecurityDomain">
     <constructor>
        <arg type="java.lang.String" value="jbosstest-ssl"></arg>
     </constructor>
     <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
     <attribute name="KeyStorePass">unit-tests-server</attribute>
  </mbean>
    Copy to Clipboard Toggle word wrap

Note

If you see this error, remember the keystore file should be writable by the user id that is running JBoss Enterprise Application Platform.
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat