Red Hat Summit第5章 Securing passwords with a keystore
You can use a keystore to encrypt passwords that are used for communication between Business Central and KIE Server. You should encrypt both controller and KIE Server passwords. If Business Central and KIE Server are deployed to different application servers, then both application servers should use the keystore.
Use Java Cryptography Extension KeyStore (JCEKS) for your keystore because it supports symmetric keys. Use KeyTool, which is part of the JDK installation, to create a new JCEKS.
If KIE Server is not configured with JCEKS, KIE Server passwords are stored in system properties in plain text form.
Prerequisites
- KIE Server is installed in Red Hat JBoss Web Server.
- Java 8 or higher is installed.
Procedure
-
Open the
JWS_HOME/tomcat/conf/tomcat-users.xmlfile in a text editor. Add a KIE Server user with the
kie-serverrole to theJWS_HOME/tomcat/conf/tomcat-users.xmlfile. In the following example, replace<USER_NAME>and<PASSWORD>with the user name and password of your choice.<role rolename="kie-server"/> <user username="<USER_NAME>" password="<PASSWORD>" roles="kie-server"/>
<role rolename="kie-server"/> <user username="<USER_NAME>" password="<PASSWORD>" roles="kie-server"/>Copy to Clipboard Copied! To use KeyTool to create a JCEKS, enter the following command in the Java 8 home directory:
$<JAVA_HOME>/bin/keytool -importpassword -keystore <KEYSTORE_PATH> -keypass <ALIAS_KEY_PASSWORD> -alias <PASSWORD_ALIAS> -storepass <KEYSTORE_PASSWORD> -storetype JCEKS
$<JAVA_HOME>/bin/keytool -importpassword -keystore <KEYSTORE_PATH> -keypass <ALIAS_KEY_PASSWORD> -alias <PASSWORD_ALIAS> -storepass <KEYSTORE_PASSWORD> -storetype JCEKSCopy to Clipboard Copied! In this example, replace the following variables:
-
<KEYSTORE_PATH>: The path where the keystore will be stored -
<KEYSTORE_PASSWORD>: The keystore password -
<ALIAS_KEY_PASSWORD>: The password used to access values stored with the alias -
<PASSWORD_ALIAS>: The alias of the entry to the process
-
- When prompted, enter the password for the KIE Server user that you created.
To set the system properties, complete one of these steps in the
JWS_HOME/tomcat/bindirectory and replace the variables as described in the following table:注記If Business Central or the standalone controller are installed in separate instances from Red Hat JBoss Web Server, do not add the
kie.keystore.key.server.aliasandkie.keystore.key.server.pwdproperties toCATALINA_OPTS.On Linux or UNIX, create the
setenv.shfile with the following content:set CATALINA_OPTS=" -Dkie.keystore.keyStoreURL=<KEYSTORE_URL> -Dkie.keystore.keyStorePwd=<KEYSTORE_PWD> -Dkie.keystore.key.server.alias=<KEY_SERVER_ALIAS> -Dkie.keystore.key.server.pwd=<KEY_SERVER_PWD> -Dkie.keystore.key.ctrl.alias=<KEY_CONTROL_ALIAS> -Dkie.keystore.key.ctrl.key.ctrl.pwd=<KEY_CONTROL_PWD>
set CATALINA_OPTS=" -Dkie.keystore.keyStoreURL=<KEYSTORE_URL> -Dkie.keystore.keyStorePwd=<KEYSTORE_PWD> -Dkie.keystore.key.server.alias=<KEY_SERVER_ALIAS> -Dkie.keystore.key.server.pwd=<KEY_SERVER_PWD> -Dkie.keystore.key.ctrl.alias=<KEY_CONTROL_ALIAS> -Dkie.keystore.key.ctrl.key.ctrl.pwd=<KEY_CONTROL_PWD>Copy to Clipboard Copied! On Windows, add the following content to the
setenv.batfile:set CATALINA_OPTS=" -Dkie.keystore.keyStoreURL=<KEYSTORE_URL> -Dkie.keystore.keyStorePwd=<KEYSTORE_PWD> -Dkie.keystore.key.server.alias=<KEY_SERVER_ALIAS> -Dkie.keystore.key.server.pwd=<KEY_SERVER_PWD> -Dkie.keystore.key.ctrl.alias=<KEY_CONTROL_ALIAS> -Dkie.keystore.key.ctrl.pwd=<KEY_CONTROL_PWD>
set CATALINA_OPTS=" -Dkie.keystore.keyStoreURL=<KEYSTORE_URL> -Dkie.keystore.keyStorePwd=<KEYSTORE_PWD> -Dkie.keystore.key.server.alias=<KEY_SERVER_ALIAS> -Dkie.keystore.key.server.pwd=<KEY_SERVER_PWD> -Dkie.keystore.key.ctrl.alias=<KEY_CONTROL_ALIAS> -Dkie.keystore.key.ctrl.pwd=<KEY_CONTROL_PWD>Copy to Clipboard Copied!
表5.1 System properties used to load a KIE Server JCEKS System property Placeholder Description kie.keystore.keyStoreURL<KEYSTORE_URL>URL for the JCEKS that you want to use, for example
file:///home/kie/keystores/keystore.jcekskie.keystore.keyStorePwd<KEYSTORE_PWD>Password for the JCEKS
kie.keystore.key.server.alias<KEY_SERVER_ALIAS>Alias of the key for REST services where the password is stored
kie.keystore.key.server.pwd<KEY_SERVER_PWD>Password of the alias for REST services with the stored password
kie.keystore.key.ctrl.alias<KEY_CONTROL_ALIAS>Alias of the key for default REST Process Automation Controller where the password is stored
kie.keystore.key.ctrl.pwd<KEY_CONTROL_PWD>Password of the alias for default REST Process Automation Controller with the stored password
- Start KIE Server to verify the configuration.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}