
Chapter 17. Encrypting Data Source Passwords


Database connections for the JBoss Enterprise Application Platform are defined in *-ds.xml data source files. These database connection details include clear text passwords. You can increase the security of your server by replacing clear text passwords in data source files with encrypted passwords.
This chapter presents two different methods for encrypting data source passwords.
Secured Identity using the module SecureIdentityLoginModule is described in Section 17.1, “Secured Identity”.
Configured Identity with Password Based Encryption using the module JaasSecurityDomainIdentityLoginModule is described in Section 17.2, “Configured Identity with Password Based Encryption (PBE)”.

17.1. Secured Identity

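The class org.jboss.resource.security.SecureIdentityLoginModule can be used both to encrypt database passwords and to provide a decrypted version of the password when the data source configuration is required by the server. The SecureIdentityLoginModule uses a hard-coded password to encrypt and decrypt the data source password. Because that key is the same in every installation, the encrypted value only keeps the password from being read at a glance; anyone who has the value and jbosssx.jar can recover it, so file permissions on login-config.xml still matter.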

Procedure 17.1. Overview: Using SecureIdentityLoginModule to encrypt a data source password

  1. Encrypt the data source password.
  2. Create an application authentication policy with the encrypted password.
  3. Configure the data source to use the application authentication policy.

17.1.1. Encrypt the data source password

The data source password is encrypted using the SecureIdentityLoginModule main method by passing in the clear text password. The SecureIdentityLoginModule is provided by jbosssx.jar.

Procedure 17.2. Encrypt a data source password - Platform versions 5.0 and 5.0.1

This procedure encrypts a data source password on JBoss Enterprise Application Platform versions 5.0 and 5.0.1.
  1. Change directory to the jboss-as directory.
  2. Invoke the SecureIdentityLoginModule with the following command, supplying the clear text password as PASSWORD:
    Linux command:

    java -cp client/jboss-logging-spi.jar:common/lib/jbosssx.jar \
    org.jboss.resource.security.SecureIdentityLoginModule PASSWORD

    Windows command:

    java -cp client\jboss-logging-spi.jar;common\lib\jbosssx.jar ^
     org.jboss.resource.security.SecureIdentityLoginModule PASSWORD

    Result:

    The command will return an encrypted password.

Procedure 17.3. Encrypt a data source password - Platform version 5.1 and later

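This procedure encrypts a data source password on JBoss Enterprise Application Platform versions 5.1 and later.
  1. Change directory to the jboss-as directory.
  2. Invoke the SecureIdentityLoginModule with the following command, supplying the clear text password as PASSWORD:
    Linux command: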

    java -cp client/jboss-logging-spi.jar:lib/jbosssx.jar \
     org.jboss.resource.security.SecureIdentityLoginModule PASSWORD

    Windows command:

    java -cp client\jboss-logging-spi.jar;lib\jbosssx.jar ^
     org.jboss.resource.security.SecureIdentityLoginModule PASSWORD

    Result:

    The command will return an encrypted password.

17.1.2. Create an application authentication policy with the encrypted password

Each JBoss Application Server server profile has a conf/login-config.xml file, where application authentication policies are defined for that profile. To create an application authentication policy for your encrypted password, add a new <application-policy> element to the <policy> element.
Example 17.1, “Example application authentication policy with encrypted data source password” is a fragment of a login-config.xml file showing an application authentication policy of name "EncryptDBPassword".

Example 17.1. Example application authentication policy with encrypted data source password

  
  <policy>
  ...
      <!-- Example usage of the SecureIdentityLoginModule -->
      <application-policy name="EncryptDBPassword">
          <authentication>
              <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
                  <module-option name="username">admin</module-option>
                  <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
                  <module-option name="managedConnectionFactoryName">jboss.jca:name=PostgresDS,service=LocalTxCM</module-option>
              </login-module>
          </authentication>
      </application-policy>
  </policy>

SecureIdentityLoginModule module options

username
    Specify the user name to use when establishing a connection to the database.
password
    Provide the encrypted password generated in Section 17.1.1, “Encrypt the data source password”.
managedConnectionFactoryName
    jboss.jca:name
        Nominate a Java Naming and Directory Interface (JNDI) name for this data source.
    jboss.jca:service
        Specify the transaction type.

Transaction types

NoTxCM
    No transaction support
LocalTxCM
    Single resource transaction support
TxCM
    Single resource or distributed transaction support
XATxCM
    Distributed transaction support

17.1.3. Configure the data source to use the application authentication policy

At run-time the application policy is bound to JNDI under the application policy name, and is made available as a security domain.
The data source is configured in a *-ds.xml file. Remove the <user-name> and <password> elements from this file, and replace them with a <security-domain> element. This element contains the application authentication policy name specified in Section 17.1.2, “Create an application authentication policy with the encrypted password”.
Using the example name "EncryptDBPassword" from Section 17.1.2, “Create an application authentication policy with the encrypted password”, results in a data source file that looks something like Example 17.2, “Example data source file using secured identity”.

Example 17.2. Example data source file using secured identity

<?xml version="1.0" encoding="UTF-8"?>
<datasources>
    <local-tx-datasource>
        <jndi-name>PostgresDS</jndi-name>
        <connection-url>jdbc:postgresql://127.0.0.1:5432/test?protocolVersion=2</connection-url>
        <driver-class>org.postgresql.Driver</driver-class>
        <min-pool-size>1</min-pool-size>
        <max-pool-size>20</max-pool-size>

        <!-- REPLACED WITH security-domain BELOW
        <user-name>admin</user-name>
        <password>password</password>
        -->

        <security-domain>EncryptDBPassword</security-domain>

        <metadata>
            <type-mapping>PostgreSQL 8.0</type-mapping>
        </metadata>
    </local-tx-datasource>
</datasources>
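
The following check is an added example, not part of the original documentation or of JBoss: it audits the result of Procedure 17.1 by flagging data sources that still carry a clear text <password> or whose <security-domain> does not resolve to a matching policy in login-config.xml. The function names, file names and sample XML are constructed, and the rule that name= in managedConnectionFactoryName equals the data source's <jndi-name> is an assumption taken from Examples 17.1 and 17.2.

```python
import xml.etree.ElementTree as ET

DS_KINDS = ("local-tx-datasource", "no-tx-datasource", "xa-datasource")
SECURE_IDENTITY = "org.jboss.resource.security.SecureIdentityLoginModule"

def load_policies(login_config_xml):
    """Map each application-policy name to its SecureIdentityLoginModule options."""
    policies = {}
    for policy in ET.fromstring(login_config_xml.strip()).iter("application-policy"):
        policies[policy.get("name")] = {
            opt.get("name"): (opt.text or "").strip()
            for module in policy.iter("login-module")
            if module.get("code") == SECURE_IDENTITY
            for opt in module.iter("module-option")}
    return policies

def audit(ds_files, login_config_xml):
    """Return findings for data sources not wired as Section 17.1 describes."""
    policies, findings = load_policies(login_config_xml), []
    for fname, text in ds_files.items():
        # ElementTree drops comments, so commented-out credentials are not flagged.
        for ds in (e for e in ET.fromstring(text.strip()) if e.tag in DS_KINDS):
            jndi = ds.findtext("jndi-name", "").strip()
            domain = ds.findtext("security-domain", "").strip()
            if ds.find("password") is not None:
                findings.append(f"{fname}: {jndi}: clear text <password>")
            if not domain:
                findings.append(f"{fname}: {jndi}: no <security-domain>")
            elif domain not in policies:
                findings.append(f"{fname}: {jndi}: undefined policy {domain}")
            else:
                # Assumption from Examples 17.1/17.2: name= in the MBean equals <jndi-name>.
                mcf = policies[domain].get("managedConnectionFactoryName", "")
                if policies[domain] and f"name={jndi}," not in mcf + ",":
                    findings.append(f"{fname}: {jndi}: {domain} is bound to {mcf!r}")
    return findings

# Constructed sample input: the policy and the first data source mirror Examples 17.1 and 17.2.
SAMPLE_LOGIN_CONFIG = """<policy><application-policy name="EncryptDBPassword"><authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="managedConnectionFactoryName">jboss.jca:name=PostgresDS,service=LocalTxCM</module-option>
</login-module></authentication></application-policy></policy>"""
SAMPLE_DS = {
    "postgres-ds.xml": "<datasources><local-tx-datasource><jndi-name>PostgresDS</jndi-name>"
        "<!-- <password>password</password> -->"
        "<security-domain>EncryptDBPassword</security-domain></local-tx-datasource></datasources>",
    "legacy-ds.xml": "<datasources><local-tx-datasource><jndi-name>LegacyDS</jndi-name>"
        "<password>password</password></local-tx-datasource></datasources>",
}
```

Calling audit(SAMPLE_DS, SAMPLE_LOGIN_CONFIG) reports only the legacy data source; to audit a real profile, read its deploy/*-ds.xml files and conf/login-config.xml into the same arguments.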