Chapter 6. Vault For Red Hat JBoss Web Server
6.1. About password vault in Red Hat JBoss Web Server 5.3
Tomcat-vault is a PicketLink vault extension for Apache Tomcat that allows users to mask passwords and other sensitive strings, and store them in an encrypted Java keystore. Using the vault enables you to stop storing clear-text passwords in your Tomcat configuration files, because Tomcat can look up passwords and other sensitive strings from a keystore using the vault.
For information about using CRYPT with the vault, see Using CRYPT.
6.2. Installing the JBoss Web Server password vault from .zip archive
The Tomcat password vault is pre-installed by the jws-5.3.0-application-server.zip file. The password vault can be used once it is configured, and it is located at JWS_HOME/tomcat/lib/tomcat-vault.jar.
If the JBoss Web Server has been installed from RPMs on Red Hat Enterprise Linux, you need to install the JBoss Web Server RPM for tomcat-vault.
Procedure
Install the password vault as the root user by executing:
yum install jws5-tomcat-vault
6.4. Enabling password vault in JBoss Web Server
In the following procedure, replace JWS_HOME with the path to your JBoss Web Server installation. Also, the paths below use / for directory separators.
Procedure
- Stop Tomcat if it is running.
- Edit JWS_HOME/tomcat/conf/catalina.properties, and add the following line:
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault
6.5. Creating a Java Keystore in JBoss Web Server
To use a password vault, you must first create a Java keystore.
The values in the procedure are examples only. Replace them with values specific to your environment.
For an explanation of the parameters, use the keytool -genseckey -help command.
Procedure
Create a Java keystore using the keytool -genseckey command:
$ keytool -genseckey -keystore JWS_HOME/tomcat/vault.keystore -alias my_vault -storetype jceks -keyalg AES -keysize 128 -storepass <vault_password> -keypass <vault_password> -validity 730
6.6. External password vault configuration
The vault.properties file for the tomcat-vault can be stored outside of JWS_HOME/tomcat/conf/ in a CATALINA_BASE/conf/ directory (if set).
To set the CATALINA_BASE directory, follow the instructions in the section Advanced Configuration - Multiple Tomcat Instances in the Running The Apache Tomcat 9.0 Servlet/JSP Container document found on the Apache Tomcat Website.
The default location for CATALINA_BASE is JWS_HOME/tomcat/ also known as CATALINA_HOME.
Additional Resources
For more information on setting CATALINA_BASE, see:
6.7. Initializing Password Vault
6.7.1. Initializing password vault for Apache Tomcat interactively
The values below are examples only. Replace them with values appropriate for your environment.
Procedure
Initialize password vault using the tomcat-vault.sh script:
Note the output for the Tomcat properties file, as you will need this to configure Tomcat to use the vault.
6.7.2. Initializing the Vault for Apache Tomcat non-interactively (silent setup)
The Vault for Apache Tomcat can be created non-interactively by providing the required input as arguments to the tomcat-vault.sh script. The vault.properties file is also created as output of the tomcat-vault.sh script when the -g, --generate-config option is used.
The values below are examples only. Replace them with values appropriate for your environment.
Procedure
- Initialize password vault using the tomcat-vault.sh script:
6.8. Configuring Tomcat to use the password vault
Prerequisites
Password vault for Tomcat is initialized.
For information about initializing password vault for Tomcat, see Initializing password vault for Apache Tomcat interactively.
Procedure
In JWS_HOME/tomcat/conf/, create a file named vault.properties containing the vault configuration produced when initializing the vault.
The values provided below use the example vault initialized in procedure Initializing password vault for Apache Tomcat interactively.
Note: For KEYSTORE_PASSWORD, you must use the masked value that was generated when initializing the vault.
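One way to verify the result of the procedures in sections 6.4 and 6.8 before restarting Tomcat, as an added example that is not part of the Red Hat documentation. The function names audit_vault and owner_only are hypothetical; the script assumes that masked values start with "MASK-" and that vault.properties names the keystore file in KEYSTORE_URL, and the owner-only permission check is an added hardening check, not a requirement stated in this chapter.

```shell
#!/bin/sh
# Added example, not Red Hat's code: audit a Tomcat base directory for the
# vault settings from sections 6.4 and 6.8 of this chapter.
# Assumptions: masked values start with "MASK-", and vault.properties names
# the keystore file in KEYSTORE_URL.
PROP_SOURCE='org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault'

# Succeeds when group and other have no access to the file.
owner_only() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_vault() {
    av_base=$1
    av_rc=0
    av_cat="$av_base/conf/catalina.properties"
    av_vault="$av_base/conf/vault.properties"

    # 6.4: the exact, uncommented PROPERTY_SOURCE line must be present.
    if ! grep -qxF "$PROP_SOURCE" "$av_cat" 2>/dev/null; then
        echo "FAIL catalina.properties: PROPERTY_SOURCE is not PropertySourceVault"
        av_rc=1
    fi

    # 6.8: vault.properties must exist before its contents can be checked.
    if [ ! -f "$av_vault" ]; then
        echo "FAIL vault.properties: not found in $av_base/conf"
        return 1
    fi

    # 6.8 note: KEYSTORE_PASSWORD must be the masked value, never clear text.
    av_pw=$(sed -n 's/^KEYSTORE_PASSWORD=//p' "$av_vault" | tail -n 1)
    case $av_pw in
        MASK-?*) ;;
        *) echo "FAIL vault.properties: KEYSTORE_PASSWORD is not a masked value"
           av_rc=1 ;;
    esac

    # Added hardening check: only the owner may access the keystore and its config.
    av_ks=$(sed -n 's/^KEYSTORE_URL=//p' "$av_vault" | tail -n 1)
    for av_f in "$av_vault" "$av_ks"; do
        [ -f "$av_f" ] || continue
        owner_only "$av_f" || { echo "FAIL $av_f: accessible to group or other"; av_rc=1; }
    done
    return "$av_rc"
}

# Usage: sh audit_vault.sh JWS_HOME/tomcat
if [ -n "${1:-}" ]; then audit_vault "$1"; fi
```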