10.11.5. Store and Retrieve Encrypted Sensitive Strings in the Java Keystore
Including passwords and other sensitive strings in plain-text configuration files is insecure. JBoss EAP 6 includes the ability to store and mask these sensitive strings in an encrypted keystore, and use masked values in configuration files.
Prerequisites
- The EAP_HOME/bin/vault.sh application needs to be accessible via a command-line interface.
Procedure 10.7. Setup the Java Keystore
- Run the vault.sh command. Run EAP_HOME/bin/vault.sh. Start a new interactive session by typing 0.
- Enter the directory where encrypted files will be stored. If you followed Section 10.11.2, “Create a Java Keystore to Store Sensitive Strings”, your keystore is in a directory called vault/ in your home directory. In most cases, it makes sense to store all of your encrypted information in the same place as the key store. This example uses the directory /home/USER/vault/.
  Note: Do not forget to include the trailing slash on the directory name. Either use / or \, depending on your operating system.
- Enter the path to the keystore. Enter the full path to the keystore file. This example uses /home/USER/vault/vault.keystore.
- Enter the keystore password, vault name, salt, and iteration count. When prompted, enter the keystore password, vault name, salt, and iteration count. A handshake is performed.
- Select the option to store a password. Select option 0 to store a password or other sensitive string.
- Enter the value. When prompted, enter the value twice. If the values do not match, you are prompted to try again.
- Enter the vault block. Enter the vault block, which is a container for attributes which pertain to the same resource. An example of a vault block name would be ds_ExampleDS. This will form part of the reference to the encrypted string, in your datasource or other service definition.
- Enter the attribute name. Enter the name of the attribute you are storing. An example attribute name would be password.
  Result: A message such as the one below shows that the attribute has been saved.
  Attribute Value for (ds_ExampleDS, password) saved
- Make note of the information about the encrypted string. A message prints to standard output, showing the vault block, attribute name, shared key, and advice about using the string in your configuration. Make note of this information in a secure location. Example output is shown below.
- Use the encrypted string in your configuration. Use the string from the previous step in your configuration, in place of a plain-text string. A datasource using the encrypted password above is shown below.
  You can use an encrypted string anywhere in your domain or standalone configuration file where expressions are allowed.
  Note: To check if expressions are allowed within a particular subsystem, run the following CLI command against that subsystem:
  /host=master/core-service=management/security-realm=TestRealm:read-resource-description(recursive=true)
  From the output of this command, look for the value of the expressions-allowed parameter. If it is true, you can use expressions within the configuration of this particular subsystem.
  After you store your string in the keystore, use the following syntax to replace any clear-text string with an encrypted one:
  ${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::ENCRYPTED_VALUE}
  Here is a sample real-world value, where the vault block is ds_ExampleDS and the attribute is password:
  <password>${VAULT::ds_ExampleDS::password::1}</password>
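As an added example (not part of the original Red Hat documentation or of the vault.sh tool), the following Python script audits a datasource configuration for password values that are still in clear text and checks that any vault references follow the ${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::ENCRYPTED_VALUE} syntax described above. The sample configuration, the pool names and the function names are constructed for illustration; the script strips XML namespaces so it also works on the namespaced elements of a real standalone.xml.

```python
import re
import xml.etree.ElementTree as ET

# Vault expression syntax as documented: ${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::ENCRYPTED_VALUE}
VAULT_RE = re.compile(r"^\$\{VAULT::([^:}]+)::([^:}]+)::([^}]+)\}$")

# Constructed sample configuration (not from the documentation): one vaulted
# password, one clear-text password and one malformed vault reference.
SAMPLE_CONFIG = """<datasources>
  <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
    <security>
      <user-name>sa</user-name>
      <password>${VAULT::ds_ExampleDS::password::1}</password>
    </security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/ReportsDS" pool-name="ReportsDS">
    <security>
      <user-name>reports</user-name>
      <password>plain-text-secret</password>
    </security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/AuditDS" pool-name="AuditDS">
    <security>
      <user-name>audit</user-name>
      <password>${VAULT::ds_AuditDS::password}</password>
    </security>
  </datasource>
</datasources>
"""


def _local(tag):
    """Strip a namespace prefix such as '{urn:jboss:domain:datasources:1.1}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def parse_vault_expression(value):
    """Return (vault_block, attribute_name, encrypted_value), or None if the
    value is not a well-formed vault reference."""
    m = VAULT_RE.match(value.strip())
    return m.groups() if m else None


def audit_passwords(xml_text, sensitive_tags=("password",)):
    """Classify every sensitive element under each datasource.

    Returns a list of (pool_name, tag, status, detail) tuples where status is
    'vaulted', 'plaintext' or 'malformed'. Clear-text values are never echoed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for ds in root.iter():
        if _local(ds.tag) != "datasource":
            continue
        pool = ds.get("pool-name", "?")
        for elem in ds.iter():
            if _local(elem.tag) not in sensitive_tags:
                continue
            value = (elem.text or "").strip()
            parsed = parse_vault_expression(value)
            if parsed:
                findings.append((pool, _local(elem.tag), "vaulted", parsed))
            elif value.startswith("${VAULT::"):
                # Looks like a vault reference but does not match the documented syntax.
                findings.append((pool, _local(elem.tag), "malformed", value))
            else:
                findings.append((pool, _local(elem.tag), "plaintext", "<redacted>"))
    return findings


def plaintext_pools(xml_text):
    """Names of datasource pools whose password is still stored in clear text."""
    return [pool for pool, _, status, _ in audit_passwords(xml_text) if status == "plaintext"]


if __name__ == "__main__":
    for pool, tag, status, detail in audit_passwords(SAMPLE_CONFIG):
        print(f"{pool}: <{tag}> {status} {detail}")
```

Running the script against the embedded sample reports ExampleDS as vaulted, ReportsDS as clear text and AuditDS as a malformed reference (its expression lacks the ENCRYPTED_VALUE component). Point it at a real configuration file by reading that file into a string and passing it to audit_passwords; the pool names in the output are enough to locate each finding without printing the secret itself.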