此内容没有您所选择的语言版本。

10.11.5. Store and Retrieve Encrypted Sensitive Strings in the Java Keystore


Summary

Including passwords and other sensitive strings in plain-text configuration files is insecure. JBoss EAP 6 includes the ability to store and mask these sensitive strings in an encrypted keystore, and use masked values in configuration files.

Procedure 10.7. Setup the Java Keystore

  1. Run the vault.sh command.

    Run EAP_HOME/bin/vault.sh. Start a new interactive session by typing 0.
  2. Enter the directory where encrypted files will be stored.

    If you followed Section 10.11.2, “Create a Java Keystore to Store Sensitive Strings”, your keystore is in a directory called vault/ in your home directory. In most cases, it makes sense to store all of your encrypted information in the same place as the key store. This example uses the directory /home/USER/vault/.

    Note

    Do not forget to include the trailing slash on the directory name. Either use / or \, depending on your operating system.
  3. Enter the path to the keystore.

    Enter the full path to the keystore file. This example uses /home/USER/vault/vault.keystore.
  4. Enter the keystore password, vault name, salt, and iteration count.

    When prompted, enter the keystore password, vault name, salt, and iteration count. A handshake is performed.
  5. Select the option to store a password.

    Select option 0 to store a password or other sensitive string.
  6. Enter the value.

    When prompted, enter the value twice. If the values do not match, you are prompted to try again.
  7. Enter the vault block.

    Enter the vault block, which is a container for attributes which pertain to the same resource. An example of an attribute name would be ds_ExampleDS. This will form part of the reference to the encrypted string, in your datasource or other service definition.
  8. Enter the attribute name.

    Enter the name of the attribute you are storing. An example attribute name would be password.
    Result

    A message such as the one below shows that the attribute has been saved.

    Attribute Value for (ds_ExampleDS, password) saved
    Copy to Clipboard Toggle word wrap
  9. Make note of the information about the encrypted string.

    A message prints to standard output, showing the vault block, attribute name, shared key, and advice about using the string in your configuration. Make note of this information in a secure location. Example output is shown below.
    ********************************************
    Vault Block:ds_ExampleDS
    Attribute Name:password
    Configuration should be done as follows:
    VAULT::ds_ExampleDS::password::1
    ********************************************
    
    Copy to Clipboard Toggle word wrap
  10. Use the encrypted string in your configuration.

    Use the string from the previous step in your configuration, in place of a plain-text string. A datasource using the encrypted password above is shown below.
    ...
      <subsystem xmlns="urn:jboss:domain:datasources:1.0">
        <datasources>
          <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
            <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
            <driver>h2</driver>
            <pool></pool>
            <security>
              <user-name>sa</user-name>
              <password>${VAULT::ds_ExampleDS::password::1}</password>
            </security>
          </datasource>
          <drivers>
             <driver name="h2" module="com.h2database.h2">
                <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
             </driver>
          </drivers>
        </datasources>
      </subsystem>
    ...
    
    Copy to Clipboard Toggle word wrap
    You can use an encrypted string anywhere in your domain or standalone configuration file where expressions are allowed.

    Note

    To check if expressions are allowed within a particular subsystem, run the following CLI command against that subsystem:
    /host=master/core-service=management/security-realm=TestRealm:read-resource-description(recursive=true)
    Copy to Clipboard Toggle word wrap
    From the output of running this command, look for the value for the expressions-allowed parameter. If this is true, then you can use expressions within the configuration of this particular subsystem.
    After you store your string in the keystore, use the following syntax to replace any clear-text string with an encrypted one.
    ${VAULT::<replaceable>VAULT_BLOCK</replaceable>::<replaceable>ATTRIBUTE_NAME</replaceable>::<replaceable>ENCRYPTED_VALUE</replaceable>}
    Copy to Clipboard Toggle word wrap
    Here is a sample real-world value, where the vault block is ds_ExampleDS and the attribute is password.
    <password>${VAULT::ds_ExampleDS::password::1}</password>
    Copy to Clipboard Toggle word wrap
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat