7.3. Create a Java Keystore to Store Sensitive Strings
Prerequisites
- The keytool utility, provided by the Java Runtime Environment (JRE). Locate the path for the file, which on Red Hat Enterprise Linux is /usr/bin/keytool.
Warning
JCEKS keystore implementations differ between Java vendors, so you must generate the keystore using the keytool utility from the same vendor as the JDK you use. Using a keystore generated by the keytool from one vendor's JDK in a JBoss EAP instance running on a JDK from a different vendor results in the following exception:
java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector
Procedure 7.2. Set up a Java Keystore
1. Create a directory to store your keystore and other encrypted information.
Create a directory to store your keystore and other important information. The rest of this procedure assumes that the directory is EAP_HOME/vault/. Since this directory will contain sensitive information, it should be accessible only to a limited set of users. At a minimum, the user account under which JBoss EAP is running requires read-write access.
2. Determine the parameters to use with the keytool utility.
Decide on values for the following parameters:
- alias
The alias is a unique identifier for the vault or other data stored in the keystore. Aliases are case-insensitive.
- storetype
The storetype specifies the keystore type. The value jceks is recommended.
- keyalg
The algorithm to use for encryption. See the documentation for your JRE and operating system for the other choices available to you.
- keysize
The size of an encryption key affects how difficult it is to recover the key by brute force. For information on appropriate values, see the documentation distributed with the keytool utility.
- storepass
The value of storepass is the password used to authenticate to the keystore so that the key can be read. The password must be at least 6 characters long and must be provided whenever the keystore is accessed. If you omit this parameter, you are prompted to enter it when you execute the command.
- keypass
The value of keypass is the password used to access the specific key and must match the value of the storepass parameter.
- validity
The value of validity is the period (in days) for which the key will be valid.
- keystore
The value of keystore is the file path and file name in which the keystore's values are to be stored. The keystore file is created when data is first added to it. Ensure you use the correct file path separator: / (forward slash) for Red Hat Enterprise Linux and similar operating systems, \ (backslash) for Microsoft Windows Server.
The keytool utility has many other options. See the documentation for your JRE or your operating system for more details.
3. Run the keytool command.
Launch your operating system's command line interface and run the keytool utility, supplying the information that you gathered.
Example 7.1. Create a Java Keystore
$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore EAP_HOME/vault/vault.keystore
Result
In this example, a keystore has been created in the file EAP_HOME/vault/vault.keystore. It stores a single key, with the alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP.
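As an added example that is not part of the Red Hat documentation, the following POSIX shell script wraps Procedure 7.2: it checks the constraints the procedure states (jceks store type, a storepass of at least six characters, a keypass equal to the storepass), creates the vault directory with owner-only permissions, runs the same keytool command as Example 7.1, and confirms the alias is present with keytool -list. It assumes keytool is on the PATH; the directory, alias and passwords are hypothetical arguments supplied by the caller.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Assumes keytool (from the same JDK vendor
# that JBoss EAP will run on) is on the PATH.

# Check the constraints stated in Procedure 7.2: storetype jceks, storepass at
# least 6 characters, keypass identical to storepass. Returns 1 with a reason.
check_vault_params() {
  storetype=$1; storepass=$2; keypass=$3
  if [ "$storetype" != "jceks" ]; then
    echo "storetype must be jceks for the JBoss EAP vault" >&2; return 1
  fi
  if [ "${#storepass}" -lt 6 ]; then
    echo "storepass must be at least 6 characters" >&2; return 1
  fi
  if [ "$storepass" != "$keypass" ]; then
    echo "keypass must match storepass" >&2; return 1
  fi
  return 0
}

# Create VAULT_DIR (for example EAP_HOME/vault) readable only by the invoking
# user, generate an AES-128 secret key under ALIAS, then verify that the alias
# is listed in the new keystore without exposing the key material.
create_vault_keystore() {
  vault_dir=$1; alias=$2; storepass=$3; keypass=$4
  check_vault_params jceks "$storepass" "$keypass" || return 1
  umask 077                                   # new files: owner read/write only
  mkdir -p "$vault_dir" && chmod 700 "$vault_dir" || return 1
  keytool -genseckey -alias "$alias" -storetype jceks -keyalg AES -keysize 128 \
    -storepass "$storepass" -keypass "$keypass" -validity 730 \
    -keystore "$vault_dir/vault.keystore" || return 1
  # keytool -list prints one line per entry starting with "<alias>, <date>, ..."
  keytool -list -storetype jceks -keystore "$vault_dir/vault.keystore" \
    -storepass "$storepass" | grep -qi "^$alias,"
}
```

Invoke it as `create_vault_keystore "$EAP_HOME/vault" vault vault22 vault22`; a non-zero exit means either a parameter check failed (reason on stderr) or keytool did not produce a keystore containing the alias.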