Monday, November 9, 2020

How to Encrypt JBOSS Passwords using VAULT

Here we will see how to keep the passwords used by JBoss, such as the keystore password, key passphrase and data source password, out of the configuration files by storing them in the JBoss Vault. The vault holds each secret encrypted in a file under ENC_FILE_DIR, protected by the key in a Java keystore, and domain.xml or host.xml carries only a ${VAULT::...} reference that is resolved at startup. The same steps apply to any other password that would otherwise sit in clear text in the configuration.

Encrypt Password in JBOSS
------------------------------------
1. Copy the JKS keystore to /home/jboss on both the master and the slave host (use the same path on every host, because the vault definition added in step 3 names it), and bring down all controllers and servers before continuing.
2. Run vault.sh from JBOSS_HOME/bin on the master and walk through the interactive session. The transcript below is from the author's session; the keystore URL, alias, salt and iteration count entered here are the values that must be repeated in the vault definition of step 3.

06-Oct-14@14:05:29-jboss@hostname1a:/rh/jboss/app1a/bin>./vault.sh
=====================================================================

JBoss Vault

JBOSS_HOME: /rh/jboss/app1a

JAVA: /usr/IBM/WebSphere/AppServer/java/bin/java

=====================================================================

**********************************
**** JBoss Vault ***************
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
1

1
Removing the current interactive session
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
Removing the current interactive session
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:/home/jboss
Enter Keystore URL:/home/jboss/hostname1a.jks
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):44
Enter Keystore Alias:hostname1a
Initializing Vault
Oct 6, 2014 2:06:33 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in AS7 config file:
********************************************
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/home/jboss/hostname1a.jks"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-2exADfZEVkq4nkGflMRrtM"/>
<vault-option name="KEYSTORE_ALIAS" value="hostname1a"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="44"/>
<vault-option name="ENC_FILE_DIR" value="/home/jboss/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit

0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:db2ds
Enter Attribute Name:db2ds
Secured attribute value has been stored in vault.
Please make note of the following:
********************************************
Vault Block:db2ds
Attribute Name:db2ds
Configuration should be done as follows:
VAULT::db2ds::db2ds::1
********************************************
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
1
Task: Verify whether a secured attribute exists
Enter Vault Block:db2ds
Enter Attribute Name:db2ds
A value exists for (db2ds, db2ds)
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
[2] + Stopped (SIGTSTP) ./vault.sh
You have mail in /usr/spool/mail/jboss
06-Oct-14@14:14:46-jboss@hostname1a:/rh/jboss/app1a/bin>

End the session with 2: Exit rather than suspending it as in the transcript above, where Ctrl-Z (SIGTSTP) left vault.sh stopped in the background.


3. Define the vault on every host controller, the master (domain controller) and each slave, using exactly the values vault.sh printed in step 2. The vault is a host-level core service, so the definition goes into each host's host.xml, not into domain.xml. Copy the keystore and the encrypted vault file(s) vault.sh wrote to ENC_FILE_DIR to the same paths on every slave first, because each host resolves ${VAULT::...} references locally. KEYSTORE_URL and KEYSTORE_ALIAS must be the ones entered in step 2; the CLI command and the XML below were taken from different hosts and therefore show different keystore file names and aliases.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
FROM CLI (connected to the domain controller; repeat with /host=<slave name> for each slave host)

[domain@10.91.74.96:39999 /] /host=master/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/jboss/a01sribapp3a.jks"),("KEYSTORE_PASSWORD" => "MASK-2exADfZEVkq4nkGflMRrtM"), ("KEYSTORE_ALIAS" => "a01sribapp3a"), ("SALT" => "12345678"), ("ITERATION_COUNT" => "44"), ("ENC_FILE_DIR" => "/home/jboss/")])

Manually, in host.xml (place the <vault> element before <management>, as in the layout vault.sh printed)

<vault>
<vault-option name="KEYSTORE_URL" value="/home/jboss/vaultks.jks"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-2exADfZEVkq4nkGflMRrtM"/>
<vault-option name="KEYSTORE_ALIAS" value="vaultks"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="44"/>
<vault-option name="ENC_FILE_DIR" value="/home/jboss/"/>
</vault><management> ...

4. Edit domain.xml and replace the clear-text data source password with the reference vault.sh printed, ${VAULT::db2ds::db2ds::1}, that is ${VAULT::<vault block>::<attribute name>::<trailing token exactly as printed>}. The same kind of reference can replace the keystore password and key password of an SSL server identity in host.xml, or any other attribute that accepts expressions.

5. Start the domain controller, the host controllers and the servers, then test the data source connectivity. A keystore path, alias, salt or iteration count that differs from what vault.sh used shows up as a failure to resolve the reference at startup on that host.
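Added example of where the references from steps 3 and 4 end up, not a fragment of the author's configuration: a host.xml for one host controller carrying the vault definition from the transcript above plus an SSL server identity whose keystore and key passwords are vault references, and the domain.xml datasource that uses the db2ds entry. The ssl vault block with its attributes keystore_password and key_password (assumed to have been stored the same way as db2ds), the ManagementRealm placement, the schema version, the DB2 connection URL and the user name are assumptions.

```xml
<!-- host.xml on each host controller (master and every slave). The <vault>
     element sits before <management>; the values are the ones vault.sh printed -->
<host name="master" xmlns="urn:jboss:domain:1.5">
    <vault>
        <vault-option name="KEYSTORE_URL" value="/home/jboss/hostname1a.jks"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-2exADfZEVkq4nkGflMRrtM"/>
        <vault-option name="KEYSTORE_ALIAS" value="hostname1a"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="44"/>
        <vault-option name="ENC_FILE_DIR" value="/home/jboss/"/>
    </vault>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <!-- assumed: vault block "ssl" with attributes keystore_password
                         and key_password, stored with vault.sh like db2ds above -->
                    <ssl>
                        <keystore path="/home/jboss/hostname1a.jks"
                                  keystore-password="${VAULT::ssl::keystore_password::1}"
                                  key-password="${VAULT::ssl::key_password::1}"/>
                    </ssl>
                </server-identities>
                <!-- authentication section of the realm unchanged -->
            </security-realm>
        </security-realms>
        <!-- management-interfaces unchanged -->
    </management>
    <!-- domain-controller, interfaces, jvms and servers unchanged -->
</host>

<!-- domain.xml, inside the profile: only the password line changes, from the
     clear-text value to the reference vault.sh printed -->
<subsystem xmlns="urn:jboss:domain:datasources:1.1">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/db2ds" pool-name="db2ds" enabled="true">
            <connection-url>jdbc:db2://dbhost:50000/SAMPLE</connection-url> <!-- assumed -->
            <driver>db2</driver>
            <security>
                <user-name>db2inst1</user-name> <!-- assumed -->
                <password>${VAULT::db2ds::db2ds::1}</password>
            </security>
        </datasource>
    </datasources>
</subsystem>
```

The domain.xml change can also be made from the CLI without editing the file, with `/profile=<profile name>/subsystem=datasources/data-source=db2ds:write-attribute(name=password,value="${VAULT::db2ds::db2ds::1}")`; either way, grep the configuration afterwards to confirm no clear-text copy of the password remains, including in the domain/configuration/domain_xml_history directory that the CLI writes.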


Note: vault.sh has no option to decrypt a stored value; it can only check whether a vault block and attribute exist, and you replace a password by storing a new value under the same block and attribute name. That does not mean the stored values cannot be recovered. Anyone who can read the keystore, the file(s) vault.sh wrote to ENC_FILE_DIR and host.xml can decrypt every entry: the MASK- string in host.xml is not a hash but the keystore password encrypted with a fixed passphrase built into PicketBox, using only the SALT and ITERATION_COUNT that sit next to it in the same file, so it is obfuscation rather than protection. Treat the vault as a way to keep clear-text passwords out of configuration files, backups and version control, not as a secret store that is safe to expose: restrict the keystore, host.xml and ENC_FILE_DIR to the jboss user (mode 600 for files, 700 for the directory), keep ENC_FILE_DIR out of a shared home directory such as /home/jboss, and use a random 8-character salt rather than 12345678 with a far higher iteration count than 44.
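Added example, not code from the original post: a small POSIX shell helper that drives the five-step procedure above non-interactively and audits the files the note warns about. It keeps the values used by vault.sh, by the host.xml vault definition and by the ${VAULT::...} reference in one place, which the hand-typed transcript, CLI command and XML on this page do not (each names a different keystore and alias). It assumes the long-form vault.sh options of JBoss EAP 6.2+/AS 7 (--keystore, --keystore-password, --alias, --enc-dir, --salt, --iteration, --vault-block, --attribute, --sec-attr); the minimum iteration count and the rejection of the default salt are the example's own policy; the paths, host names, salt and secret in the demo are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post). Builds the vault.sh and CLI
# commands for the procedure above from one set of parameters and checks that
# the sensitive files are private. Assumes the long-form vault.sh options of
# JBoss EAP 6.2+/AS 7; salt/iteration policy below is this script's own.

# Refuse weak vault parameters before anything is written. vault.sh requires
# exactly 8 characters of salt; the default 12345678 and the tiny iteration
# count seen in the transcript (44) are rejected here as a local policy.
validate_vault_params() {
    [ "${#1}" -eq 8 ] || { echo "salt must be exactly 8 characters" >&2; return 1; }
    [ "$1" != "12345678" ] || { echo "refusing the default salt 12345678" >&2; return 1; }
    case $2 in
        ''|*[!0-9]*) echo "iteration count must be a positive integer" >&2; return 1 ;;
    esac
    [ "$2" -ge 1000 ] || { echo "iteration count below 1000 is too low" >&2; return 1; }
}

# Print the vault.sh command that stores a secret. Arguments:
#  1 JBOSS_HOME  2 keystore  3 keystore password  4 alias  5 ENC_FILE_DIR
#  6 salt  7 iteration count  8 vault block  9 attribute  10 secret value
# Caveat: everything on this command line is visible in ps and shell history
# while it runs; for production secrets prefer the interactive prompt shown
# above, which never puts the value on a command line.
vault_store_cmd() {
    validate_vault_params "$6" "$7" || return 1
    printf '%s/bin/vault.sh --keystore %s --keystore-password %s --alias %s --enc-dir %s --salt %s --iteration %s --vault-block %s --attribute %s --sec-attr %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "${10}"
}

# The expression that replaces the clear-text value in domain.xml/host.xml.
# The trailing token must be the one vault.sh printed ("1" in the transcript).
vault_ref() {
    printf '${VAULT::%s::%s::%s}\n' "$1" "$2" "${3:-1}"
}

# CLI command defining the vault on one host controller. Arguments:
#  1 host name  2 keystore  3 MASK-... string printed by vault.sh  4 alias
#  5 salt  6 iteration count  7 ENC_FILE_DIR
# Run it for the master and again for every slave: the vault is a host-level
# core service, so it lives in each host.xml, never in domain.xml.
vault_cli_add_cmd() {
    printf '/host=%s/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "%s"),("KEYSTORE_PASSWORD" => "%s"),("KEYSTORE_ALIAS" => "%s"),("SALT" => "%s"),("ITERATION_COUNT" => "%s"),("ENC_FILE_DIR" => "%s")])\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Succeed only if the path exists and group/others can neither read nor write
# it. Apply to the keystore, host.xml and ENC_FILE_DIR: anyone who can read
# those three can recover every vault entry, as the note above explains.
check_private() {
    [ -e "$1" ] || return 2
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print)" ]
}

# Demo: "sh vault_helper.sh demo" prints the commands and audits the files;
# nothing is executed against JBoss. Salt and secret below are made up.
if [ "${1:-}" = demo ]; then
    ks=/home/jboss/hostname1a.jks
    vault_store_cmd /rh/jboss/app1a "$ks" changeit hostname1a /home/jboss/ x9Qp2LmZ 5000 db2ds db2ds 'Db2Pa55w0rd'
    vault_cli_add_cmd master "$ks" 'MASK-<string printed by vault.sh>' hostname1a x9Qp2LmZ 5000 /home/jboss/
    vault_ref db2ds db2ds 1
    for f in "$ks" /home/jboss/ /rh/jboss/app1a/domain/configuration/host.xml; do
        if check_private "$f"; then echo "ok    $f"; else echo "FIX   $f (missing, or readable/writable by group or others)"; fi
    done
fi
```

Running the demo on a host set up exactly as in the transcript flags /home/jboss/ itself, because a home directory is normally group- or world-readable; that is the practical reason to give ENC_FILE_DIR a dedicated directory rather than reusing the user's home.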
