Masking Passwords in standalone.xml Using the JBoss vault Script
JBoss provides a script that allows passwords in the standalone.xml file to be masked. The following tasks describe how to use the JBoss vault script and configure CSA to use the masked password.
- Verify that the JAVA_HOME environment variable has been defined and that JAVA_HOME has been set to the directory in which the JRE that is used by CSA is installed (for example, on Windows: C:\Program Files\HPE\CSA\openjre and on Linux: /usr/local/hpe/csa/openjre).

  Note: Do NOT enclose the value in quotation marks, even if the path name includes a space. The vault script will fail if the JAVA_HOME variable definition contains quotation marks.

  To verify that JAVA_HOME has been defined, from a command prompt, type:

  Windows:
  echo %JAVA_HOME%

  Linux:
  echo $JAVA_HOME
- Create a keystore used by vault. This vault keystore is used to store the CSA keystore password.

  Note: This example saves the vault keystore and encrypted vault file in the CSA_HOME/jboss-as/standalone/configuration/ directory (the contents of this directory are automatically backed up during an upgrade). You may choose to store the vault keystore and encrypted vault file in any location. However, you must remember to use those locations in subsequent steps in this task and, if those locations are not automatically backed up during upgrade, to manually back up the files before upgrade.

  a. Open a command prompt.

  b. Run the following command:

     Windows:
     "CSA_JRE_HOME\bin\keytool" -genkey -alias vault -validity 365 -keyalg rsa -keysize 2048 -keystore .\jboss-as\standalone\configuration\csa_vault.keystore

     Linux:
     CSA_JRE_HOME/bin/keytool -genkey -alias vault -validity 365 -keyalg rsa -keysize 2048 -keystore ./jboss-as/standalone/configuration/csa_vault.keystore

     where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.

     You can use different values for -alias, -validity, -keysize and -keystore. These instructions assume that you will use the -alias and -keystore values recommended here; you will have to adjust the commands accordingly if you use different values.

  c. Enter the vault keystore password (for example, csavault).

     This password is used to control access to the vault keystore. This password must be the same as the password you enter for the key in step e of this task.

  d. Follow the prompts to enter your first and last name, organization, and location values.

  e. Enter the key password. Press Enter to use the vault keystore password you supplied earlier (for example, csavault).

     Although keytool allows you to enter different passwords for the keystore and the key, the two passwords must be the same to work with CSA.
- Run the vault script. The script will generate the masked password and the values to configure in the standalone.xml file to use the masked password.

  a. On Linux, from the command prompt, make the vault script executable. Type:

     chmod 775 CSA_HOME/jboss-as/bin/vault.sh

  b. From the command prompt, type:

     Windows:
     CSA_HOME\jboss-as\bin\vault

     Linux:
     CSA_HOME/jboss-as/bin/vault.sh

  c. Select 0 to start the interactive session.

  d. Enter the following information, when prompted, to configure the vault keystore:

     Prompt | Description |
     ---|---|
     Directory to store encrypted files | Directory in which the vault encrypted file is stored (for example, CSA_HOME/jboss-as/standalone/configuration). Verify that a vault encrypted file (VAULT.dat on Windows or ENC.dat on Linux) does not already exist in this directory. If the file exists, select a different directory. |
     Keystore URL | The name and location of the vault keystore (for example, CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore). |
     Keystore password (twice) | The password to the vault keystore (for example, csavault). |
     8 character salt | A random number (for example, 12345678). |
     Iteration count as a number | The number of times the CSA keystore password is hashed (for example, 25). |
     Keystore alias | The alias used to identify the CSA keystore password in the vault keystore (for example, vault). |

  e. Make a copy of the vault property block that is displayed. For example, copy:

     Windows:
     <vault>
       <vault-option name="KEYSTORE_URL" value="CSA_HOME\jboss-as\standalone\configuration\csa_vault.keystore"/>
       <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
       <vault-option name="KEYSTORE_ALIAS" value="vault"/>
       <vault-option name="SALT" value="12345678"/>
       <vault-option name="ITERATION_COUNT" value="25"/>
       <vault-option name="ENC_FILE_DIR" value="CSA_HOME\jboss-as\standalone\configuration\"/>
     </vault>

     Linux:
     <vault>
       <vault-option name="KEYSTORE_URL" value="CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore"/>
       <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
       <vault-option name="KEYSTORE_ALIAS" value="vault"/>
       <vault-option name="SALT" value="12345678"/>
       <vault-option name="ITERATION_COUNT" value="25"/>
       <vault-option name="ENC_FILE_DIR" value="CSA_HOME/jboss-as/standalone/configuration/"/>
     </vault>

     You will need to add this content to the standalone.xml file (the exact location is described in a later step).

  f. Select 0 to store a secured attribute.

  g. Enter the following information, when prompted, to generate the vault entry to use for the CSA keystore password in the standalone.xml file:

     Prompt | Description |
     ---|---|
     Secured attribute value (twice) | Enter the CSA keystore password (for example, changeit). |
     Vault Block | Enter a name for the vault block (for example, csa_keystore). |
     Attribute Name | Enter the attribute being stored (for example, password). |

     Note the VAULT entry (for example, VAULT::csa_keystore::password::1). You will need this value when you configure the standalone.xml file.

  h. Enter 2 to exit the script.

  Note: The vault script converts the format of the vault keystore (for example, CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore) to JCEKS.

- Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.

- Locate the following entry for the CSA server keystore (this entry may have been modified):

  <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore" keystore-password="changeit"/>

- Update the entry by changing the value of the keystore-password attribute to the vault entry you generated (for example, VAULT::csa_keystore::password::1), wrapped in ${ and }.

  For example:

  Windows:
  <keystore path="CSA_HOME\jboss-as\standalone\configuration\.keystore" keystore-password="${VAULT::csa_keystore::password::1}"/>

  Linux:
  <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore" keystore-password="${VAULT::csa_keystore::password::1}"/>

- Add the vault property block to <server xmlns="urn:jboss:domain:1.3"> after the system-properties block. For example, using the example values, enter the following:

Windows:
<server xmlns="urn:jboss:domain:1.3">
.
.
.
<system-properties>
.
.
.
</system-properties>
<vault>
<vault-option name="KEYSTORE_URL" value="CSA_HOME\jboss-as\standalone\configuration\csa_vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="25"/>
<vault-option name="ENC_FILE_DIR" value="CSA_HOME\jboss-as\standalone\configuration\"/>
</vault>
Linux:
<server xmlns="urn:jboss:domain:1.3">
.
.
.
<system-properties>
.
.
.
</system-properties>
<vault>
<vault-option name="KEYSTORE_URL" value="CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="25"/>
<vault-option name="ENC_FILE_DIR" value="CSA_HOME/jboss-as/standalone/configuration/"/>
</vault>
Note: In a clustered environment, add the vault XML entries in host.xml as shown below.

For example, using the example value, enter the following:

Host.xml:
<?xml version='1.0' encoding='UTF-8'?>
<host name="master_node" xmlns="urn:jboss:domain:1.2">
  <vault>
    <vault-option name="KEYSTORE_URL" value="CSA_HOME\jboss-as\standalone\configuration\csa_vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="25"/>
    <vault-option name="ENC_FILE_DIR" value="CSA_HOME\jboss-as\standalone\configuration\"/>
  </vault>
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <authentication>
          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
        </authentication>
      </security-realm>
      <security-realm name="ApplicationRealm">
        <authentication>
          <properties path="application-users.properties" relative-to="jboss.domain.config.dir"/>
        </authentication>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <native-interface security-realm="ManagementRealm">
        <socket interface="management" port="${jboss.management.native.port:9999}"/>
      </native-interface>
      <http-interface security-realm="ManagementRealm">
        <socket interface="management" port="${jboss.management.http.port:9990}"/>
      </http-interface>
    </management-interfaces>
  </management>
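
A check to run once the procedure above is finished, as an added example that is not part of the original documentation: it parses standalone.xml (or host.xml) text and reports vault options that are missing or malformed and password attributes that are not `${VAULT::...}` references. The function names, the sample document and the rule that every attribute ending in `password` should be vaulted are assumptions; the rule goes beyond the single `keystore-password` entry this page covers.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like this page's standalone.xml excerpts, with four
# deliberate faults: no ENC_FILE_DIR, 7-character salt, two bad keystore entries.
SAMPLE = """<server xmlns="urn:jboss:domain:1.3">
 <vault>
  <vault-option name="KEYSTORE_URL" value="CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="1234567"/>
  <vault-option name="ITERATION_COUNT" value="25"/>
 </vault>
 <keystore path="a/.keystore" keystore-password="${VAULT::csa_keystore::password::1}"/>
 <keystore path="b/.keystore" keystore-password="changeit"/>
 <keystore path="c/.keystore" keystore-password="VAULT::csa_keystore::password::1"/>
</server>"""

REQUIRED = ["KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
            "SALT", "ITERATION_COUNT", "ENC_FILE_DIR"]
VAULT_REF = re.compile(r"\$\{VAULT::[^:}]+::[^:}]+::[^:}]+\}")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace, whatever its version

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    opts = {o.get("name"): o.get("value", "") for o in root.iter()
            if local(o.tag) == "vault-option"}
    findings = [f"vault-option {n} is missing" for n in REQUIRED if n not in opts]
    if not opts.get("KEYSTORE_PASSWORD", "MASK-").startswith("MASK-"):
        findings.append("KEYSTORE_PASSWORD is not a MASK- value")
    if "SALT" in opts and len(opts["SALT"]) != 8:
        findings.append("SALT is not 8 characters")
    if "ITERATION_COUNT" in opts and not opts["ITERATION_COUNT"].isdigit():
        findings.append("ITERATION_COUNT is not a number")
    for el in root.iter():
        for attr, value in el.attrib.items():
            if not attr.lower().endswith("password") or VAULT_REF.fullmatch(value):
                continue
            where = f"{local(el.tag)} path={el.get('path')!r} {attr}"
            if value.startswith("VAULT::"):
                findings.append(f"{where}: VAULT entry lacks the ${{...}} wrapper")
            else:
                findings.append(f"{where}: cleartext password")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real installation, pass the text of the edited standalone.xml to `audit()` in place of `SAMPLE`.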