Masking Passwords in standalone.xml Using the JBoss vault Script

JBoss provides a script that allows passwords in the standalone.xml file to be masked. The following tasks describe how to use the JBoss vault script and configure CSA to use the masked password.

  1. Verify that the JAVA_HOME environment variable has been defined and that JAVA_HOME has been set to the directory in which the JRE that is used by CSA is installed (for example, on Windows: C:\Program Files\HPE\CSA\openjre and on Linux: /usr/local/hpe/csa/openjre).

    Note Do NOT enclose the value in quotation marks, even if the path name includes a space. The vault script will fail if the JAVA_HOME variable definition contains quotation marks.

    To verify that JAVA_HOME has been defined and to print its value, from a command prompt, type:

      Windows:

      echo %JAVA_HOME%

      Linux:

      echo $JAVA_HOME

  2. Create a keystore used by vault. This vault keystore is used to store the CSA keystore password.

    Note This example saves the vault keystore and encrypted vault file in the CSA_HOME/jboss-as/standalone/configuration/ directory (the contents of this directory are automatically backed up during an upgrade). You may choose to store the vault keystore and encrypted vault file in any location. However, you must remember to use those locations in subsequent steps in this task and, if those locations are not automatically backed up during upgrade, to manually back up the files before upgrade.

    1. Open a command prompt.

    2. Run the following command:

      Windows:

      "CSA_JRE_HOME\bin\keytool" -genkey -alias vault -validity 365 -keyalg rsa
      -keysize 2048 -keystore .\jboss-as\standalone\configuration\csa_vault.keystore

      Linux:

      CSA_JRE_HOME/bin/keytool -genkey -alias vault -validity 365 -keyalg rsa
      -keysize 2048 -keystore ./jboss-as/standalone/configuration/csa_vault.keystore

      where

      CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed

      You can use different values for -alias, -validity, -keysize and -keystore. These instructions assume that you will use the -alias and -keystore values recommended here; you will have to adjust the commands accordingly if you use different values.

    3. Enter the vault keystore password (for example, csavault).

      This password is used to control access to the vault keystore. This password must be the same as the password you enter for the key in step 5 of this task.

    4. Follow the prompts to enter your first and last name, organization, and location values.

    5. Enter the key password. Press Enter to use the vault keystore password you supplied earlier (for example, csavault).

      Although keytool allows you to enter different passwords for the keystore and the key, the two passwords must be the same to work with CSA.

  3. Run the vault script. The script will generate the masked password and the values to configure in the standalone.xml file to use the masked password.

    1. On Linux from the command prompt, make the vault script executable. Type: chmod 775 CSA_HOME/jboss-as/bin/vault.sh

    2. From the command prompt, type:

      Windows:

      CSA_HOME\jboss-as\bin\vault

      Linux:

      CSA_HOME/jboss-as/bin/vault.sh

    3. Select 0 to start the interactive session.

    4. Enter the following information, when prompted, to configure the vault keystore:

      Prompt: Directory to store encrypted files
      Description: Directory in which the vault encrypted file is stored (for example, CSA_HOME/jboss-as/standalone/configuration).

      Verify that a vault encrypted file (VAULT.dat on Windows or ENC.dat on Linux) does not already exist in this directory. If the file exists, select a different directory.

      Prompt: Keystore URL
      Description: The name and location of the vault keystore (for example, CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore).

      Prompt: Keystore password (twice)
      Description: The password to the vault keystore (for example, csavault).

      Prompt: 8 character salt
      Description: A random number (for example, 12345678).

      Prompt: Iteration count as a number
      Description: The number of times the CSA keystore password is hashed (for example, 25).

      Prompt: Keystore alias
      Description: The alias used to identify the CSA keystore password in the vault keystore (for example, vault).

    5. Make a copy of the vault property block that is displayed. For example, copy:

      Windows:

      <vault>
         <vault-option name="KEYSTORE_URL" value="CSA_HOME\jboss-as\standalone\configuration\csa_vault.keystore"/>
         <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
         <vault-option name="KEYSTORE_ALIAS" value="vault"/>
         <vault-option name="SALT" value="12345678"/>
         <vault-option name="ITERATION_COUNT" value="25"/>
         <vault-option name="ENC_FILE_DIR" value="CSA_HOME\jboss-as\standalone\configuration\"/>
      </vault>

      Linux:

      <vault>
         <vault-option name="KEYSTORE_URL" value="CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore"/>
         <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
         <vault-option name="KEYSTORE_ALIAS" value="vault"/>
         <vault-option name="SALT" value="12345678"/>
         <vault-option name="ITERATION_COUNT" value="25"/>
         <vault-option name="ENC_FILE_DIR" value="CSA_HOME/jboss-as/standalone/configuration/"/>
      </vault>

      You will need to add this content to the standalone.xml file (the exact location is described in a later step).

    6. Select 0 to store a secured attribute.

    7. Enter the following information, when prompted, to generate the vault entry to use for the CSA keystore password in the standalone.xml file:

      Prompt: Secured attribute value (twice)
      Description: Enter the CSA keystore password (for example, changeit).

      Prompt: Vault Block
      Description: Enter a name for the vault block (for example, csa_keystore).

      Prompt: Attribute Name
      Description: Enter the attribute being stored (for example, password).

      Note the VAULT entry (for example, VAULT::csa_keystore::password::1). You will need this value when you configure the standalone.xml file.

    8. Enter 2 to exit the script.

    Note The vault script converts the format of the vault keystore (for example, CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore) to JCEKS.

  4. Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.

  5. Locate the following entry for the CSA server keystore (this entry may have been modified):

    <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore" keystore-password="changeit"/>

  6. Update the entry by changing the value of the keystore-password attribute to the vault entry you generated, wrapped in ${ } (for example, ${VAULT::csa_keystore::password::1}).

    For example:

    Windows:

    <keystore path="CSA_HOME\jboss-as\standalone\configuration\.keystore" keystore-password="${VAULT::csa_keystore::password::1}"/>

    Linux:

    <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore" keystore-password="${VAULT::csa_keystore::password::1}"/>

  7. Add the vault property block to <server xmlns="urn:jboss:domain:1.3"> after the system-properties block. For example, using the example values, enter the following:

    Windows:

    <server xmlns="urn:jboss:domain:1.3">
    .
    .
    .
    <system-properties>
    .
    .
    .
    </system-properties>
    <vault>
       <vault-option name="KEYSTORE_URL" value="CSA_HOME\jboss-as\standalone\configuration\csa_vault.keystore"/>
       <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
       <vault-option name="KEYSTORE_ALIAS" value="vault"/>
       <vault-option name="SALT" value="12345678"/>
       <vault-option name="ITERATION_COUNT" value="25"/>
       <vault-option name="ENC_FILE_DIR" value="CSA_HOME\jboss-as\standalone\configuration\"/>
    </vault>

    Linux:

    <server xmlns="urn:jboss:domain:1.3">
    .
    .
    .
    <system-properties>
    .
    .
    .
    </system-properties>
    <vault>
       <vault-option name="KEYSTORE_URL" value="CSA_HOME/jboss-as/standalone/configuration/csa_vault.keystore"/>
       <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
       <vault-option name="KEYSTORE_ALIAS" value="vault"/>
       <vault-option name="SALT" value="12345678"/>
       <vault-option name="ITERATION_COUNT" value="25"/>
       <vault-option name="ENC_FILE_DIR" value="CSA_HOME/jboss-as/standalone/configuration/"/>
    </vault>
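To confirm that the edit took effect, the following audit script is an added example (not part of the CSA documentation or of JBoss) that reads a standalone.xml and reports any keystore-password attribute still holding a plaintext value, whether the <vault> block carries all six options the vault script prints with a MASK- password, and whether it sits after <system-properties>. The sample documents and the configuration/ paths in them are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# A vault reference as the vault script prints it, wrapped for standalone.xml
VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::\d+\}$")
# The options the vault script emits in its <vault> block
REQUIRED_OPTIONS = {"KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
                    "SALT", "ITERATION_COUNT", "ENC_FILE_DIR"}

def local(tag):
    """Drop the urn:jboss:domain:* namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_standalone(xml_text):
    """Report keystores still holding plaintext passwords, and whether the <vault>
    block is complete, masked and placed after <system-properties>."""
    root = ET.fromstring(xml_text)
    report = {"plaintext": [], "vault_refs": [], "missing_options": set(REQUIRED_OPTIONS),
              "password_masked": False, "vault_after_system_properties": False}
    for el in root.iter():
        if local(el.tag) == "keystore" and "keystore-password" in el.attrib:
            key = "vault_refs" if VAULT_REF.match(el.attrib["keystore-password"]) else "plaintext"
            report[key].append(el.attrib.get("path"))  # record the path, never the secret
    children = [local(c.tag) for c in root]
    if "vault" in children:
        vault = root[children.index("vault")]
        opts = {o.get("name"): o.get("value", "") for o in vault if local(o.tag) == "vault-option"}
        report["missing_options"] = REQUIRED_OPTIONS - set(opts)
        report["password_masked"] = opts.get("KEYSTORE_PASSWORD", "").startswith("MASK-")
        report["vault_after_system_properties"] = (
            "system-properties" in children
            and children.index("vault") > children.index("system-properties"))
    return report

# Constructed samples of the keystore entry before and after step 6, trimmed to the
# elements this audit reads (not a real CSA standalone.xml)
BEFORE = """<server xmlns="urn:jboss:domain:1.3"><system-properties/>
  <keystore path="configuration/.keystore" keystore-password="changeit"/></server>"""

AFTER = """<server xmlns="urn:jboss:domain:1.3"><system-properties/>
  <vault>
    <vault-option name="KEYSTORE_URL" value="configuration/csa_vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="25"/>
    <vault-option name="ENC_FILE_DIR" value="configuration/"/>
  </vault>
  <keystore path="configuration/.keystore" keystore-password="${VAULT::csa_keystore::password::1}"/>
</server>"""
```

Run it against a real file with audit_standalone(open(path).read()); any entry listed under "plaintext" still needs the step 6 edit.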

Note In a clustered environment, add the vault xml entries in host.xml as shown below.

For example, using the example values, enter the following:

host.xml:
<?xml version='1.0' encoding='UTF-8'?>
<host name="master_node" xmlns="urn:jboss:domain:1.2">
<vault>
<vault-option name="KEYSTORE_URL" value="CSA_HOME\jbossas\standalone\configuration\csa_vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="25"/>
<vault-option name="ENC_FILE_DIR" value="CSA_HOME\jbossas\standalone\configuration\"/>
</vault>

<management>
        <security-realms>
           <security-realm name="ManagementRealm">
              <authentication>
                 <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
              </authentication>
           </security-realm>
           <security-realm name="ApplicationRealm">
              <authentication>
                 <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
              </authentication>
           </security-realm>
        </security-realms>
        <management-interfaces>
           <native-interface security-realm="ManagementRealm">
              <socket interface="management" port="${jboss.management.native.port:9999}"/>
           </native-interface>
           <http-interface security-realm="ManagementRealm">
              <socket interface="management" port="${jboss.management.http.port:9990}"/>
           </http-interface>
        </management-interfaces>
</management>