It’s always a risk if you are storing plain-text passwords
on the file system. By default, JBoss EAP6/7 data source passwords are stored
in plaintext inside standalone.xml/domain.xml.
JBoss EAP6 uses picketbox security implementation for
encrypting data source passwords.
Redhat Link - https://access.redhat.com/solutions/184963
https://middlewaretechadmin.blogspot.com/2017/10/how-to-use-encrypted-passwords-in-eap67.html
JBoss EAP7.1 uses “elytron” subsystem allows using credential stores as secure storage for
your credentials
High level Steps to Encrypting DataSource Passwords
Step-1: Take the
backup of standalone.xml file.
Step-2: Select the
application to perform the DB password encryption and keep the DB password handy from standalone.xml file.
Step-3: Check Test
connection for the particular DataSource (By Using CLI)
Step-4: Create a
Credential Store (By Using CLI).
Step-5 : Add a DB password
to a Credential Store (By
Using CLI).
Step-6: Now disable the Data source,
remove the password and use a Stored Credential
in DataSource configuration (By Using CLI)
Step-7: Now enable the
DataSource and restart the application server. Make sure application is started
without any errors.
Step-8: Check test connection for the DataSources. (By Using
CLI)
Detailed Steps
- Check
Test connection for the particular DataSource:
/subsystem=datasources/data-source=eCore-DataSource:test-connection-in-pool
- Create
a Credential Store
/subsystem=elytron/credential-store=my_store:add(location="credentials/csstore.jceks",
relative-to=jboss.server.data.dir,
credential-reference={clear-text=mypassword},create=true)
The above command has created a
Credential Store named "csstore.jceks" in the
"jboss.server.data.dir/credentials" using a clear text password named
"mypassword".
3. Add a DB password
to a Credential
Store.
/subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw,
secret-value="secret")
The above
command will add an alias into the credential store to reference the password
("secret") of DB user
4. Now disable the Data source
/subsystem=datasources/data-source=eCore-DataSource:disable
5. Remove the current plain text password from Data
source configuration
/subsystem=datasources/data-source=eCore-DataSource:undefine-attribute(name=password)
6. Add "credential-reference“ to Data source configuration which points to your alias (which we created from step 3)
/subsystem=datasources/data-source=eCore-DataSource:write-attribute(name=credential-reference,value={store=my_store,
alias=database-pw})
we managed to replace correctly
the password with a Credential Store reference.
7. Enable Datasource
/subsystem=datasources/data-source=eCore-DataSource:enable
8. Restart the app server & Make sure application is started without any
errors.
9. Check test connection for the DataSources, After app
server started.
/subsystem=datasources/data-source=eCore-DataSource:test-connection-in-pool
Repeat the above steps for other datasources.
