It is always a risk to store plain-text passwords on the file system, and good system administration practice is to make sure passwords are stored in encrypted form. By default, JBoss EAP 6 data source passwords are stored in plaintext inside standalone.xml/domain.xml. JBoss EAP 6 uses the PicketBox security implementation to encrypt data source passwords. Note that SecureIdentityLoginModule decrypts the stored value with a key that ships inside PicketBox, so this protects the configuration file against casual reading, not against someone who can run code on the server; file permissions on standalone.xml/domain.xml still matter.
In this post we walk through the step-by-step process to encrypt data source passwords in JBoss EAP 6 or 7.
Download the following script and store it in a location such as /JBOSS_HOME/bin. Set the file permissions and ownership of the script as you see fit. The script used in this example is:
#!/bin/bash
# Script Name: Datasource-password.sh
# (bash rather than sh: the script relies on "read -p" and "echo -e")
############################################################
# Make your changes here only
export JAVA_HOME="/usr/java/jdk1.8.0_121"
export PATH="$JAVA_HOME/bin:$PATH"
JBOSS_HOME="/u02/jboss/jboss-eap-7.0"
OVERLAY_DIRECTORY="$JBOSS_HOME/modules/system/layers/base/.overlays"
#############################################################
echo ""
# -s keeps the typed password off the terminal
read -s -p "Please enter the password to be encrypted : " PASSWORD
echo ""
# A patched (CP) installation keeps the current picketbox jar under the newest .overlays entry
if [ -d "$OVERLAY_DIRECTORY" ]; then
    PATCH_SUBDIRECTORY=$(ls -dt "$OVERLAY_DIRECTORY"/* | grep "CP" | head -n 1)
    echo "patch subdirectory is: $PATCH_SUBDIRECTORY"
    SEARCH_DIRECTORY="$PATCH_SUBDIRECTORY/org/picketbox/main"
else
    SEARCH_DIRECTORY="$JBOSS_HOME/modules/system/layers/base/org/picketbox/main"
fi
# Put every picketbox jar on the classpath so the login module's main() can run
export CLASSPATH=$(find "$(cd "$SEARCH_DIRECTORY" && pwd)" -name "*.jar" -print | tr '\n' ':')$CLASSPATH
echo -e "\x1b[31m----------------------------------------------------\033[0m"
# Prints the encrypted form of the password; copy it into the security-domain
java org.picketbox.datasource.security.SecureIdentityLoginModule "$PASSWORD"
echo -e "\x1b[31m----------------------------------------------------\033[0m"
echo ""
1. Encrypt the database password by running the above script. The script prints the encrypted form of the password; we now have the encrypted database password.
2. In your JBoss configuration file (standalone.xml or domain.xml), create a security-domain in the security subsystem that specifies the encrypted database password:
<security-domain name="encryptedSecurityDomain" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="dbUserName"/>
            <module-option name="password" value="4e74076d773dcbe48f534e004d35e2de"/>
        </login-module>
    </authentication>
</security-domain>
The same can be done via the following CLI commands on a standalone server (for domain mode, prefix each command with /profile=<Profile-Name>):
/subsystem=security/security-domain=encryptedSecurityDomain:add(cache-type=default)
/subsystem=security/security-domain=encryptedSecurityDomain/authentication=classic:add
/subsystem=security/security-domain=encryptedSecurityDomain/authentication=classic/login-module="encryptedSecurityDomain-Module":add(code="org.picketbox.datasource.security.SecureIdentityLoginModule",flag=required,module-options={"username" => "dbUserName","password" => "4e74076d773dcbe48f534e004d35e2de"})
3. Define the security domain in the data source configuration.
Stop the respective application servers, disable the data source, add the security-domain reference and remove the user-name and password attributes. This can be done via the following CLI commands:
Disable the data source:
[domain@192.168.1.12:9999 /] /profile=better/subsystem=datasources/data-source=BetterDS:disable
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined
}
Undefine the password attribute:
[domain@192.168.1.12:9999 /] /profile=better/subsystem=datasources/data-source=BetterDS:undefine-attribute(name=password)
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined
}
Undefine the user-name attribute:
[domain@192.168.1.12:9999 /] /profile=better/subsystem=datasources/data-source=BetterDS:undefine-attribute(name=user-name)
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined
}
Add the security-domain attribute to the data source:
[domain@192.168.1.12:9999 /] /profile=better/subsystem=datasources/data-source=BetterDS:write-attribute(name=security-domain,value=encryptedSecurityDomain)
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined
}
Enable the data source:
[domain@192.168.1.12:9999 /] /profile=better/subsystem=datasources/data-source=BetterDS:enable
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined
}
4. Start the application servers and test the connection for the data source:
[domain@192.168.1.12:9999 /] /host=slave01/server=better-as1/subsystem=datasources/data-source=BetterDS:test-connection-in-pool()
{
    "outcome" => "success",
    "result" => [true]
}
If your configuration is correct, you should see the following output in the JBoss logs, indicating that the data source was registered without any issues:
02:55:21,486 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) JBAS010400: Bound data source [java:/BetterDS]
Additional information: for two different data sources configured in the same profile, create a separate security-domain for each, with its own username and encrypted password.
5. Updating the data source credentials in the security domain:
If you want to change the database credentials held in the security domain, first obtain the encoded form of the new DB password with the script above, then run the following CLI command.
Syntax: /profile=<Profile-Name>/subsystem=security/security-domain=encryptedSecurityDomain/authentication=classic/login-module=encryptedSecurityDomain-Module:write-attribute(name=module-options, value={"username" => "<DB-User>", "password" => "<Encoded_password>"})
Example:
[domain@192.168.1.12:9999 /] /profile=better/subsystem=security/security-domain=encryptedSecurityDomain/authentication=classic/login-module=encryptedSecurityDomain-Module:write-attribute(name=module-options,value={"username" => "BetterDB1", "password" => "6127123fdd287b2d872fda70df0c80b9"})
{
    "outcome" => "success",
    "result" => undefined,
    "server-groups" => undefined
}
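As an added check (example code written for this post, not part of the original or of JBoss), the following Python script audits a standalone.xml/domain.xml after steps 2, 3 and 5 and reports any data source that still carries a cleartext <password> or references a security-domain that is missing or does not use SecureIdentityLoginModule with an encrypted password option. The embedded sample XML, the data source names other than BetterDS, and the cleartext value are constructed.

```python
import re
import xml.etree.ElementTree as ET

SECURE_MODULE = "org.picketbox.datasource.security.SecureIdentityLoginModule"
HEX_RE = re.compile(r"^[0-9a-f]+$")  # the encrypt script prints the value as lowercase hex

def _local(tag):  # drop the namespace so any subsystem schema version matches
    return tag.rsplit("}", 1)[-1]

def secure_domains(root):
    """security-domain name -> True if it uses SecureIdentityLoginModule with a hex password option."""
    result = {}
    for sds in (e for e in root.iter() if _local(e.tag) == "security-domains"):
        for sd in sds:
            opts = {}
            for lm in sd.iter():
                if _local(lm.tag) == "login-module" and lm.get("code") == SECURE_MODULE:
                    opts = {o.get("name"): o.get("value", "") for o in lm if _local(o.tag) == "module-option"}
            result[sd.get("name")] = bool(HEX_RE.match(opts.get("password", "")))
    return result

def audit_config(xml_text):
    """Return [(jndi-name, finding)] for data sources with a cleartext <password> or a bad security-domain."""
    root = ET.fromstring(xml_text)
    domains = secure_domains(root)
    findings = []
    for ds in (e for e in root.iter() if _local(e.tag) in ("datasource", "xa-datasource")):
        name = ds.get("jndi-name")
        # children of <security>: user-name/password (cleartext) or security-domain (reference)
        sec = {_local(c.tag): (c.text or "").strip() for s in ds if _local(s.tag) == "security" for c in s}
        if "password" in sec:
            findings.append((name, "cleartext password in <security>"))
        elif "security-domain" in sec and not domains.get(sec["security-domain"]):
            findings.append((name, "security-domain %r missing or not encrypted" % sec["security-domain"]))
    return findings

# Constructed sample: one clean, one cleartext and one orphaned data source (not a real config).
SAMPLE_XML = """<server xmlns="urn:jboss:domain:4.0"><profile>
<subsystem xmlns="urn:jboss:domain:datasources:4.0"><datasources>
<datasource jndi-name="java:/BetterDS" pool-name="BetterDS"><security><security-domain>encryptedSecurityDomain</security-domain></security></datasource>
<datasource jndi-name="java:/LegacyDS" pool-name="LegacyDS"><security><user-name>dbUserName</user-name><password>hunter2</password></security></datasource>
<datasource jndi-name="java:/OrphanDS" pool-name="OrphanDS"><security><security-domain>missingDomain</security-domain></security></datasource>
</datasources></subsystem><subsystem xmlns="urn:jboss:domain:security:2.0"><security-domains>
<security-domain name="encryptedSecurityDomain" cache-type="default"><authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="dbUserName"/><module-option name="password" value="4e74076d773dcbe48f534e004d35e2de"/>
</login-module></authentication></security-domain></security-domains></subsystem></profile></server>"""

if __name__ == "__main__":
    for name, finding in audit_config(SAMPLE_XML):
        print(name, "->", finding)
```

Run it against a copy of your real configuration file (read it in place of SAMPLE_XML); an empty result means every data source goes through an encrypted security-domain.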
For More Info :: https://access.redhat.com/solutions/184963