Sunday, 12 March 2023

Encrypting DataSource password in JBoss EAP 7.1

 

Storing plain-text passwords on the file system is always a risk: anyone who can read the configuration, or a backup of it, gets the database credentials. By default, JBoss EAP 6 and 7 store data source passwords in plain text inside standalone.xml or domain.xml.

JBoss EAP 6 uses the PicketBox security implementation to encrypt data source passwords.

Redhat Link -  https://access.redhat.com/solutions/184963

https://middlewaretechadmin.blogspot.com/2017/10/how-to-use-encrypted-passwords-in-eap67.html

 

JBoss EAP 7.1 introduces the "elytron" subsystem, which lets you use credential stores as secure storage for your credentials, so the data source configuration only references an alias instead of carrying the password itself.

Redhat Link -  https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials#credential_store

 

High-level steps to encrypt DataSource passwords

Step-1: Take a backup of the standalone.xml file.

Step-2: Select the application whose DB password you want to encrypt and keep that DB password (from standalone.xml) at hand; you will need it to populate the credential store.

Step-3: Check the test connection for that particular DataSource (using the CLI).

Step-4: Create a credential store (using the CLI).

Step-5: Add the DB password to the credential store (using the CLI).

Step-6: Disable the DataSource, remove the plain-text password and point the DataSource configuration at the stored credential (using the CLI).

Step-7: Enable the DataSource and restart the application server. Make sure the application starts without any errors.

Step-8: Check the test connection for the DataSources again (using the CLI).

 

Detailed Steps

1. Check the test connection for the particular DataSource:

/subsystem=datasources/data-source=eCore-DataSource:test-connection-in-pool

2. Create a credential store

/subsystem=elytron/credential-store=my_store:add(location="credentials/csstore.jceks", relative-to=jboss.server.data.dir,  credential-reference={clear-text=mypassword},create=true)

        The above command creates a credential store resource named "my_store", backed by the file "csstore.jceks" under "jboss.server.data.dir/credentials" and protected by the password "mypassword". Note that this store password itself is written in clear text into standalone.xml (the credential-reference clear-text attribute): the DB password no longer appears in the configuration, but anyone who can read both standalone.xml and the .jceks file can open the store. Keep both files readable only by the account running JBoss, and consider masking the store password with elytron-tool.sh as described in the Red Hat documentation linked above.

3. Add the DB password to the credential store

/subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="secret")

The above command adds the alias "database-pw" to the credential store, holding the password ("secret") of the DB user. The secret is typed into the CLI in clear text, so it is also recorded in the CLI history file (~/.jboss-cli-history by default); remove that entry afterwards, or run the command from a batch file that you delete once it has been applied.

4. Disable the DataSource

/subsystem=datasources/data-source=eCore-DataSource:disable

5. Remove the current plain-text password from the DataSource configuration

/subsystem=datasources/data-source=eCore-DataSource:undefine-attribute(name=password)

6. Add a "credential-reference" to the DataSource configuration which points to the alias created in step 3

/subsystem=datasources/data-source=eCore-DataSource:write-attribute(name=credential-reference,value={store=my_store, alias=database-pw})

The plain-text password has now been replaced by a credential store reference.

7. Enable the DataSource

/subsystem=datasources/data-source=eCore-DataSource:enable

8. Restart the app server and make sure the application starts without any errors.

9. After the app server has started, check the test connection for the DataSource again.

/subsystem=datasources/data-source=eCore-DataSource:test-connection-in-pool

Repeat the above steps for the other DataSources. The credential store only needs to be created once; add a separate alias for each DataSource's password.
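As an added example (not code from the original post, nor part of Red Hat's tooling), the following Python script covers both the high-level and the detailed procedure above: it generates the jboss-cli batch for a given DataSource, and audits a standalone.xml for DataSources that still carry a clear-text <password> and for credential stores whose own password is unmasked. The DataSource names, the store name my_store, the alias names and the XML fragment are constructed for illustration.

```python
# Added example (not from the original post): build the jboss-cli batch that
# moves a DataSource password into an Elytron credential store, and audit a
# standalone.xml for clear-text DataSource passwords and unmasked store
# passwords. Names and the sample XML below are constructed, not real.
import os
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def migration_batch(datasource, store, alias, store_password, db_password,
                    store_file="credentials/csstore.jceks", create_store=True):
    """Return the CLI commands from the post as a batch, one per line.
    The restart and the final test-connection are left to the operator,
    since the new credential-reference takes effect after the restart."""
    ds = f"/subsystem=datasources/data-source={datasource}"
    cs = f"/subsystem=elytron/credential-store={store}"
    cmds = [f"{ds}:test-connection-in-pool"]
    if create_store:  # only once; later DataSources reuse the same store
        cmds.append(f'{cs}:add(location="{store_file}", relative-to=jboss.server.data.dir, '
                    f'credential-reference={{clear-text="{store_password}"}}, create=true)')
    cmds += [
        f'{cs}:add-alias(alias={alias}, secret-value="{db_password}")',
        f"{ds}:disable",
        f"{ds}:undefine-attribute(name=password)",
        f"{ds}:write-attribute(name=credential-reference, value={{store={store}, alias={alias}}})",
        f"{ds}:enable",
    ]
    return "\n".join(cmds) + "\n"


def write_batch(path, text):
    """Write the batch to a new owner-only file: it holds two secrets, so
    delete it right after running 'jboss-cli.sh -c --file=<path>'."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def audit_datasources(standalone_xml):
    """Map each DataSource pool-name to how its password is configured."""
    report = {}
    for ds in ET.fromstring(standalone_xml).iter():
        if _local(ds.tag) not in ("datasource", "xa-datasource"):
            continue
        name = ds.get("pool-name") or ds.get("jndi-name")
        security = next((c for c in ds if _local(c.tag) == "security"), None)
        if security is None:
            report[name] = "no-security-element"
            continue
        kinds = {_local(c.tag) for c in security}
        if "password" in kinds:
            report[name] = "clear-text"
        elif "credential-reference" in kinds:
            report[name] = "credential-reference"
        else:
            report[name] = "no-password"
    return report


def unmasked_store_passwords(standalone_xml):
    """Names of credential stores whose own password is a clear-text value
    in standalone.xml rather than a MASK- value produced by elytron-tool."""
    hits = []
    for cs in ET.fromstring(standalone_xml).iter():
        if _local(cs.tag) != "credential-store":
            continue
        for ref in cs:
            pw = ref.get("clear-text") if _local(ref.tag) == "credential-reference" else None
            if pw is not None and not pw.startswith("MASK-"):
                hits.append(cs.get("name"))
    return hits


# Constructed standalone.xml fragment: one DataSource still in clear text,
# one already migrated, and a store whose protection password is unmasked.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:5.0"><profile>
 <subsystem xmlns="urn:jboss:domain:datasources:5.0"><datasources>
  <datasource jndi-name="java:jboss/datasources/eCore" pool-name="eCore-DataSource" enabled="true">
   <connection-url>jdbc:postgresql://db.example.internal:5432/ecore</connection-url>
   <driver>postgresql</driver>
   <security><user-name>ecore</user-name><password>secret</password></security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/Reports" pool-name="Reports-DataSource" enabled="true">
   <connection-url>jdbc:postgresql://db.example.internal:5432/reports</connection-url>
   <driver>postgresql</driver>
   <security><user-name>reports</user-name><credential-reference store="my_store" alias="reports-pw"/></security>
  </datasource>
 </datasources></subsystem>
 <subsystem xmlns="urn:wildfly:elytron:1.2"><credential-stores>
  <credential-store name="my_store" relative-to="jboss.server.data.dir" location="credentials/csstore.jceks" create="true">
   <credential-reference clear-text="mypassword"/>
  </credential-store>
 </credential-stores></subsystem>
</profile></server>"""

if __name__ == "__main__":
    print(audit_datasources(SAMPLE_STANDALONE_XML))
    print(unmasked_store_passwords(SAMPLE_STANDALONE_XML))
    print(migration_batch("eCore-DataSource", "my_store", "database-pw",
                          os.environ.get("STORE_PW", "mypassword"),
                          os.environ.get("DB_PW", "secret")))
```

Run the audit against the real standalone.xml before and after the change: every DataSource should report "credential-reference" afterwards. Apply the batch with jboss-cli.sh -c --file=<batch file>, delete that file, restart the server, then run test-connection-in-pool as in step 9. The secrets are passed in as parameters rather than hard-coded so they do not end up in the script or in version control.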