4 Replies Latest reply: Dec 20, 2011 11:06 AM by Dmitri Voronov RSS

    AS7: Sensitive Attributes Masking

    Anil Saldanha Master

      We can extend masking of passwords to all attributes that the user determines to be sensitive and not be displayed in clear text in the configuration files.


      There are two entities:

      a) Sensitive Attribute Holder (SAH).

      b) Requesting Party (RP).


      The "SAH" will securely hold all the sensitive attributes in one place. Ideally using AES256+ type encryption.


      The Requesting Party is an entity in the AS that wants to get access to the secure attribute.


      The challenge is to ensure the authenticity of the RP.


      How do we know RP is the real owner of the attribute?


      Some thoughts:

      1. We can provide a shared key to the RP via an offline tool. The RP will configure the shared key (how do we secure this shared key?).
      2. When the RP asks for the attribute, we can check the package of the RP and ensure that it matches the package that was used in generation of the shared key provided.



      1. Potential extension by security ISVs.
      2. Simple intuitive strategy.



        • 1. Re: AS7: Sensitive Attributes Masking
          Anil Saldanha Master

          The security schema in AS7.1 has a new vault element that can be used to configure the attribute vault.  An offline tool is needed to interact with the vault to store the attributes.  The AS is supposed to be a read only customer of the vault.


          The proposal is to create bin/vault.sh   (vault.bat)   to interact with the default implementation of the vault.

          • 2. Re: AS7: Sensitive Attributes Masking
            Anil Saldanha Master


            ****  JBoss Vault ********


            Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit


            Starting an interactive session

            Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/

            Enter Keystore URL:/home/anil/vault/vault.keystore

            Enter Keystore password:

            Enter Keystore password again:

            Password match

            Enter 8 character salt:12345678

            Enter iteration count as a number (Eg: 44):50


            Please make note of the following:


            Masked Password:MASK-5WNXs8oEbrs


            Iteration Count:50



            Enter Keystore Alias:vault

            Sep 20, 2011 4:23:40 PM org.jboss.security.vault.SecurityVaultFactory get

            INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault

            Obtained Vault

            Intializing Vault

            Vault is initialized and ready for use

            Handshake with Vault complete

            Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit


            Task:  Store a password

            Please enter attribute value:

            Please enter attribute value again:

            Password match

            Enter Vault Block:messaging

            Enter Attribute Name:pass

            Attribute Value for (messaging, pass) saved

            Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit


            Task: Verify whether a password exists

            Enter Vault Block:messaging

            Enter Attribute Name:pass

            A value exists for (messaging, pass)

            Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit


            • 3. Re: AS7: Sensitive Attributes Masking
              Dmitri Voronov Novice

              Hi all,


              I'm currently trying to apply vault for DataSource' password in JBoss AS 7.1.0.Beta1 as described in Wiki http://community.jboss.org/wiki/JBossAS7SecuringPasswords but doesn't work. I get following exception:


              10:23:41,265 ERROR [org.jboss.as.controller] (ServerService Thread Pool -- 47) JBAS014612: Operation ("enable") failed - address: ([

                  ("subsystem" => "datasources"),

                  ("data-source" => "java:jboss/jdbc/MSSQLDataSource-PROD")

              ]): java.lang.SecurityException: org.jboss.security.vault.SecurityVaultException: PB00027: Vault Mismatch:Shared Key does not match for vault block:MSSQLDataSource and attributeName:password

                  at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:98) [jboss-as-server-7.1.0.Beta1.jar:]

                  at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45) [jboss-as-server-7.1.0.Beta1.jar:]

                  at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.1.0.Beta1.jar:]



              My configuration:


              I put vault configuration in standalone in the server scope:


                <vault-option name="KEYSTORE_URL" value="C:/eplatform/jboss/AS-7.0/standalone/configuration/vault.keystore"/>
                <vault-option name="KEYSTORE_PASSWORD" value="MASK-8mj0bd6g0iq"/>
                <vault-option name="KEYSTORE_ALIAS" value="vault"/>
                <vault-option name="SALT" value="12345678"/>
                <vault-option name="ITERATION_COUNT" value="42"/>
                <vault-option name="ENC_FILE_DIR" value="C:/eplatform/jboss/AS-7.0/standalone/data/"/>



              and the DataSource' password value:




              Thanks and regards

              • 4. Re: AS7: Sensitive Attributes Masking
                Dmitri Voronov Novice



                I found out the origin: I had to complete the expression for password with semicolon (;)

                But now I have another issue. At the moment I put <vault> config into server scope.









                The server starts up, vault is initialized and the DS password is decrypted; everything works. But JBoss configuration is dumped back to standalone.xml and <vault> disappears:




                Where shall I put <vault> configuration?