4 Replies Latest reply: Dec 20, 2011 11:06 AM by Dmitri Voronov RSS

AS7: Sensitive Attributes Masking

Anil Saldhana Master

We can extend masking of passwords to all attributes that the user determines to be sensitive and not be displayed in clear text in the configuration files.

 

There are two entities:

a) Sensitive Attribute Holder (SAH).

b) Requesting Party (RP).

 

The "SAH" will securely hold all the sensitive attributes in one place, ideally using AES256+ type encryption.

 

The Requesting Party is an entity in the AS that wants to get access to the secure attribute.

 

The challenge is to ensure the authenticity of the RP.

 

How do we know RP is the real owner of the attribute?

 

Some thoughts:

  1. We can provide a shared key to the RP via an offline tool. The RP will configure the shared key (how do we secure this shared key?).
  2. When the RP asks for the attribute, we can check the package of the RP and ensure that it matches the package that was used in generation of the shared key provided.

 

Requirements:

  1. Potential extension by security ISVs.
  2. Simple intuitive strategy.

JIRA:

https://issues.jboss.org/browse/AS7-1622

  • 1. Re: AS7: Sensitive Attributes Masking
    Anil Saldhana Master

    The security schema in AS7.1 has a new vault element that can be used to configure the attribute vault.  An offline tool is needed to interact with the vault to store the attributes.  The AS is supposed to be a read only customer of the vault.

     

    The proposal is to create bin/vault.sh (vault.bat) to interact with the default implementation of the vault.

  • 2. Re: AS7: Sensitive Attributes Masking
    Anil Saldhana Master

    **********************************

    ****  JBoss Vault ********

    **********************************

    Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit

    0

    Starting an interactive session

    Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/

    Enter Keystore URL:/home/anil/vault/vault.keystore

    Enter Keystore password:

    Enter Keystore password again:

    Password match

    Enter 8 character salt:12345678

    Enter iteration count as a number (Eg: 44):50

                   

    Please make note of the following:

    ********************************************

    Masked Password:MASK-5WNXs8oEbrs

    salt:12345678

    Iteration Count:50

    ********************************************

                   

    Enter Keystore Alias:vault

    Sep 20, 2011 4:23:40 PM org.jboss.security.vault.SecurityVaultFactory get

    INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault

    Obtained Vault

    Intializing Vault

    Vault is initialized and ready for use

    Handshake with Vault complete

    Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit

    0

    Task:  Store a password

    Please enter attribute value:

    Please enter attribute value again:

    Password match

    Enter Vault Block:messaging

    Enter Attribute Name:pass

    Attribute Value for (messaging, pass) saved

    Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit

    1

    Task: Verify whether a password exists

    Enter Vault Block:messaging

    Enter Attribute Name:pass

    A value exists for (messaging, pass)

    Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit

    2
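    To show what the "Masked Password", salt and iteration count printed by the session above amount to, here is an added example (not the vault tool's own code): a password-based-encryption mask and unmask using the JDK's PBEWithMD5AndDES. The exact algorithm and the fixed built-in passphrase are assumptions, since the page does not state them. Because SALT and ITERATION_COUNT sit in clear text in the <vault> element, the mask only protects the keystore password against casual reading; the keystore file itself still needs filesystem protection.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Illustrative mask/unmask of a keystore password with PBE (salt + iteration count). */
public class MaskDemo {
    private static final String PREFIX = "MASK-";
    // Assumption: the tool uses a fixed, built-in PBE passphrase that is not itself a secret.
    private static final char[] BUILTIN_PASSPHRASE = "built-in-passphrase-placeholder".toCharArray();

    private static Cipher cipher(int mode, String salt, int iterationCount) throws Exception {
        // The tool asks for an 8 character salt; DES PBE needs exactly 8 salt bytes.
        if (salt.length() != 8) {
            throw new IllegalArgumentException("salt must be exactly 8 characters");
        }
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        SecretKey key = factory.generateSecret(new PBEKeySpec(BUILTIN_PASSPHRASE));
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(mode, key, new PBEParameterSpec(salt.getBytes(StandardCharsets.UTF_8), iterationCount));
        return c;
    }

    /** Produces the MASK-... form that goes into KEYSTORE_PASSWORD. */
    public static String mask(String keystorePassword, String salt, int iterationCount) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, salt, iterationCount)
                .doFinal(keystorePassword.getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().withoutPadding().encodeToString(ct);
    }

    /** Reverses the mask; a value without the MASK- prefix is returned unchanged (plain password). */
    public static String unmask(String value, String salt, int iterationCount) throws Exception {
        if (!value.startsWith(PREFIX)) {
            return value;
        }
        byte[] ct = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        return new String(cipher(Cipher.DECRYPT_MODE, salt, iterationCount).doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String salt = "12345678";   // same salt the session above uses
        int iterations = 50;        // same iteration count the session above uses
        String masked = mask("keystore-secret", salt, iterations);   // constructed sample password
        System.out.println("Masked:    " + masked);
        // Anyone able to read SALT and ITERATION_COUNT from the <vault> element can recover the password:
        System.out.println("Recovered: " + unmask(masked, salt, iterations));
    }
}
```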

  • 3. Re: AS7: Sensitive Attributes Masking
    Dmitri Voronov Novice

    Hi all,

     

    I'm currently trying to apply the vault for a DataSource's password in JBoss AS 7.1.0.Beta1 as described in the Wiki http://community.jboss.org/wiki/JBossAS7SecuringPasswords, but it doesn't work. I get the following exception:

     

    10:23:41,265 ERROR [org.jboss.as.controller] (ServerService Thread Pool -- 47) JBAS014612: Operation ("enable") failed - address: ([

        ("subsystem" => "datasources"),

        ("data-source" => "java:jboss/jdbc/MSSQLDataSource-PROD")

    ]): java.lang.SecurityException: org.jboss.security.vault.SecurityVaultException: PB00027: Vault Mismatch:Shared Key does not match for vault block:MSSQLDataSource and attributeName:password

        at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:98) [jboss-as-server-7.1.0.Beta1.jar:]

        at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45) [jboss-as-server-7.1.0.Beta1.jar:]

        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.1.0.Beta1.jar:]

    ...

     

    My configuration:

     

    I put vault configuration in standalone in the server scope:

     

    <vault>
      <vault-option name="KEYSTORE_URL" value="C:/eplatform/jboss/AS-7.0/standalone/configuration/vault.keystore"/>
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-8mj0bd6g0iq"/>
      <vault-option name="KEYSTORE_ALIAS" value="vault"/>
      <vault-option name="SALT" value="12345678"/>
      <vault-option name="ITERATION_COUNT" value="42"/>
      <vault-option name="ENC_FILE_DIR" value="C:/eplatform/jboss/AS-7.0/standalone/data/"/>
    </vault>

     

     

    and the DataSource's password value:

    <password>
      ${VAULT::MSSQLDataSource::password::MmUxNzU1MjgtYWM1Mi00MzZmLThlZTctZGIxNzE4ZGQ3ZWZlTElORV9CUkVBS3ZhdWx0}
    </password>

     

     

    Thanks and regards

  • 4. Re: AS7: Sensitive Attributes Masking
    Dmitri Voronov Novice

    Hi,

     

    I found out the origin: I had to complete the expression for the password with a semicolon (;).

    But now I have another issue. At the moment I put the <vault> config into the server scope.

    ...

    </extensions>

     

    <vault>

    ...

    </vault>

    <management>

    ...

    The server starts up, the vault is initialized and the DS password is decrypted; everything works. But the JBoss configuration is dumped back to standalone.xml and <vault> disappears:

    <vault/>

     

     

    Where shall I put <vault> configuration?

     

    Thanks