Storing datasource password in Vault - Domain Mode
diegossilveira Jan 30, 2012 7:32 PM
Hello,
I'm trying to store my xa-datasources' passwords encrypted in VAULT. My JBoss is 7.1.0.CR1b and I followed the directions as explained here: https://community.jboss.org/wiki/JBossAS7SecuringPasswords
The problem is that when I start JBoss in domain mode, I get the following exception:
18:04:28,424 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 51) JBAS014612: Operation ("enable") failed - address: ([ ("subsystem" => "datasources"), ("xa-data-source" => "dbpd03") ]): java.lang.SecurityException: Vault is not initialized
    at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:97)
    at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:40) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:414) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:622) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:263) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.getResolvedStringIfSetOrGetDefault(DataSourceModelNodeUtil.java:359)
    at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.xaFrom(DataSourceModelNodeUtil.java:228)
    at org.jboss.as.connector.subsystems.datasources.DataSourceEnable$1.execute(DataSourceEnable.java:101)
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:311) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_25]
    at java.lang.Thread.run(Thread.java:662) [:1.6.0_25]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]
$JBOSS_HOME/domain/configuration/host.xml
<?xml version='1.0' encoding='UTF-8'?>
<host name="pdmaster" xmlns="urn:jboss:domain:1.1">
    <vault>
        <vault-option name="KEYSTORE_URL" value="/usr/local/jboss/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-XXXXXXXXXX"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="/usr/local/jboss/"/>
    </vault>
    ....
    <servers>
        <server name="pd-master-vserver01" group="pd-server-group" auto-start="true">
        </server>
        <server name="pd-master-vserver02" group="pd-server-group" auto-start="true">
            <socket-bindings port-offset="100"/>
        </server>
        <server name="pd-master-vserver03" group="pd-server-group" auto-start="true">
            <socket-bindings port-offset="200"/>
        </server>
    </servers>
</host>
$JBOSS_HOME/domain/configuration/domain.xml
<domain xmlns="urn:jboss:domain:1.1">
    ...
    <subsystem xmlns="urn:jboss:domain:datasources:1.0">
        <datasources>
            <!-- DBPD03 -->
            <xa-datasource jndi-name="java:jboss/datasources/dbpd03DS" pool-name="dbpd03" enabled="true" use-ccm="false">
                <xa-datasource-property name="URL">jdbc:mysql://pdbd-ldr-01/dbpd03?autoReconnect=true</xa-datasource-property>
                <driver>mysql</driver>
                <xa-pool>
                    <min-pool-size>2</min-pool-size>
                    <max-pool-size>10</max-pool-size>
                    <prefill>true</prefill>
                    <is-same-rm-override>false</is-same-rm-override>
                    <interleaving>false</interleaving>
                    <pad-xid>false</pad-xid>
                    <wrap-xa-resource>false</wrap-xa-resource>
                </xa-pool>
                <security>
                    <user-name>pd_api</user-name>
                    <password>${VAULT::dbpd03DS::password::YWU2NTAxZmYtMGEyZi00ZjI2LWI5MmMtNDk5OGYxZjJlYzVkTElORV9CUkVBS3ZhdWx0;}</password>
                </security>
                <validation>
                    <validate-on-match>false</validate-on-match>
                    <background-validation>false</background-validation>
                    <background-validation-millis>0</background-validation-millis>
                </validation>
                <statement>
                    <prepared-statement-cache-size>0</prepared-statement-cache-size>
                    <share-prepared-statements>false</share-prepared-statements>
                </statement>
            </xa-datasource>
            <drivers>
                <driver name="mysql" module="com.mysql">
                    <driver-class> com.mysql.jdbc.Driver </driver-class>
                    <xa-datasource-class> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource </xa-datasource-class>
                </driver>
            </drivers>
        </datasources>
    </subsystem>
    ...
</host>
It's important to say that in standalone mode, my keystore and datasources' encrypted passwords work fine. I noticed that in domain mode, even if I omit the <vault> tag in host.xml, I get exactly the same error / exception.
Is there any error in my domain configuration files?
Thank you in advance!