! A simple login module for encrypting a datasource password
The org.jboss.resource.security.SecureIdentityLoginModule can be used to store an encrypted form of the database password in the login-config.xml security domain rather than a clear text password in the datasource configuration. It uses a hard-coded key that is the same in every JBoss installation to encrypt and decrypt the datasource password, so it hides the password from casual reading of the configuration files but does not protect it from anyone who can read those files and run Java code. You can encrypt the datasource password using the SecureIdentityLoginModule main method by passing in the cleartext password, here shown as 'password':
{{{
[starksm@banshee jboss-3.2.5]$ java -cp 'lib/jboss-jmx.jar;lib/jboss-common.jar;server/default/deploy/jboss-jca.sar;server/default/lib/jbosssx.jar' \
    org.jboss.resource.security.SecureIdentityLoginModule password
Encoded password: 5dfc52b51bd35553df8592078de921bc
}}}
The datasource *-ds.xml should then omit the user-name and password elements and instead specify a security-domain whose name matches the login-config.xml application-policy that configures the SecureIdentityLoginModule.
{{{
DefaultDS
jdbc:oracle:thin:@dev-db:1000:abc
oracle.jdbc.driver.OracleDriver
5000
15
20
10
EncryptDBPassword
}}}
The login-config.xml entry for the EncryptDBPassword domain would look like:
{{{
<application-policy name="EncryptDBPassword">
  <authentication>
    <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username">admin</module-option>
      <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
    </login-module>
  </authentication>
</application-policy>
}}}
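To make the limitation of this module concrete, here is an added example (my own re-implementation, not code from the JBoss project) of the encode/decode scheme SecureIdentityLoginModule uses: Blowfish in ECB mode with the fixed key string "jaas is the way" taken from the JBoss source, with the ciphertext rendered as a hexadecimal BigInteger, which is why the encoded value above has no padding characters. Anyone who can read login-config.xml can run decode() on the stored value. The sign-extension in decode() is this example's own handling of a BigInteger edge case (a ciphertext whose leading byte is dropped by toByteArray()); as far as I recall the module itself does not do it.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Re-implementation of the scheme used by SecureIdentityLoginModule
 * (added example, not JBoss code). The key is a fixed string shared by
 * every JBoss installation, so the "encoded" value is obfuscation, not a secret.
 */
public class SecureIdentityDemo {

    // Fixed key as it appears in the JBoss source; it is not configurable.
    private static final byte[] FIXED_KEY = "jaas is the way".getBytes(StandardCharsets.UTF_8);
    private static final int BLOCK = 8; // Blowfish block size in bytes

    private static Cipher blowfish(int mode) throws Exception {
        // Plain "Blowfish" resolves to Blowfish/ECB/PKCS5Padding in SunJCE.
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(mode, new SecretKeySpec(FIXED_KEY, "Blowfish"));
        return cipher;
    }

    /** Mirrors the module's main(): ciphertext printed as a signed BigInteger in hex. */
    public static String encode(String secret) throws Exception {
        byte[] encoding = blowfish(Cipher.ENCRYPT_MODE).doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(encoding).toString(16);
    }

    /** Reverses encode() using nothing but the fixed key. */
    public static String decode(String hex) throws Exception {
        BigInteger n = new BigInteger(hex, 16);
        byte[] raw = n.toByteArray();
        // toByteArray() returns the minimal two's-complement form, so a leading 0x00
        // (or 0xFF for a negative value) of the ciphertext can be missing. Restore it
        // by sign-extending to a whole number of Blowfish blocks.
        byte[] encoding = raw;
        if (raw.length % BLOCK != 0) {
            int len = ((raw.length / BLOCK) + 1) * BLOCK;
            encoding = new byte[len];
            Arrays.fill(encoding, 0, len - raw.length, (byte) (n.signum() < 0 ? 0xFF : 0x00));
            System.arraycopy(raw, 0, encoding, len - raw.length, raw.length);
        }
        return new String(blowfish(Cipher.DECRYPT_MODE).doFinal(encoding), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String plain = args.length > 0 ? args[0] : "password";
        String encoded = encode(plain);
        System.out.println("Encoded password: " + encoded);
        if (!plain.equals(decode(encoded))) {
            throw new IllegalStateException("round trip failed");
        }
        // The value from the page's own login-config.xml example, recovered offline:
        System.out.println("Stored value decodes to: " + decode("5dfc52b51bd35553df8592078de921bc"));
    }
}
```

Run it with `java SecureIdentityDemo` (no arguments encodes "password") or `java SecureIdentityDemo 'my-real-password'`. The practical consequence for the deployment described on this page: file permissions on login-config.xml, not the encoding, are what keep the database password from the server's other users.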
! A KeyStore based login module for encrypting a datasource password
The org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule is
a login module for statically defining a data source username and password,
where the password has been encrypted by a JaasSecurityDomain using its keystore
password, salt and iteration count. The base64 form of the data source password
may be generated using the PBEUtils command:
{{{
java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils salt count
domain-password data-source-password
}}}
The PBEUtils command args are:
* salt : the Salt attribute from the JaasSecurityDomain (8 bytes, as the PBEwithMD5andDES cipher requires)
* count : the IterationCount attribute from the JaasSecurityDomain
* domain-password : the plaintext password that maps to the KeyStorePass attribute from the JaasSecurityDomain
* data-source-password : the plaintext password for the data source that should be encrypted with the JaasSecurityDomain password
For example, with salt abcdefgh, 13 iterations, domain password 'master' and an empty data source password:
{{{
java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 13 master ''
Encoded password: E5gtGMKcXPP
}}}
A sample login-config.xml configuration entry (named EncryptedHsqlDbRealm to match the datasource example below) would be:
{{{
<application-policy name="EncryptedHsqlDbRealm">
  <authentication>
    <login-module code="org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule" flag="required">
      <module-option name="username">sa</module-option>
      <module-option name="password">E5gtGMKcXPP</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
    </login-module>
  </authentication>
</application-policy>
}}}
The docs/examples/jca/hsqldb-encrypted-ds.xml illustrates the datasource configuration along with the
JaasSecurityDomain configuration for the keystore, whose KeyStorePass is read from a FilePassword-protected file:
{{{
<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:hsqldb:${jboss.server.data.dir}${/}hypersonic${/}localDB</connection-url>
    <driver-class>org.hsqldb.jdbcDriver</driver-class>
    <min-pool-size>5</min-pool-size>
    <max-pool-size>20</max-pool-size>
    <idle-timeout-minutes>0</idle-timeout-minutes>
    <security-domain>EncryptedHsqlDbRealm</security-domain>
    <depends>jboss:service=Hypersonic,database=localDB</depends>
  </local-tx-datasource>

  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
    <constructor>
      <arg type="java.lang.String" value="ServerMasterPassword"></arg>
    </constructor>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
    <attribute name="Salt">abcdefgh</attribute>
    <attribute name="IterationCount">13</attribute>
  </mbean>

  <mbean code="org.jboss.jdbc.HypersonicDatabase" name="jboss:service=Hypersonic,database=localDB">
    <attribute name="Database">localDB</attribute>
    <attribute name="InProcessMode">true</attribute>
  </mbean>
</datasources>
}}}
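To show what the JaasSecurityDomain scheme actually buys over the fixed-key module, here is an added example (my own code, not PBEUtils or any JBoss class) that performs the same password-based encryption with the same inputs the PBEUtils command line takes: the Salt and IterationCount from the mbean above, the domain password that maps to KeyStorePass, and the data source password. The cipher name PBEwithMD5andDES is the JaasSecurityDomain default; I use java.util.Base64 for the output, whereas PBEUtils uses JBoss's own base64 alphabet, so the strings this prints are not drop-in values for login-config.xml (that remains PBEUtils's job), but the key derivation and ciphertext are the same.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/**
 * Added example (not JBoss code) of the password-based encryption that
 * JaasSecurityDomain applies to a data source password. Recovery requires
 * the domain password, which is what makes this stronger than a fixed key.
 */
public class PbeDemo {
    // JaasSecurityDomain's default CipherAlgorithm (PBES1): the salt must be exactly 8 bytes.
    static final String CIPHER = "PBEwithMD5andDES";

    static Cipher cipher(int mode, String salt, int count, char[] domainPassword) throws Exception {
        byte[] saltBytes = salt.getBytes(StandardCharsets.UTF_8);
        if (saltBytes.length != 8) {
            throw new IllegalArgumentException("salt must be 8 bytes for " + CIPHER);
        }
        // Key derivation from the domain password; the salt and count are public parameters.
        SecretKey key = SecretKeyFactory.getInstance(CIPHER).generateSecret(new PBEKeySpec(domainPassword));
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(mode, key, new PBEParameterSpec(saltBytes, count));
        return c;
    }

    /** Same role as PBEUtils: encrypt the data source password under the domain password. */
    public static String encode(String salt, int count, char[] domainPassword, String dsPassword) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, salt, count, domainPassword)
                .doFinal(dsPassword.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().withoutPadding().encodeToString(ct);
    }

    /** What the login module does at deploy time once the JaasSecurityDomain has its password. */
    public static String decode(String salt, int count, char[] domainPassword, String encoded) throws Exception {
        byte[] ct = Base64.getDecoder().decode(encoded);
        return new String(cipher(Cipher.DECRYPT_MODE, salt, count, domainPassword).doFinal(ct),
                StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String salt = "abcdefgh";                        // Salt attribute from the mbean above
        int count = 13;                                  // IterationCount attribute
        char[] domainPassword = "master".toCharArray();  // plaintext behind KeyStorePass
        String dsPassword = args.length > 0 ? args[0] : "";

        String encoded = encode(salt, count, domainPassword, dsPassword);
        System.out.println("Encoded password: " + encoded);
        System.out.println("Decoded with the domain password: '"
                + decode(salt, count, domainPassword, encoded) + "'");

        // Without the domain password DES decrypts to garbage; PKCS#5 unpadding usually
        // (not always, roughly 1 in 256 times it passes by chance) rejects the result.
        try {
            String wrong = decode(salt, count, "wrong".toCharArray(), encoded);
            System.out.println("Wrong domain password gave garbage: '" + wrong + "'");
        } catch (BadPaddingException e) {
            System.out.println("Wrong domain password rejected: " + e);
        }
    }
}
```

The caveat for the configuration above: the chain of secrets ends at conf/server.password, which the FilePassword class reads to supply KeyStorePass. Whoever can read that file together with login-config.xml can decrypt the data source password, so the real control is restricting that file to the JBoss service account, separately from the deployable configuration.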
!jboss-4.0.0DR3?
Looking in jbosssx.jar, the classes described here (org.jboss.resource.security.SecureIdentityLoginModule, org.jboss.security.plugins.PBEUtils) do not exist. How does one go about setting this up in jboss 4? I need to set up an oracle-ds.xml for jboss 4; the DBAs know the db password and the SAs have the root password (for deploying on the prod jboss server), so plain text passwords are unacceptable.