Gregory Charles writes: (as a comment at https://community.jboss.org/wiki/JBossAS7SecuringPasswords#comment-8828)
This seems to me to solve a problem we didn't have. In JBoss 7.0.2, I was able to encrypt the database password with this:
java -cp %JBOSS_HOME%\modules\org\picketbox\main\picketbox-4.0.1.jar;%JBOSS_HOME%\modules\org\jboss\logging\main\jboss-logging-3.0.1.GA.jar org.picketbox.datasource.security.SecureIdentityLoginModule password-to-encrypt
I don't need a "Vault" to hold the database password. Why would I?
What I do need is a way to encrypt the password into the Java keystore that holds the site certificate used to enable https connections. I could do this in JBoss 4.2.3, but that mechanism no longer exists in JBoss 7. It's not at all clear to me from this article that the Vault helps me do this, or how I would make it work.
I am wondering why his approach does not work. The SecureIdentityLoginModule would decrypt the password and then use it on the DataSource ManagedConnection. The DataSource only checks whether the string is in vault format. If it is, then it gets the value from the vault. If it is passed a plain string, then it just accepts it as the password.
My (*) approach actually does work, at least on JBoss 7.02, although I do configure it through standalone.xml rather than with annotations. Here are the relevant parts of standalone.xml. (I've obfuscated a bit, but hopefully haven't changed the meaning.)
<datasource jndi-name="java:jboss/jdbc/MyDataSourceDS" pool-name="MyPool" enabled="true" jta="true" use-java-context="false" use-ccm="true">
    <security-domain name="my-domain-ds" cache-type="default">
        <login-module code="SecureIdentity" flag="required">
            <module-option name="username" value="jboss"/>
            <module-option name="password" value="-338d795ddfc81956fa143bd954f57903"/>
The value for password is what I got back from the picketbox call.
Basically, I don't understand the vault. You get a masked password that gets you into vault.keystore, and an encrypted password that lets you get to the specific entry? Is that more secure than just decrypting the encrypted password like JBoss has always done?
Oh, and as long as I've got your ear, please does anyone know how to encrypt or mask the password into the keystore holding the site certificate for enabling SSL/https? I'm begging here. I'm on the verge of telling the customer that JBoss 7 cannot fulfill this requirement, which would necessitate porting back to an earlier version.
(*) Not really "my" approach. I pieced it together from official documentation and the forums.
I am also attempting to get password encryption working and to use the security-domain inside the datasource configuration method (which I have been using since 4.0.5), with the exception that I do not use the SecurityIdentity login module because of its hard-coded key; instead I wrote my own login module that generates the key on first use (at least you have to have access to the key file on the file system to decrypt the password, as opposed to just the encrypted password). For encrypting the keystore password for https, I have always used: https://community.jboss.org/wiki/EncryptKeystorePasswordInTomcatConnector; however, I haven't yet found how to really port this to the new JBoss AS 7 architecture. It would be great if this vault would also work for the keystore password and if you could supply your own implementation for the vault (i.e. the problem with the SecurityIdentity login module is that it uses a hard-coded key).
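The design the post above describes, a key generated on first use and kept in a file outside the configuration so that the encrypted value in standalone.xml is useless without it, as an added illustration. This is example code written for this thread, not picketbox's, JBoss's, or the poster's own login module; the class name, the key-file location (~/.jboss-ds.key), the 256-bit AES-GCM choice and the base64 output format are all assumptions made here. A real login module would call the same decrypt method from its login() and hand the result to the ManagedConnection, which is exactly what the thread says the DataSource accepts as a plain password string.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical helper (not part of JBoss or picketbox): encrypts a datasource
 * password under a key that lives in a file readable only by the server user.
 * Unlike a key hard-coded in a jar, the ciphertext in standalone.xml cannot be
 * reversed by anyone who merely reads the configuration file.
 */
public final class FileKeyPasswordCodec {
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;
    private final Path keyFile;

    public FileKeyPasswordCodec(Path keyFile) {
        this.keyFile = keyFile;
    }

    /** Loads the AES key, generating it on first use with owner-only permissions. */
    private SecretKey loadOrCreateKey() throws Exception {
        if (Files.exists(keyFile)) {
            return new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        byte[] raw = kg.generateKey().getEncoded();
        Path parent = keyFile.toAbsolutePath().getParent();
        if (parent != null) {
            Files.createDirectories(parent);
        }
        // CREATE_NEW fails if the file appeared concurrently, so two starts never clobber each other
        Files.write(keyFile, raw, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        try {
            Files.setPosixFilePermissions(keyFile, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): protect the key with directory ACLs instead.
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Encrypts with a fresh random IV; output is base64(iv || ciphertext || tag). */
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverses encrypt(); the GCM tag check rejects a tampered or foreign value. */
    public String decrypt(String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_BYTES + GCM_TAG_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** Usage mirrors the picketbox command line in the thread: java FileKeyPasswordCodec <password-to-encrypt> */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: FileKeyPasswordCodec <password-to-encrypt>");
            System.exit(2);
        }
        Path keyFile = Paths.get(System.getProperty("user.home"), ".jboss-ds.key"); // assumed location
        FileKeyPasswordCodec codec = new FileKeyPasswordCodec(keyFile);
        String enc = codec.encrypt(args[0]);
        // Paste this value into the password module-option; the login module decrypts it at runtime.
        System.out.println("Encrypted: " + enc);
        if (!args[0].equals(codec.decrypt(enc))) {
            throw new IllegalStateException("round-trip failed");
        }
    }
}
```

The protection is only as good as the file permissions on the key file and the account the server runs under: anyone who can read both standalone.xml and the key file still recovers the password, so the key belongs outside the deployment directory and outside any backup or repository that holds the configuration.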
@Gregory Charles: I need the exact same solution! Did you find something that worked? I've been testing the old _OBFUSCATED properties option but that doesn't seem to be implemented in JBoss 7. ([#JBAS-8353] PATCH: Support obfuscated System Properties - JBoss Issue Tracker) I can't compile the latest community version and can't switch to JBoss 6 enterprise to get the working version of Vault.
What did you come up with?