LdapExtLoginModuleWithJaasSecurityDomain

Using the LdapExtLoginModule with a JaasSecurityDomain

 

The following is guidance on how the LdapExtLoginModule can be used with an encrypted bind password that is decrypted at runtime by a JaasSecurityDomain.

This guide assumes that the LdapExtLoginModule is already running correctly with a non-encrypted password. If this is not the case, configure the login module first and encrypt the password second, so that any problem can be attributed to the right step.

The first step is to define the JaasSecurityDomain MBean that is going to be used to decrypt the encrypted version of the password. It can be added to the {jboss.home}/server//conf/jboss-service.xml descriptor or to a -service.xml descriptor in the deploy folder.

   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=JaasSecurityDomain,domain=jmx-console">
      <constructor>
         <arg type="java.lang.String" value="jmx-console"></arg>
      </constructor>
      <attribute name="KeyStorePass">some_password</attribute>
      <attribute name="Salt">abcdefgh</attribute>
      <attribute name="IterationCount">66</attribute>
   </mbean>

 

This is a simple configuration where the password, salt and iteration count used for the encryption / decryption are contained directly within the MBean definition. It is also possible to obtain the password by any of the other methods described in the JaasSecurityDomain article.

It should be noted that the default cipher algorithm used by the JaasSecurityDomain implementation is "PBEwithMD5andDES"; this can be changed using the 'CipherAlgorithm' attribute. PBEwithMD5andDES is a legacy algorithm (single DES with a 56-bit key), and since the password, salt and iteration count needed to decrypt the value all sit in the descriptor, the encrypted bindCredential is only as well protected as the file that holds them.

Do ensure that you change the values 'KeyStorePass', 'Salt', and 'IterationCount' for your own deployment.

 

After this MBean has been defined, start JBoss, navigate to the jmx-console and find the MBean defined above.

On the MBean's page you should find an operation called 'encode64(String password)'. Invoke this operation, passing in the plaintext version of the password currently used by the LdapExtLoginModule. The return value is the encrypted version of the password, encoded as Base64.

Within the login module configuration the following module-options should be set:

  <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=jmx-console</module-option>
  <module-option name="bindCredential">2gx7gcAxcDuaHaJMgO5AVo</module-option> 

 

The first option, jaasSecurityDomain, is a new option naming the JaasSecurityDomain defined above so that the login module uses it to decrypt the password.

Next, the plaintext bindCredential is replaced with the Base64-encoded encrypted value returned by encode64.
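As an added illustration (not JBoss source code) of what encode64 and the decrypting login module do, the following Java program applies PBEwithMD5andDES with the KeyStorePass, Salt and IterationCount from the MBean above to a constructed bind password and then decrypts it again. It assumes java.util.Base64; JBoss's encode64 uses its own Base64Utils encoding, so the text it returns is not byte-for-byte comparable with the jmx-console output, and the bind password here is a made-up sample.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeCredentialDemo {
    // Taken from the MBean definition above; change them for a real deployment.
    static final char[] KEY_STORE_PASS = "some_password".toCharArray();
    static final byte[] SALT = "abcdefgh".getBytes(StandardCharsets.UTF_8); // DES PBE needs 8 bytes
    static final int ITERATION_COUNT = 66;
    static final String CIPHER_ALGORITHM = "PBEwithMD5andDES"; // JaasSecurityDomain default

    // Derive the PBE key from KeyStorePass and set up the cipher with Salt/IterationCount.
    static Cipher cipher(int mode) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(CIPHER_ALGORITHM);
        SecretKey key = factory.generateSecret(new PBEKeySpec(KEY_STORE_PASS));
        Cipher c = Cipher.getInstance(CIPHER_ALGORITHM);
        c.init(mode, key, new PBEParameterSpec(SALT, ITERATION_COUNT));
        return c;
    }

    // What encode64 does: encrypt the password, then Base64-encode the ciphertext.
    // Standard Base64 here; JBoss's Base64Utils produces different text for the same bytes.
    static String encrypt(String plaintext) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE).doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // What the login module does with bindCredential when jaasSecurityDomain is set.
    static String decrypt(String encoded) throws Exception {
        byte[] pt = cipher(Cipher.DECRYPT_MODE).doFinal(Base64.getDecoder().decode(encoded));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String bindPassword = "ldap-bind-secret"; // constructed sample, not a real credential
        String encoded = encrypt(bindPassword);
        System.out.println("bindCredential=" + encoded);
        // Everything needed to decrypt lives in the descriptor, so restrict access to that file.
        if (!bindPassword.equals(decrypt(encoded))) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("round trip OK");
    }
}
```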