Masking Passwords in JBossAS XML Configuration

Return to JBoss AS Security Dashboard <<<

 

 

 

 

DZone: http://server.dzone.com/articles/security-features-jboss-510-0

 

Background

Nobody likes the idea of seeing passwords in the open in an xml file.  In JBoss AS, we have various mechanisms by which passwords can be masked in the xml file. This document will act as a single stop reference to the various mechanisms.

 

Other Information

  1. Encrypting Data Source Passwords
  2. Encrypting Keystore Password in Tomcat Connector
  3. Encrypting Ldap Password in the LdapExtLoginModule
  4. JBoss AS/JBossMC: Adding secure behavior to POJOs

 

Masking password attributes in JBoss Microcontainer Bean definitions

JIRA : https://jira.jboss.org/jira/browse/JBAS-6710

 

Availability:  JBoss AS 5.1 onwards

 

Steps to perform

Generate a keystore first (follow the DZone article above).

 

  1. Use the Password Tool (mentioned below).
  2. Configure the @Password annotation on the MC beans that you are interested in masking the password. Example is provided below.

 

 

Password Tool

There is a command line tool that can be used for centralized password management.  The script is located in the bin directory. Remember that you can use the tool in the bin directory and the server configurations (default, all etc) can make use of the files that are generated by this tool.

 

=============================================

anil@localhost:~/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/bin$ ./password_tool.sh
**********************************
****  JBoss Password Tool********
**********************************
Error while trying to load data:Encrypted password file not located
Maybe it does not exist and need to be created.
0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit

0
Enter Keystore password
testpass
Enter Salt (String should be at least 8 characters)
AnyStringThatIsLong
Enter Iterator Count (integer value)
111
Keystore Password encrypted into password/jboss_keystore_pass.dat

 

Loading domains [
]
0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit
2
Enter security domain:
messaging
Enter passwd:
myPass
0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit
5
org.jboss.security.integration.password.PasswordTool$ShutdownHook run called
Storing domains [
messaging,
]

=====================================================================

 

Configure the MC Beans

 

You will need to add an annotation to the bean definition.  Lets take the example of JBoss Messaging SecurityStore MC Bean defined in deploy/messaging/messaging-jboss-beans.xml

 

Before:

 <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
      <!-- default security configuration -->
      <property name="defaultSecurityConfig">
         <![CDATA[
            <security>
               <role name="guest" read="true" write="true" create="true"/>
            </security>
         ]]>
      </property>
      <property name="suckerPassword">CHANGE ME!!</property>
      <property name="securityDomain">messaging</property>
      <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
</bean>

 

After:

 

 <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
      <!-- default security configuration -->
      <property name="defaultSecurityConfig">
         <![CDATA[
            <security>
               <role name="guest" read="true" write="true" create="true"/>
            </security>
         ]]>
      </property>
      <property name="securityDomain">messaging</property>
      <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
      <!-- Password Annotation to inject the password from the common password
        utility -->
      <annotation>@org.jboss.security.integration.password.Password(securityDomain="messaging",
methodName="setSuckerPassword")</annotation>    
   </bean>

As you can see, you have removed the attribute called as "suckerPassword"   and introduced an MC annotation called as @Password whose configuration includes the security domain as well the MC bean property where the password needs to be injected.


Additional Information

The Keystore that is provided was created as follows.

$ keytool -genkey -alias jboss -keyalg RSA -keysize1024  -keystore server.keystore
Enter keystore password:  testpass
What is your first and last name?
  [Unknown]:  JBoss Security
What is the name of your organizational unit?
  [Unknown]:  JBoss Division
What is the name of your organization?
  [Unknown]:  Red Hat Inc
What is the name of your City or Locality?
  [Unknown]:  Raleigh
What is the name of your State or Province?
  [Unknown]:  NC
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=JBoss Security, OU=JBoss Division, O=Red Hat Inc, L=Raleigh, ST=NC, C=US correct?
  [no]:  yes

Enter key password for <jboss>
        (RETURN if same as keystore password):

 

 

Testcase in JBoss AS

Caveat: Remove the jboss-*.dat files from your JBAS/bin/password folder before running this test. Do this only if the test fails.

anil@localhost:~/jboss-6.0/jboss-head/testsuite$  ant tests-password-mask

tests-password-mask:
     [echo] creating password-mask config
     [echo] Overwriting config descriptors
     [copy] Copying 3 files to /home/anil/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/server/password-mask
[server:start] Starting server "password-mask", with command (start timeout is 120 seconds ):
[server:start] /opt/java/jdk1.5.0_18/bin/java -cp /home/anil/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/bin/run.jar:/opt/java/jdk1.5.0_18/lib/tools.jar -Xms128m -Xmx256m -XX:MaxPermSize=512m  -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/home/anil/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/lib/endorsed -Djboss.server.log.threshold=DEBUG org.jboss.Main -c password-mask -b localhost -g DefaultPartition
[server:start] Server started.
     [echo] Starting patternset=password.mask.includes config=PASSWORD_MASK
    [junit] Running org.jboss.test.passwordinjection.test.PasswordInjectionUnitTestCase
    [junit] Running org.jboss.test.passwordinjection.test.PasswordInjectionUnitTestCase
    [junit] Tests run: 1, Failures: 0, Errors: 0, Time elapsed: 1.578 sec
[server:stop] Shutting down server: password-mask
[server:stop] shutdownTimeout will be=45
[server:stop] Server stopped.

BUILD SUCCESSFUL
Total time: 51 seconds

The test case uses a security domain of "test-bean" that has been populated in the password encrypted file using the password tool and provided under the conf directory of the server/password-mask server configuration.