https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.1/html/Security_Guide/Configure_the_Enterprise_Application_Platform_to_Use_the_Password_Vault1.html

Create vault

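# Placeholder values: replace them before use. The same keystore password must
# be given to keytool and to every vault.sh call, otherwise vault.sh cannot
# open the keystore.
KEYSTORE=/path/to/vault.keystore
ENC_DIR=/path/to/vault
KEYSTORE_PASS='password'   # keystore password (placeholder)
DB_PASS='password'         # secret to store in the vault (placeholder)

# NOTE: passwords passed as arguments end up in shell history and are visible
# in process listings while the command runs. keytool prompts for the password
# when -storepass is omitted, and vault.sh started without arguments offers an
# interactive session that prompts for these values instead.
# Restrict the keystore file and the vault directory to the account that runs JBoss.

# create java keystore (for vault encryption)
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass "$KEYSTORE_PASS" -validity 730 -keystore "$KEYSTORE"
# create vault (checking a dummy attribute initialises the vault files in $ENC_DIR)
vault.sh -e "$ENC_DIR" -k "$KEYSTORE" -p "$KEYSTORE_PASS" -i 64 -s salt8chr -b init -a init -c
# add password to vault (-x is the value being stored; -p is still the keystore password)
vault.sh -e "$ENC_DIR" -k "$KEYSTORE" -p "$KEYSTORE_PASS" -i 64 -s salt8chr -b DATABASE -a DBUSER_PASSWORD -x "$DB_PASS"
# check if password in the vault
vault.sh -e "$ENC_DIR" -k "$KEYSTORE" -p "$KEYSTORE_PASS" -i 64 -s salt8chr -b DATABASE -a DBUSER_PASSWORD -c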

Enable vault

host.xml
<host name="jboss1.example.com" xmlns="urn:jboss:domain:1.5">
..
 <vault>
    <!-- Vault settings for this host. The salt, iteration count and alias below
         match the values used in the keytool/vault.sh commands on this page. -->
    <vault-option name="KEYSTORE_URL" value="/path/to/vault.keystore"/>
    <!-- Masked form of the keystore password, as printed by vault.sh.
         NOTE(review): the mask is derived using the SALT and ITERATION_COUNT stored
         next to it, so treat it as obfuscation rather than strong protection;
         restrict read access to this file, the keystore and the vault directory. -->
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-113kk./wNc/mH4F409CbNp"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="salt8chr"/>
    <vault-option name="ITERATION_COUNT" value="64"/>
    <!-- NOTE(review): the vault.sh commands on this page use -e /path/to/vault;
         confirm this value points at that same directory (with a trailing slash). -->
    <vault-option name="ENC_FILE_DIR" value="/path/to/"/>
</vault>

 

Use vault

Use ${VAULT::DATABASE::DBUSER_PASSWORD::1} in place of the clear-text "password" in the JBoss configuration.

 

 
