JBoss Encryption Sensitive information

Source: Internet
Author: User
Tags: jboss

By default, the values configured in domain.xml, host.xml (and standalone.xml) are stored in plaintext. Sensitive values such as database passwords should not be left in the clear; JBoss provides the vault mechanism to encrypt them.

The following content is from http://www.cnblogs.com/yjmyzz/p/how-to-encrypt-datasource-password-with-jboss-eap-6.html

1. Use keytool to generate the keystore file. Reference command:

keytool -genseckey -alias ctas -storetype jceks -keyalg AES -keysize 128 -storepass mypassword -keystore C:\jboss-eap-6.3\bin\vault.keystore

Description: keytool is a small tool that ships with the JDK. The alias, the keystore password and the keystore path are to be changed to suit your own setup (the original colour-coded them, but the colours were lost). AES is the key algorithm and 128 is the key size. Note that -genseckey creates a symmetric secret key, which is what the EAP 6.3 vault used here expects, so the algorithm must be a symmetric one such as AES; RSA is a key-pair algorithm and is not valid with -genseckey.

-alias: ctas is the key alias. You can change it freely, but remember it, because the same alias is entered again in vault.bat in step 2.

-storepass: mypassword is the password that protects the keystore file. It is passed on the command line here, so it ends up in the shell history; clear that or enter it interactively if the machine is shared.

-keystore: C:\jboss-eap-6.3\bin\vault.keystore is the path where the keystore file is saved. The keystore holds the secret key; the vault uses that key to encrypt the sensitive values you store in step 3 (DB connection passwords, FTP passwords, mail passwords) into a data file in the directory you choose in step 2. Treat the keystore and that directory as sensitive files.

2. Run C:\jboss-eap-6.3\bin\vault.bat

Enter 0 to enter interactive mode:

Starting an interactive session
Enter directory to store encrypted files: c:\jboss-eap-6.3\bin\   -- the directory where the keystore file is located; the encrypted data files are written here
Enter Keystore URL: c:\jboss-eap-6.3\bin\vault.keystore   -- the full path of the keystore file
Enter Keystore password:   -- the keystore password, the same as in step 1
Enter Keystore password again:   -- re-enter the password to verify
Enter 8 character salt: 20151214   -- the salt; change it as needed, but it must be exactly 8 characters
Enter iteration count as a number:   -- the number of PBE iterations; choose freely (the value entered in the original did not survive extraction)
Enter Keystore Alias: cnblogs   -- the key alias; keep this identical to the alias given to keytool in step 1 (ctas above). The original transcript used cnblogs, so pick one name and use it in both places.

When this is done, the following is output:

Initializing Vault
Jul 20, 2015 11:37:09 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in AS7 config file:
********************************************
...
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="C:\jboss-eap-6.3\bin\vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-2w0ykkqmw8vbjuxlq79j/1"/>
  <vault-option name="KEYSTORE_ALIAS" value="cnblogs"/>
  <vault-option name="SALT" value="20151214"/>
  <vault-option name="ITERATION_COUNT" value=""/>
  <vault-option name="ENC_FILE_DIR" value="C:\jboss-eap-6.3\bin\"/>
</vault>
<management>
...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::   0: Store a secured attribute   1: Check whether a secured attribute exists   2: Exit

(The ITERATION_COUNT value did not survive extraction; it is the number you entered at the iteration count prompt.)

Note: the block between the two rows of asterisks (the <vault> element) is what you add to standalone.xml or host.xml at the corresponding position, i.e. after </extensions> and before <management>. Copy it now; it is added to the config file in step 4. The MASK- value is not a secret in its own right: it is derived from the keystore password using the SALT and ITERATION_COUNT that sit beside it in the same block, so it only obscures the password. Restrict read access to the config file, the keystore and the ENC_FILE_DIR contents to the account that runs JBoss.

3. Stay in interactive mode, do not exit, and continue:

Enter 0 to store a sensitive value:

Task: Store a secured attribute
Please enter secured attribute value (such as password):   -- enter the sensitive value to store, e.g. the MySQL connection password
Please enter secured attribute value (such as password) again:   -- re-enter it
Values match
Enter Vault Block: ctasds_pwd   -- a name for the container (vault block); choose freely
Enter Attribute Name: password   -- a name for the attribute within that block
Secured attribute value has been stored in vault.
Please make note of the following:
********************************************
Vault Block: ctasds_pwd
Attribute Name: password
Configuration should be done as follows:
VAULT::ctasds_pwd::password::1
********************************************

4. Modify the JBoss configuration file

<vault>
  <vault-option name="KEYSTORE_URL" value="C:\jboss-eap-6.3\bin\vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-2w0ykkqmw8vbjuxlq79j/1"/>
  <vault-option name="KEYSTORE_ALIAS" value="cnblogs"/>
  <vault-option name="SALT" value="20151214"/>
  <vault-option name="ITERATION_COUNT" value=""/>
  <vault-option name="ENC_FILE_DIR" value="C:\jboss-eap-6.3\bin\"/>
</vault>

(Fill ITERATION_COUNT with the number you entered in step 2; the value did not survive extraction.)

In domain mode, this block is inserted into host.xml before <management>. Do the same in the host.xml of every slave host, and copy the keystore file, together with the encrypted data files from ENC_FILE_DIR, to each slave machine, since the expression is resolved on the host where the server runs.

Then find the testds datasource (in domain mode the datasources are in the master's domain.xml) and replace the password with the vault expression:

<datasource jta="false" jndi-name="java:/testds" pool-name="testds" enabled="true" use-ccm="false">
    ...
    <security>
        <user-name>root</user-name>
        <password>${VAULT::ctasds_pwd::password::1}</password>
    </security>
    ...
</datasource>

Restart JBoss and the change takes effect.
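After steps 1 to 4 the practical question is whether any password is still sitting in the clear and whether the <vault> block is complete. The following audit script is an added example written for this page; it is not from the cnblogs article and not a JBoss tool. It parses a config file, flags every password element or password attribute that is not a ${VAULT::...} reference, and checks the six vault options. The sample config embedded in it is constructed here: the vault block and the testds datasource follow the page, ITERATION_COUNT=50 is an assumed value (the original's value is missing), and the reportds datasource with its plaintext password is invented so the audit has something to find.

```python
"""Audit a JBoss EAP 6 configuration file for passwords left in plaintext
instead of being moved into the vault, and sanity-check the <vault> block.
Stand-alone example with a constructed sample config (not a JBoss tool)."""
import re
import sys
import xml.etree.ElementTree as ET

# The six options vault.bat prints at the end of step 2.
REQUIRED_VAULT_OPTIONS = {
    "KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
    "SALT", "ITERATION_COUNT", "ENC_FILE_DIR",
}

# Shape of the reference printed at the end of step 3:
# ${VAULT::<vault block>::<attribute name>::<shared key>}
VAULT_EXPR = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^:}]+\}$")

# Constructed sample. ITERATION_COUNT=50 is assumed; the reportds datasource
# with a plaintext password is invented so the audit flags something.
SAMPLE_CONFIG = r"""<server xmlns="urn:jboss:domain:1.6">
  <vault>
    <vault-option name="KEYSTORE_URL" value="C:\jboss-eap-6.3\bin\vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-2w0ykkqmw8vbjuxlq79j/1"/>
    <vault-option name="KEYSTORE_ALIAS" value="cnblogs"/>
    <vault-option name="SALT" value="20151214"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="C:\jboss-eap-6.3\bin\"/>
  </vault>
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:1.2">
      <datasources>
        <datasource jndi-name="java:/testds" pool-name="testds" enabled="true">
          <security>
            <user-name>root</user-name>
            <password>${VAULT::ctasds_pwd::password::1}</password>
          </security>
        </datasource>
        <datasource jndi-name="java:/reportds" pool-name="reportds" enabled="true">
          <security>
            <user-name>report</user-name>
            <password>Sup3rSecret</password>
          </security>
        </datasource>
      </datasources>
    </subsystem>
  </profile>
</server>"""


def vault_expression(block, attribute, shared_key="1"):
    """Turn the 'Vault Block' and 'Attribute Name' from step 3 into the
    ${VAULT::...} reference that goes into the config file."""
    return "${VAULT::%s::%s::%s}" % (block, attribute, shared_key)


def _local(tag):
    """Drop the namespace so elements match whatever xmlns the subsystem uses."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, path=""):
    """Yield (path, element) for elem and all of its descendants."""
    path = "%s/%s" % (path, _local(elem.tag))
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def find_plaintext_passwords(root):
    """Return (location, value) for every <password> element or *password
    attribute whose value is not a ${VAULT::...} reference."""
    hits = []
    for path, elem in _walk(root):
        candidates = []
        if _local(elem.tag) == "password" and elem.text and elem.text.strip():
            candidates.append((path, elem.text.strip()))
        for name, value in elem.attrib.items():
            if name == "password" or name.endswith("-password"):
                candidates.append(("%s@%s" % (path, name), value))
        for where, value in candidates:
            if not VAULT_EXPR.match(value):
                hits.append((where, value))
    return hits


def check_vault_block(root):
    """Return a list of problems with the <vault> element (empty if fine)."""
    vaults = [e for _, e in _walk(root) if _local(e.tag) == "vault"]
    if not vaults:
        return ["no <vault> element in this file "
                "(in domain mode it belongs in host.xml, not domain.xml)"]
    options = {o.get("name"): o.get("value", "")
               for o in vaults[0] if _local(o.tag) == "vault-option"}
    problems = ["missing vault-option %s" % n
                for n in sorted(REQUIRED_VAULT_OPTIONS - set(options))]
    pw = options.get("KEYSTORE_PASSWORD")
    if pw is not None and not pw.startswith("MASK-"):
        problems.append("KEYSTORE_PASSWORD is the raw keystore password; "
                        "use the MASK- value printed by vault.bat")
    ic = options.get("ITERATION_COUNT")
    if ic is not None and not ic.isdigit():
        problems.append("ITERATION_COUNT must be the number entered in vault.bat")
    return problems


def audit(xml_text):
    """Audit the XML text of one config file."""
    root = ET.fromstring(xml_text)
    return {"plaintext": find_plaintext_passwords(root),
            "vault": check_vault_block(root)}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = audit(text)
    for where, value in result["plaintext"]:
        print("plaintext password at %s: %r" % (where, value))
    for problem in result["vault"]:
        print("vault: " + problem)
    print("reference for step 3:", vault_expression("ctasds_pwd", "password"))
```

Run it as `python vault_audit.py standalone.xml` (or with no argument to audit the embedded sample). In domain mode run it once against host.xml, which carries the <vault> block, and once against domain.xml, which carries the datasources; the "no <vault> element" message for domain.xml is expected there.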
