Version 3

    Encrypting Keystore and Truststore Passwords

     

    You can encrypt the cleartext passwords specified in the jboss-wsse-*.xml descriptor. You can use either the EXT or the CLASS command.

     

    EXT Command

     

    This can be used to execute an external command at the operating system level. Internally, JBoss will execute the command given in this syntax, and the first line of the command's standard output will be used as the password for the store.

     

         <?xml version="1.0" encoding="UTF-8"?>
         <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/ws-security/config
             http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
           <key-store-file>WEB-INF/wsse.keystore</key-store-file>
           <key-store-password>
             {EXT}java -cp %CLASSPATH org.jboss.test.ws.jaxrpc.samples.wssecurity.PasswordUtil keystore.password
           </key-store-password>
           <config>
             <sign type="x509v3" alias="wsse"></sign>
             <encrypt type="x509v3" alias="wsse"></encrypt>
             <requires>
               <signature></signature>
               <encryption></encryption>
             </requires>
           </config>
         </jboss-ws-security>
    

     

    In the example above, PasswordUtil is an external class whose main method retrieves the encrypted password from the file keystore.password, decodes it, and prints it to standard output. This class can be made as complex as required.

     

    CLASS Command

     

    This can be used to execute a Java class whose method returns the password after decryption. The example below shows the usage with the FilePassword class, which performs the decryption from the file "keystore.password". This is similar to the EXT method above; the only difference is that the class is executed within the current JVM process rather than as a separate OS command.

     

         <?xml version="1.0" encoding="UTF-8"?>
         <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/ws-security/config
             http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
           <key-store-file>WEB-INF/wsse.keystore</key-store-file>
           <key-store-password>
             {CLASS}org.jboss.security.plugins.FilePassword:keystore.password
           </key-store-password>
           <config>
             <sign type="x509v3" alias="wsse"></sign>
             <encrypt type="x509v3" alias="wsse"></encrypt>
             <requires>
               <signature></signature>
               <encryption></encryption>
             </requires>
           </config>
         </jboss-ws-security>
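    As an added illustration of both mechanisms described above (this is example code written for this page, not the JBoss PasswordUtil or FilePassword classes), the hypothetical ExamplePasswordUtil class below can serve either role: its main method prints the decrypted password as the single line of standard output that the EXT command reads, and its static decrypt method returns the password for in-process use, as the CLASS command does. The file format (Base64 of a random 12-byte IV followed by AES-GCM ciphertext and tag), the WSSE_PASSWORD_KEY environment variable holding the Base64-encoded AES key, and the method name decrypt are all assumptions; the page does not describe how the JBoss classes encode keystore.password or which method the CLASS command invokes.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical password utility for this page's EXT and CLASS examples.
 * Not the JBoss PasswordUtil or FilePassword classes.
 * Assumed file format: Base64( IV[12] || AES-GCM ciphertext+tag ).
 */
public final class ExamplePasswordUtil {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    /** Assumed: environment variable holding the Base64-encoded 128/192/256-bit AES key. */
    private static final String KEY_ENV = "WSSE_PASSWORD_KEY";

    private ExamplePasswordUtil() {}

    /** CLASS-style entry point (method name assumed): returns the decrypted password. */
    public static char[] decrypt(Path passwordFile) throws IOException, GeneralSecurityException {
        String b64 = new String(Files.readAllBytes(passwordFile), StandardCharsets.US_ASCII).trim();
        byte[] blob = Base64.getDecoder().decode(b64);
        if (blob.length <= GCM_IV_BYTES) {
            throw new GeneralSecurityException("password file too short to hold IV and ciphertext");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        // doFinal throws AEADBadTagException if the file was altered or the key is wrong
        byte[] plaintext = cipher.doFinal(ciphertext);
        char[] password = new String(plaintext, StandardCharsets.UTF_8).toCharArray();
        Arrays.fill(plaintext, (byte) 0);
        return password;
    }

    /** One-time setup: encrypts the cleartext password into the assumed file format. */
    public static void encrypt(Path passwordFile, char[] password) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per encryption; never reused with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] plaintext = new String(password).getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = cipher.doFinal(plaintext);
        Arrays.fill(plaintext, (byte) 0);
        byte[] blob = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ciphertext, 0, blob, iv.length, ciphertext.length);
        Files.write(passwordFile, Base64.getEncoder().encode(blob));
    }

    /** Loads the AES key from the environment (assumed key source for this example). */
    private static SecretKey loadKey() throws GeneralSecurityException {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null || b64.isEmpty()) {
            throw new GeneralSecurityException(KEY_ENV + " is not set");
        }
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new GeneralSecurityException("AES key must be 16, 24 or 32 bytes, got " + raw.length);
        }
        return new SecretKeySpec(raw, "AES");
    }

    /**
     * EXT-style entry point:  java -cp ... ExamplePasswordUtil keystore.password
     * Only the first line of standard output is used as the password, so nothing
     * else may be written to stdout; diagnostics go to stderr.
     */
    public static void main(String[] args) throws Exception {
        if (args.length == 2 && "encrypt".equals(args[0])) {
            // password is read from stdin so it does not appear in process listings
            BufferedReader in = new BufferedReader(new InputStreamReader(System.in, StandardCharsets.UTF_8));
            String line = in.readLine();
            if (line == null) {
                System.err.println("no password on standard input");
                System.exit(2);
            }
            encrypt(Paths.get(args[1]), line.toCharArray());
            return;
        }
        if (args.length != 1) {
            System.err.println("usage: ExamplePasswordUtil <password-file>");
            System.err.println("       ExamplePasswordUtil encrypt <password-file>   (password read from stdin)");
            System.exit(2);
        }
        char[] password = decrypt(Paths.get(args[0]));
        System.out.println(new String(password));
        System.out.flush();
        Arrays.fill(password, '\0');
    }
}
```

    To create the file once, run the class with the encrypt argument and type the password on standard input, then reference the file from the descriptor exactly as in the two examples above. With either command the decrypted password is present in the clear in the server process at deployment time, so the encryption moves the secret rather than removing it: keystore.password, the key material it depends on, and the descriptor itself should be readable only by the account that runs JBoss.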