-
1. Re: AS7: Sensitive Attributes Masking
anil.saldhana Aug 31, 2011 3:05 PM (in response to anil.saldhana)
The security schema in AS7.1 has a new vault element that can be used to configure the attribute vault. An offline tool is needed to interact with the vault to store the attributes. The AS is supposed to be a read-only customer of the vault.
The proposal is to create bin/vault.sh (vault.bat) to interact with the default implementation of the vault.
-
2. Re: AS7: Sensitive Attributes Masking
anil.saldhana Sep 20, 2011 5:25 PM (in response to anil.saldhana)
**********************************
**** JBoss Vault ********
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Password match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Please make note of the following:
********************************************
Masked Password:MASK-5WNXs8oEbrs
salt:12345678
Iteration Count:50
********************************************
Enter Keystore Alias:vault
Sep 20, 2011 4:23:40 PM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
0
Task: Store a password
Please enter attribute value:
Please enter attribute value again:
Password match
Enter Vault Block:messaging
Enter Attribute Name:pass
Attribute Value for (messaging, pass) saved
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
1
Task: Verify whether a password exists
Enter Vault Block:messaging
Enter Attribute Name:pass
A value exists for (messaging, pass)
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
2
-
3. Re: AS7: Sensitive Attributes Masking
dimonv Dec 19, 2011 4:28 AM (in response to anil.saldhana)
Hi all,
I'm currently trying to apply the vault for a DataSource password in JBoss AS 7.1.0.Beta1 as described in the Wiki http://community.jboss.org/wiki/JBossAS7SecuringPasswords, but it doesn't work. I get the following exception:
10:23:41,265 ERROR [org.jboss.as.controller] (ServerService Thread Pool -- 47) JBAS014612: Operation ("enable") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "java:jboss/jdbc/MSSQLDataSource-PROD")
]): java.lang.SecurityException: org.jboss.security.vault.SecurityVaultException: PB00027: Vault Mismatch:Shared Key does not match for vault block:MSSQLDataSource and attributeName:password
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:98) [jboss-as-server-7.1.0.Beta1.jar:]
at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45) [jboss-as-server-7.1.0.Beta1.jar:]
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.1.0.Beta1.jar:]
...
My configuration:
I put the vault configuration in standalone, in the server scope:
<vault>
    <vault-option name="KEYSTORE_URL" value="C:/eplatform/jboss/AS-7.0/standalone/configuration/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-8mj0bd6g0iq"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="42"/>
    <vault-option name="ENC_FILE_DIR" value="C:/eplatform/jboss/AS-7.0/standalone/data/"/>
</vault>
and the DataSource password value:
<password>
    ${VAULT::MSSQLDataSource::password::MmUxNzU1MjgtYWM1Mi00MzZmLThlZTctZGIxNzE4ZGQ3ZWZlTElORV9CUkVBS3ZhdWx0}
</password>
Thanks and regards
-
4. Re: AS7: Sensitive Attributes Masking
dimonv Dec 20, 2011 11:06 AM (in response to dimonv)
Hi,
I found out the origin: I had to complete the expression for the password with a semicolon (;).
But now I have another issue. At the moment I put the <vault> config into the server scope:
...
</extensions>
<vault>
...
</vault>
<management>
...
The server starts up, the vault is initialized and the DS password is decrypted; everything works. But the JBoss configuration is dumped back to standalone.xml and <vault> disappears:
<vault/>
Where shall I put <vault> configuration?
Thanks
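Added example (not code from this thread or from JBoss): a small Python audit of a standalone.xml that checks the points raised in the two posts above, namely that a <vault> element with its six vault-option entries is present rather than an empty <vault/>, that KEYSTORE_PASSWORD holds a MASK- value, and that every <password> element carries a ${VAULT::block::attribute::key} expression instead of plaintext. The XML, paths and passwords are constructed; the option names and expression form are the ones shown in the posts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment (not a real server config): a populated
# <vault>, one vaulted datasource password and one left in plaintext.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.0">
  <vault>
    <vault-option name="KEYSTORE_URL" value="/opt/jboss/standalone/configuration/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-8mj0bd6g0iq"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="42"/>
    <vault-option name="ENC_FILE_DIR" value="/opt/jboss/standalone/data/"/>
  </vault>
  <subsystem xmlns="urn:jboss:domain:datasources:1.0"><datasources>
    <datasource jndi-name="java:jboss/jdbc/ProdDS" pool-name="ProdDS">
      <security><password>${VAULT::MSSQLDataSource::password::MmUxNzU1Mjg}</password></security>
    </datasource>
    <datasource jndi-name="java:jboss/jdbc/DevDS" pool-name="DevDS">
      <security><password>s3cret</password></security>
    </datasource>
  </datasources></subsystem>
</server>"""
# ${VAULT::<block>::<attribute>::<shared key>} as used in the thread above.
VAULT_EXPR = re.compile(r"^\$\{VAULT::(?P<block>[^:}]+)::(?P<attr>[^:}]+)::(?P<key>[^}]+)\}$")
# The vault-option names the thread's <vault> element carries.
REQUIRED_OPTIONS = {"KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS", "SALT", "ITERATION_COUNT", "ENC_FILE_DIR"}

def local(tag):
    """Strip a namespace prefix such as '{urn:jboss:domain:1.0}' from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return findings: missing/empty <vault>, unmasked keystore password, plaintext <password>s."""
    root = ET.fromstring(xml_text)
    findings = []
    vault = next((e for e in root.iter() if local(e.tag) == "vault"), None)
    if vault is None:
        findings.append("no <vault> element")
    else:
        opts = {o.get("name"): o.get("value") for o in vault if local(o.tag) == "vault-option"}
        for missing in sorted(REQUIRED_OPTIONS - opts.keys()):
            findings.append(f"vault-option {missing} missing (was <vault> written back as <vault/>?)")
        keystore_pw = opts.get("KEYSTORE_PASSWORD")
        if keystore_pw is not None and not keystore_pw.startswith("MASK-"):
            findings.append("KEYSTORE_PASSWORD is stored unmasked")
    for elem in root.iter():
        if local(elem.tag) == "password" and not VAULT_EXPR.match((elem.text or "").strip()):
            findings.append(f"plaintext <password> value: {(elem.text or '').strip()!r}")
    return findings
```

Run it over the file the server wrote back; an empty <vault/> shows up as six missing vault-option findings, which is the symptom described in the last post.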