5 Replies Latest reply on May 21, 2016 3:46 PM by cqmcris

    an issue about ssl configuration in wildfly 9 with a vault expression

    itoti

      Hi, I have an issue like this:

      I configured SSL in WildFly 9 in standalone.xml:

          <security-realms>
              <security-realm name="SslRealm">
                  <server-identities>
                      <ssl>
                          <keystore path="my.keystore" relative-to="jboss.server.config.dir" keystore-password="Acrosspm@2013"/>
                      </ssl>
                  </server-identities>
              </security-realm>
          </security-realms>

      I want to use vault.sh to encrypt this password, but the vault tool in WildFly 9 only supports JCEKS keystores. If I use a JKS keystore, it shows an error like:

      =========================================================================
        JBoss Vault
        JBOSS_HOME: /opt/wildfly_9/wildfly-9.0.1.Final
        JAVA: /opt/netwatcher/pm4h2/app/opt/jdk1.8.0_51/bin/java
      =========================================================================
      **********************************
      ****  JBoss Vault  ***************
      **********************************
      Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit
      0
      Starting an interactive session
      Enter directory to store encrypted files: /opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/
      Enter Keystore URL: /opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/my.keystore
      Enter Keystore password:
      Enter Keystore password again:
      Values match
      Enter 8 character salt: 12345678
      Enter iteration count as a number (e.g.: 44): 50
      Enter Keystore Alias: pmserver
      WFLYSEC0056: Initializing Vault
      WFLYSEC0059: Exception encountered:WFLYSEC0045: Exception encountered:
      Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit

      So I tried a JCEKS keystore. It works! The vault tool supports it, and I get my configuration:

        <vault>
            <vault-option name="KEYSTORE_URL" value="/opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/wildfly.store"/>
            <vault-option name="KEYSTORE_PASSWORD" value="MASK-0Mvr5Mh9WycddzuV1sSsHL"/>
            <vault-option name="KEYSTORE_ALIAS" value="wildflyVault"/>
            <vault-option name="SALT" value="12345678"/>
            <vault-option name="ITERATION_COUNT" value="50"/>
            <vault-option name="ENC_FILE_DIR" value="/opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/"/>
        </vault>

      But the JCEKS keystore cannot be used in WildFly 9's standalone.xml for the SSL configuration. When I start WildFly, it does not work! I think the SSL configuration in WildFly only supports JKS keystores.

      So I don't know how to configure SSL with a vault expression. Please give me some advice.

        • 1. Re: an issue about ssl configuration in wildfly 9 with a vault expression
          mchoma

          Hi,

          You can still use a different JKS keystore for SSL, right?

          Martin

          • 2. Re: an issue about ssl configuration in wildfly 9 with a vault expression
            itoti

            Yes, the JKS keystore is working. But I don't know how to configure the encrypted password instead of "Acrosspm@2013" with the JKS keystore in standalone.xml.

            My issue is that the vault tool does not support encrypting the password for a JKS keystore. Could you help me?

              <management>
                  <security-realms>
                      <security-realm name="ManagementRealm">
                          <server-identities>
                              <ssl protocol="TLSv1.1">
                                  <keystore path="/opt/netwatcher/pm4h2/app/opt/certificate/pmserver.keystore" keystore-password="Acrosspm@2013" alias="pmserver" key-password="Acrosspm@2013"/>
                              </ssl>
                          </server-identities>
                      </security-realm>
                  </security-realms>
              </management>

            • 3. Re: an issue about ssl configuration in wildfly 9 with a vault expression
              mchoma

              You should be able to replace the plain password with a vault expression like ${VAULT: ...}

              See for example JBoss AS7 Securing Passwords for details.

              Martin

              • 4. Re: an issue about ssl configuration in wildfly 9 with a vault expression
                itoti

                Yes, I tried to use vault.sh as in AS7 Securing Passwords. It goes wrong in the encryption flow with wildfly-9.0.1.Final:

                =========================================================================
                  JBoss Vault
                  JBOSS_HOME: /opt/wildfly_9/wildfly-9.0.1.Final
                  JAVA: /opt/netwatcher/pm4h2/app/opt/jdk1.8.0_51/bin/java
                =========================================================================
                **********************************
                ****  JBoss Vault  ***************
                **********************************
                Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit
                0
                Starting an interactive session
                Enter directory to store encrypted files: /opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/
                Enter Keystore URL: /opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/my.keystore
                Enter Keystore password:
                Enter Keystore password again:
                Values match
                Enter 8 character salt: 12345678
                Enter iteration count as a number (e.g.: 44): 50
                Enter Keystore Alias: pmserver
                WFLYSEC0056: Initializing Vault
                WFLYSEC0059: Exception encountered:WFLYSEC0045: Exception encountered:
                Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit

                I changed the keystore type to JCEKS. It's right, but it cannot be used in the "<keystore path" element of standalone.xml.

                • 5. Re: an issue about ssl configuration in wildfly 9 with a vault expression
                  mchoma

                  Hi,

                  What I am trying to suggest is:

                  1. Use a JCEKS keystore for the vault.
                  2. Use a JKS keystore for the SSL configuration.

                  It means you will need two keystores. You can't make it work with just one keystore.

                  Martin

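Putting Martin's two-keystore suggestion together, as an added example (not configuration posted in this thread): the vault is backed by the JCEKS keystore from the vault.sh output above, the SSL realm keeps its separate JKS keystore, and the plain-text passwords are replaced by vault expressions. The vault block name "ssl", the attribute names "keystore-password" and "key-password", and the trailing "1" segment are assumptions; they must match the block and attribute names used when the secrets were stored with vault.sh, which prints the exact expression to paste.

```xml
<!-- standalone.xml excerpt for WildFly 9 (urn:jboss:domain:3.0); added example, not from the thread.
     <vault> comes before <management> in the schema order. -->
<server xmlns="urn:jboss:domain:3.0">
  <!-- 1. Vault backed by the JCEKS keystore (values as generated by vault.sh in the thread).
          The KEYSTORE_PASSWORD is the masked value the tool printed, not the plain password. -->
  <vault>
    <vault-option name="KEYSTORE_URL" value="/opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/wildfly.store"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-0Mvr5Mh9WycddzuV1sSsHL"/>
    <vault-option name="KEYSTORE_ALIAS" value="wildflyVault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="/opt/wildfly_9/wildfly-9.0.1.Final/standalone/configuration/"/>
  </vault>

  <management>
    <security-realms>
      <!-- 2. SSL realm keeps the separate JKS keystore (my.keystore, as in the original post).
              Both passwords are vault expressions of the form ${VAULT::block::attribute::sharedKey}.
              Block "ssl", the attribute names and the "1" segment are assumed; use what vault.sh printed. -->
      <security-realm name="SslRealm">
        <server-identities>
          <ssl>
            <keystore path="my.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="${VAULT::ssl::keystore-password::1}"
                      alias="pmserver"
                      key-password="${VAULT::ssl::key-password::1}"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
</server>
```

The JCEKS file referenced by KEYSTORE_URL is never used by the SSL realm, and the JKS file never has to be opened by the vault tool, which is why the two formats no longer conflict.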
                  • 6. Re: an issue about ssl configuration in wildfly 9 with a vault expression
                    cqmcris

                    Did you solve this issue?

                    I need to mask keystore, key, and datasource passwords. Can you please send me the steps to follow?