0 Replies Latest reply on Aug 23, 2017 7:34 AM by dszfw

    JBoss 4.2.3 migration to JBoss 7 EAP, datasources and security

    dszfw

      I want to migrate several Java applications from JBoss 4.2.3 to JBoss 7.0.0 EAP.

      As a first step, I decided to migrate the datasources.

      For example, I have this datasource config in 4.2.3:

       

      {profile}/deploy/some-ds.xml

      <datasources>
        <local-tx-datasource>
          <jndi-name>SomeDS</jndi-name>
          ...
          <security-domain>EncryptedSomeDBLocalRealm</security-domain>
        </local-tx-datasource>
      </datasources>

       

      But I have noticed that the datasource credentials are encrypted, and thus I also need to migrate the security system.

      There are related configs in 4.2.3:

       

      {profile}/conf/login-config.xml

      <application-policy name="EncryptedSomeDBLocalRealm">
        <authentication>
          <login-module code="org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule" flag="required">
            <module-option name="username">user123</module-option>
            <module-option name="password">1ad9fNmTA/65Ufh583ZAn4</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=SomeDS</module-option>
            <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
          </login-module>
        </authentication>
      </application-policy>

       

      {profile}/conf/jboss-service.xml

      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
        name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
        <constructor>
          <arg type="java.lang.String" value="ServerMasterPassword"/>
        </constructor>
        <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
        <attribute name="Salt">abcdefgh</attribute>
        <attribute name="IterationCount">19</attribute>
      </mbean>

       

      I added this to my standalone.xml for JBoss 7 EAP:

      /configuration/standalone.xml

      <subsystem xmlns="urn:jboss:domain:datasources:4.0">
        <datasources>
          <datasource jta="true" jndi-name="java:/SomeDS" pool-name="SomeDS" enabled="true" use-ccm="true">
            <connection-url>{my-oracle-ldap-connection-url}</connection-url>
            <driver-class>oracle.jdbc.OracleDriver</driver-class>
            <driver>ojdbc8.jar</driver>
            <security>
              <security-domain>jdbcDatabaseSecure</security-domain>
            </security>
            <validation>
              <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
              <background-validation>true</background-validation>
              <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
              <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
            </validation>
          </datasource>
          <drivers>
            ????? should I put here my oracle driver?
          </drivers>
        </datasources>
      </subsystem>

      <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
          ...
          <security-domain name="jdbcDatabaseSecure">
            ?????
          </security-domain>
        </security-domains>
      </subsystem>

      <management>
        <security-realms>
          ...
          <security-realm name="UndertowRealm">
            <server-identities>
              <ssl>
                <keystore path="server_as_01.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
              </ssl>
            </server-identities>
          </security-realm>
        </security-realms>
      </management>

       

      Perhaps less related 4.2.3 configs, but relevant for the SSL configuration:

       

      {profile}/deploy/jboss-web.deployer/server.xml

      <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
      <Connector port="4570" address="${jboss.bind.address}"
        minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true"
        acceptCount="100" maxThreads="100" scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="${jboss.server.home.dir}/conf/server_as_01.keystore"
        keystorePass="123456"
        truststoreFile="${jboss.server.home.dir}/conf/server_as_01.keystore"
        truststorePass="123456"
        clientAuth="false" sslProtocol="TLS" />

       

      Also I have these files:

      {profile}/conf/server.password

      {profile}/conf/client.truststore

      {profile}/conf/server_as_01.keystore

       

      And JAVA_OPTS="-Djavax.net.ssl.trustStore=$JBOSS_SERVER/conf/client.truststore -Djavax.net.ssl.trustStorePassword=changeit"

       

      I tried to do something similar with the JBoss 7.0.0 EAP config, but as I've noticed from Google, there are too many differences between these implementations. It seems that JAAS no longer exists in 7 EAP.

       

      Can someone help me with the correct config?
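
One possible shape for the two `?????` spots in the EAP 7 configuration above, as an added example that is not part of the original post and not taken from the project's documentation. It assumes the Oracle driver is installed as a module (the driver name `oracle` and module name `com.oracle.ojdbc` are hypothetical) and uses the PicketBox `SecureIdentityLoginModule` in the legacy security subsystem; the encoded password is a placeholder.

```xml
<!-- Constructed fragments for standalone.xml; names marked "assumed" are not from the post. -->

<!-- 1. datasources subsystem: register the JDBC driver from a module -->
<drivers>
  <!-- name="oracle" and module="com.oracle.ojdbc" are assumed; the module
       must exist under modules/ with ojdbc8.jar listed in its module.xml -->
  <driver name="oracle" module="com.oracle.ojdbc">
    <driver-class>oracle.jdbc.OracleDriver</driver-class>
  </driver>
</drivers>
<!-- The datasource then refers to it by name: <driver>oracle</driver>.
     <driver>ojdbc8.jar</driver> only resolves if that JAR is itself deployed. -->

<!-- 2. legacy security subsystem: the domain named in the datasource's <security-domain> -->
<security-domain name="jdbcDatabaseSecure" cache-type="default">
  <authentication>
    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username" value="user123"/>
      <!-- Placeholder: encode the clear-text password with SecureIdentityLoginModule.
           The 4.2.3 value was encrypted through JaasSecurityDomain (master password,
           salt, iteration count) and is not in this module's format. -->
      <module-option name="password" value="ENCODED_PASSWORD_PLACEHOLDER"/>
    </login-module>
  </authentication>
</security-domain>
```

SecureIdentityLoginModule encodes with a key built into the module, so it hides the password from casual reading rather than protecting it. The EAP password vault is the stronger place for both this password and the `keystore-password` value shown in the security realm.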