Storing datasource password in Vault - Domain Mode
diegossilveira Jan 30, 2012 7:32 PM
Hello,
I'm trying to store my xa-datasources' passwords encrypted in VAULT. My JBoss is 7.1.0.CR1b and I followed the directions as explained here: https://community.jboss.org/wiki/JBossAS7SecuringPasswords
The problem is that when I start JBoss in domain mode, I get the following exception:
18:04:28,424 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 51) JBAS014612: Operation ("enable") failed - address: ([
("subsystem" => "datasources"),
("xa-data-source" => "dbpd03")
]): java.lang.SecurityException: Vault is not initialized
at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:97)
at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:40) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:414) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:622) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:263) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.getResolvedStringIfSetOrGetDefault(DataSourceModelNodeUtil.java:359)
at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.xaFrom(DataSourceModelNodeUtil.java:228)
at org.jboss.as.connector.subsystems.datasources.DataSourceEnable$1.execute(DataSourceEnable.java:101)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:359) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:254) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:190) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:311) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_25]
at java.lang.Thread.run(Thread.java:662) [:1.6.0_25]
at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]
$JBOSS_HOME/domain/configuration/host.xml
<?xml version='1.0' encoding='UTF-8'?>
<host name="pdmaster" xmlns="urn:jboss:domain:1.1">
    <vault>
        <vault-option name="KEYSTORE_URL" value="/usr/local/jboss/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-XXXXXXXXXX"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="/usr/local/jboss/"/>
    </vault>
    ....
    <servers>
        <server name="pd-master-vserver01" group="pd-server-group" auto-start="true">
        </server>
        <server name="pd-master-vserver02" group="pd-server-group" auto-start="true">
            <socket-bindings port-offset="100"/>
        </server>
        <server name="pd-master-vserver03" group="pd-server-group" auto-start="true">
            <socket-bindings port-offset="200"/>
        </server>
    </servers>
</host>
$JBOSS_HOME/domain/configuration/domain.xml
<domain xmlns="urn:jboss:domain:1.1">
    ...
    <subsystem xmlns="urn:jboss:domain:datasources:1.0">
        <datasources>
            <!-- DBPD03 -->
            <xa-datasource jndi-name="java:jboss/datasources/dbpd03DS" pool-name="dbpd03" enabled="true" use-ccm="false">
                <xa-datasource-property name="URL">jdbc:mysql://pdbd-ldr-01/dbpd03?autoReconnect=true</xa-datasource-property>
                <driver>mysql</driver>
                <xa-pool>
                    <min-pool-size>2</min-pool-size>
                    <max-pool-size>10</max-pool-size>
                    <prefill>true</prefill>
                    <is-same-rm-override>false</is-same-rm-override>
                    <interleaving>false</interleaving>
                    <pad-xid>false</pad-xid>
                    <wrap-xa-resource>false</wrap-xa-resource>
                </xa-pool>
                <security>
                    <user-name>pd_api</user-name>
                    <password>${VAULT::dbpd03DS::password::YWU2NTAxZmYtMGEyZi00ZjI2LWI5MmMtNDk5OGYxZjJlYzVkTElORV9CUkVBS3ZhdWx0;}</password>
                </security>
                <validation>
                    <validate-on-match>false</validate-on-match>
                    <background-validation>false</background-validation>
                    <background-validation-millis>0</background-validation-millis>
                </validation>
                <statement>
                    <prepared-statement-cache-size>0</prepared-statement-cache-size>
                    <share-prepared-statements>false</share-prepared-statements>
                </statement>
            </xa-datasource>
            <drivers>
                <driver name="mysql" module="com.mysql">
                    <driver-class>
                        com.mysql.jdbc.Driver
                    </driver-class>
                    <xa-datasource-class>
                        com.mysql.jdbc.jdbc2.optional.MysqlXADataSource
                    </xa-datasource-class>
                </driver>
            </drivers>
        </datasources>
    </subsystem>
    ...
</domain>
It's important to say that in standalone mode, my keystore and datasources' encrypted passwords work fine. I noticed that in domain mode, even if I omit the <vault> tag in host.xml, I get exactly the same error / exception.
Is there any error in my domain configuration files?
Thank you in advance!