1 Reply Latest reply on Aug 23, 2012 9:20 AM by Kevin Scott

    Encrypting Datasource Passwords with PBEUtils

    Kevin Scott Newbie

      Hi everyone,

      I have been trying to follow the instructions in 17.2 of the security guide.  To that end I did the following:

       

      1) Created a server.password using org.jboss.security.plugins.FilePassword and made sure it is placed in the $PROFILE/conf directory

      2) Created an encrypted password using PBEUtils and passed in the location of the server.password file

      3) Added the following to login-config.xml

       

       

      
      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      
      
      name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
      
      
      <constructor>
      
      
      <arg type="java.lang.String" value="ServerMasterPassword"></arg>
      
      
      </constructor>
      
      
      <!-- The opaque master password file used to decrypt the encrypted
      
      
      database password key -->
      
      
      <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
      
      
      <attribute name="Salt">abcdefgh</attribute>
      
      
      <attribute name="IterationCount">13</attribute>
      
         </mbean>
      
         <application-policy name="PBEEncryptedPasswordRealm">
         <authentication>
      
      
      <login-module code= "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"
      
      
      flag = "required">
      
      
      <module-option name="username">USERNAME</module-option>
      
      
      <module-option name="password">OUTPUT_OF_PBEUTILS</module-option>
      
      
      <module-option name="managedConnectionFactoryName">
      
      
      jboss.jca:service=NoTxCM,name=jdbc/DataSourceDS
      
      
      </module-option>
      
      
      <module-option name="jaasSecurityDomain">
      
      
      jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword
      
      
      </module-option>
      
      
      </login-module>
      
         </authentication>
      </application-policy>
      

       

      4.  Created a .ds file for my datasource like this:

       

      {code:xml}

      <no-tx-datasource>

              <jndi-name>jdbc/DataSourceDS</jndi-name>

              <connection-url>DB_CONNECTION_URL</connection-url>

              <driver-class>oracle.jdbc.OracleDriver</driver-class>

              <security-domain>PBEEncryptedPasswordRealm</security-domain>

              <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>

              <check-valid-connection-sql>SELECT * FROM DUAL</check-valid-connection-sql>

              <idle-timeout-minutes>30</idle-timeout-minutes>

              <prepared-statement-cache-size>0</prepared-statement-cache-size>

              <share-prepared-statements>false</share-prepared-statements>

              <set-tx-query-timeout>false</set-tx-query-timeout>

              <metadata>

                  <type-mapping>Oracle9i</type-mapping>

              </metadata>

          </no-tx-datasource>{code}

       

      With this configuration, when I start the server, there are no errors or problems, but as soon as I call a Web Service that relies on this data source I get an error back:

       

      java.lang.SecurityException: Unauthenticated caller:null

       

      When I dive through the server.log I find that the root error is:

      javax.security.auth.login.LoginException: Failed to decode password: jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword is not registered.

       

      Why would ServerMasterPassword not be registered? How can I debug this further?

       

      Thanks in advance for your help!