1 Reply Latest reply on Aug 23, 2012 9:20 AM by kevingscott

Encrypting Datasource Passwords with PBEUtils

kevingscott Aug 15, 2012 8:38 AM

Hi everyone,

I have been trying to follow the instructions in 17.2 of the security guide. To that end I did the following:

1) Created a server.password using org.jboss.security.plugins.FilePassword and made sure it is placed in the $PROFILE/conf directory

2) Created an encrypted password using PBEUtils and passed in the location of the server.password file

3) Added the following to login-config.xml


<mbean code="org.jboss.security.plugins.JaasSecurityDomain"


name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">


<constructor>


<arg type="java.lang.String" value="ServerMasterPassword"></arg>


</constructor>


<!-- The opaque master password file used to decrypt the encrypted


database password key -->


<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>


<attribute name="Salt">abcdefgh</attribute>


<attribute name="IterationCount">13</attribute>

   </mbean>

   <application-policy name="PBEEncryptedPasswordRealm">
   <authentication>


<login-module code= "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"


flag = "required">


<module-option name="username">USERNAME</module-option>


<module-option name="password">OUTPUT_OF_PBEUTILS</module-option>


<module-option name="managedConnectionFactoryName">


jboss.jca:service=NoTxCM,name=jdbc/DataSourceDS


</module-option>


<module-option name="jaasSecurityDomain">


jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword


</module-option>


</login-module>

   </authentication>
</application-policy>

4. Created a .ds file for my datasource like this:

{code:xml}
 <no-tx-datasource>
        <jndi-name>jdbc/DataSourceDS</jndi-name>
        <connection-url>DB_CONNECTION_URL</connection-url>
        <driver-class>oracle.jdbc.OracleDriver</driver-class>
        <security-domain>PBEEncryptedPasswordRealm</security-domain> 
        <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
        <check-valid-connection-sql>SELECT * FROM DUAL</check-valid-connection-sql>
        <idle-timeout-minutes>30</idle-timeout-minutes>
        <prepared-statement-cache-size>0</prepared-statement-cache-size>
        <share-prepared-statements>false</share-prepared-statements>
        <set-tx-query-timeout>false</set-tx-query-timeout>
        <metadata>
            <type-mapping>Oracle9i</type-mapping>
        </metadata>
    </no-tx-datasource>{code}

With this configuration, when I start the server, there are no errors or problems, but as soon as I call a Web Service that relies on this data source I get an error back:

java.lang.SecurityException: Unauthenticated caller:null

When I dive through the server.log I find that the root error is:

javax.security.auth.login.LoginException: Failed to decode password: jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword is not registered.

Why would ServerMasterPassword not be registered? How can I debug this further?

Thanks in advance for your help!

1. Re: Encrypting Datasource Passwords with PBEUtils

kevingscott Aug 23, 2012 9:20 AM (in response to kevingscott)

Hey just for anyone else searching this problem. My co-worker put in a support request and it turns out that the mbean should have been in the datasource file not the login-config.xml
Actions