0 Replies Latest reply on Aug 23, 2017 7:34 AM by dszfw

    Jboss 4.2.3 migration to Jboss 7 EAP, datasources and security

    dszfw
    dszfw Aug 23, 2017 7:34 AM

      I want to migrate several Java applications from Jboss 4.2.3 to Jboss 7.0.0 EAP

       

      For first step I decided to migrate datasources.

      For example I have such datasource config in 4.2.3:

       

      {profile}/deploy/some-ds.xml

      <local-tx-datasource>
               <jndi-name>SomeDS</jndi-name>
               ...
               <security-domain>EncryptedSomeDBLocalRealm</security-domain>
              </local-tx-datasource>
      </datasources>

       

      But I have noticed that datasource credentials are encrypted and thus I also need to migrate security system.

      There are related configs in 4.2.3:

       

      {profile}/conf/login-config.xml

      <application-policy name = "EncryptedSomeDBLocalRealm">
               <authentication>
               <login-module code = "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule" flag="required">
               <module-option name = "username">user123</module-option>
               <module-option name = "password">1ad9fNmTA/65Ufh583ZAn4</module-option>
               <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=SomeDS</module-option>
               <module-option name = "jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
               </login-module>
               </authentication>
      </application-policy>

       

      {profile}/conf/jboss-service.xml

      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
        name      ="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
              <constructor>
               <arg type="java.lang.String" value="ServerMasterPassword"/>
              </constructor>
              <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
              <attribute name="Salt">abcdefgh</attribute>
              <attribute name="IterationCount">19</attribute>
      </mbean>

       

      I added this to my standalone.xml for Jboss 7 EAP:

      /configuration/standalone.xml

      <subsystem xmlns="urn:jboss:domain:datasources:4.0">
               <datasources>
               <datasource jta="true" jndi-name="java:/SomeDS" pool-name="SomeDS" enabled="true" use-ccm="true">
               <connection-url>{my-oracle-ldap-connection-url}</connection-url>
               <driver-class>oracle.jdbc.OracleDriver</driver-class>
               <driver>ojdbc8.jar</driver>
               <security>
               <security-domain>jdbcDatabaseSecure</security-domain>
               </security>
               <validation>
               <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
               <background-validation>true</background-validation>
               <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
               <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
               </validation>
               </datasource>
               <drivers>
               ????? should I put here my oracle driver?
               </drivers>
               </datasources>
      </subsystem>

      <subsystem xmlns="urn:jboss:domain:security:1.2">
               <security-domains>
               ...
               <security-domain name="jdbcDatabaseSecure">
               ?????
               </security-domain>
               </security-domains>
      </subsystem>

      <management>
               <security-realms>
               ...
               <security-realm name="UndertowRealm">
               <server-identities>
               <ssl>
               <keystore path="server_as_01.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
               </ssl>
               </server-identities>
               </security-realm>
               </security-realms>
      </management>

       

      Maybe less related 4.2.3 configs, but actual for SSL configuration:

       

      {profile}/deploy/jboss-web.deployer/server.xml

      <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
      <Connector port="4570" address="${jboss.bind.address}"
        minSpareThreads      ="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true"
        acceptCount      ="100" maxThreads="100" scheme="https" secure="true" SSLEnabled="true"
        keystoreFile      ="${jboss.server.home.dir}/conf/server_as_01.keystore"
        keystorePass      ="123456"
        truststoreFile      ="${jboss.server.home.dir}/conf/server_as_01.keystore"
        truststorePass      ="123456"
        clientAuth      ="false" sslProtocol="TLS" />

       

      Also I have these files:

      {profile}/conf/server.password

      {profile}/conf/client.truststore

      {profile}/conf/server_as_01.keystore

       

      And JAVA_OPTS="-Djavax.net.ssl.trustStore=$JBOSS_SERVER/conf/client.truststore -Djavax.net.ssl.trustStorePassword=changeit"

       

      I tried to do something similar with Jboss 7.0.0 EAP config, but as I've noticed from google, too many differences in these implementations. It seems that JAAS no more exist in 7 EAP.

       

      Can someone help me with correct config?