Credential store strings can be currently used only in specialized "credential-reference" attributes. keyStorePassword is not such case.
This is known issue as Elytron integration in this area is not complete.See https://issues.jboss.org/browse/EAP7-683
http-acceptor part can be solved by configuring Undertow using Elytron ssl context which is aware of credential store.
Can you elaborate your use case. Are you trying to configure 2-way SSL between client and server? Where is your client located? Is it in same WF instance/another WF instance/standalone app? What are you expecting vault role is here? Most probably vault expression is resolved at server boot and client gets object with plain password over network, anyway.
We have a similar issue regarding a Websphere MQ resource adapter. Our current configuration looks like below:
<connection-definition class-name="com.ibm.mq.connector.outbound.ManagedConnectionFactoryImpl" jndi-name="java:/jboss/jms/wmq/connectionFactory" use-java-context="true" pool-name="MQConnectionFactoryPool">
I think it's not possible to add a credential reference here instead of the VAULT string. Since I cannot view the EAP7-683 issue: will this use case be supported in a future version?