1 Reply Latest reply on May 9, 2018 6:21 AM by Darran Lofthouse

    Secure password with Hashicorp Vault

    Fredrik Jönsson Newbie

      Hi

      We are thinking about start using Hashicorp Vault for storing passwords to our datasources,

      Vault by HashiCorp

       

      The problem is that we can't find any documentantion on how to include this in wildfly.

      Add it as part of the application code with modules and use it when needed, yes. But we are thinking about read all values at startup and keep them in memory.

      The reason to that is to minimize the dependency to Vault uptime and to get a failure directly if a password is not there (for any reason), instead of get an application error maybe a few hours later we get it immediately.

       

      1. Anyone has any thought about that strategy?

      2. What is the best way to implement Vault into Wildfly?

       

      This is how we think it will work

      Store a secret in Vault

      Create a temporarily token to access it, valid for e.g. 5min

      At startup we pass that token to wildfly

      In standalone-ha.xml we point a URI to the vault server that uses the token to get the password. E.g. to postgres or ActiveMQ

       

       

      <drivers>

        <driver name="postgresql" module="org.postgresql">

          <driver-class>org.postgresql.Driver</driver-class>

        </driver>

      </drivers>

       

      <datasources>

        <datasource jndi-name="java:jboss/datasources/StenusysDemoDS" pool-name="StenusysDemoDS" enabled="true" use-java-context="true">

          <connection-url>jdbc:postgresql://localhost:5432/StenusysDemo</connection-url>

          <driver>postgresql</driver>

          <security>

            <user-name>my-postgres-user</user-name>

            <password>vault://server.com:8200/........</password>

          </security>

        </datasource>

      </datasources>

       

       

      /Regards Fredrik