5 Replies Latest reply on Feb 9, 2019 1:34 PM by robertlazarski

    credential-reference using salt instead of clear-text

    robertlazarski

      In this example my db password is password123. I want to use a credential-store to avoid having this password in the standalone.xml Datasource section, instead of <password>password123</password>.

      I only see a clear text option when creating the credential-store. What I want to do, is have my password123 credentials not exposed in the standalone.xml. I need some type of salt option or equivalent.

      The credential store below still exposes this DB password, even though it's referenced as an alias in the standalone.xml.

                      <credential-store name="my_store" relative-to="jboss.server.data.dir" location="credentials/atstore.jceks" create="true">
                          <credential-reference clear-text="password123"/>
                      </credential-store>

      This is the jboss-cli.sh command I am using below. Is there an option besides clear-text? I read all the docs I could find and don't see another option besides clear text.

      /subsystem=elytron/credential-store=my_store:add(location="credentials/mystore.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text=password123},create=true)

      To be clear, I do not want to change the DB password. I just don't want to expose it in the standalone.xml. Is that possible?

        • 1. Re: credential-reference using salt instead of clear-text
          robertlazarski

          Since I posted this question, I found the syntax I might need, however I am getting a "SQLServerException: Login failed" when I use the xml snippet in the Wildfly 15 standalone.xml <credential-reference store="my_store" alias="database-pw"/> instead of <password>password123</password>.

          Here are my commands and resulting standalone.xml Datasource plus credentials-store, any ideas? I don't see an alias reference in the standalone.xml credential-store, not sure if that is required - being a first time user of this feature I would expect that.

          <code>
          ./elytron-tool.sh mask -i 2500 -s eightcha -x password123

          (result)
          MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500

          /subsystem=elytron/credential-store=my_store:add(location="credentials/mystore.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text="MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500"},create=true)

          /subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500")
          </code>
          <code>
                          <datasource jta="true" jndi-name="java:/sqlDataSourcelocal" pool-name="sqlDataSourcelocal" enabled="true" use-java-context="true" use-ccm="true">
                              <connection-url>jdbc:sqlserver://sqlserver.myhost.local;databaseName=dev2;sendStringParametersAsUnicode=false</connection-url>
                              <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
                              <driver>mssqljdbc700jre10.jar</driver>
                              <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
                              <pool>
                                  <min-pool-size>10</min-pool-size>
                                  <max-pool-size>100</max-pool-size>
                                  <prefill>true</prefill>
                                  <use-strict-min>false</use-strict-min>
                                  <flush-strategy>IdleConnections</flush-strategy>
                              </pool>
                              <security>
                                  <user-name>myusername</user-name>
                                  <credential-reference store="my_store" alias="database-pw"/>
                              </security>
                              <validation>
                                  <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
                                  <validate-on-match>false</validate-on-match>
                                  <background-validation>false</background-validation>
                                  <use-fast-fail>false</use-fast-fail>
                              </validation>
                              <statement>
                                  <prepared-statement-cache-size>0</prepared-statement-cache-size>
                                  <share-prepared-statements>true</share-prepared-statements>
                              </statement>
                          </datasource>

                        <credential-stores>
                          <credential-store name="my_store" relative-to="jboss.server.data.dir" location="credentials/mystore.jceks" create="true">
                              <credential-reference clear-text="MASK-010Ca5fyPKAo00tB.w4axs;eightcha;2500"/>
                          </credential-store>
                      </credential-stores>
          </code>
          • 2. Re: credential-reference using salt instead of clear-text
            jewellgm

            What version of JBoss/Wildfly are you attempting this with? There's a bug that was addressed in JBoss EAP 7.1 that allows this functionality.

            [JBEAP-8544] credential-reference not able to use masked passwords - JBoss Issue Tracker

            Which references

            [JBEAP-9025] CS tool, Add possibility to produce masked password - JBoss Issue Tracker

            I'm not certain whether the CLI would have allowed the masked password prior to these fixes and then just failed to utilize it properly at runtime, or whether the CLI wouldn't have accepted the masked password to begin with.

            Edit: I missed from your second post that you are using WF15. If you weren't aware of the defects that I just pointed out, I'd suggest seeing whether they were pushed back out to Wildfly yet.

            • 3. Re: credential-reference using salt instead of clear-text
              robertlazarski

              Thanks for the reply. I am running Wildfly 15. I mentioned that in my second post though I could have made that more clear.

              Those issues are from 2017. I would expect those issues would be fixed upstream in Wildfly by now, is that the case?

              • 4. Re: credential-reference using salt instead of clear-text
                simkam

                Hi,

                I think that in the second command you should use just the plain password. It won't be exposed in standalone.xml.

                /subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="password123")
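                As an added example (not part of this thread or of WildFly), a small audit of a standalone.xml for the exposure the thread is about: a datasource that still carries a <password> element, a credential store whose own password is not MASK-ed, and a credential-reference pointing at a store that is not defined. SAMPLE_XML is constructed from the snippets above; the MASK- prefix check assumes the format elytron-tool.sh mask prints on this page.

```python
# Added example, not from the thread: flag a DB password still exposed in
# standalone.xml (datasource <password> element, unmasked store password) and
# a credential-reference to an undefined store. SAMPLE_XML is constructed.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server>
 <datasources>
  <datasource pool-name="sqlDataSourcelocal">
   <security><user-name>myusername</user-name>
    <credential-reference store="my_store" alias="database-pw"/></security>
  </datasource>
  <datasource pool-name="legacy">
   <security><user-name>myusername</user-name><password>password123</password></security>
  </datasource>
  <datasource pool-name="dangling">
   <security><credential-reference store="ghost" alias="database-pw"/></security>
  </datasource>
 </datasources>
 <credential-stores>
  <credential-store name="my_store" location="credentials/mystore.jceks">
   <credential-reference clear-text="MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500"/>
  </credential-store>
  <credential-store name="plain_store" location="credentials/plain.jceks">
   <credential-reference clear-text="password123"/>
  </credential-store>
 </credential-stores>
</server>"""

def local(tag):
    """Strip the urn:jboss:... namespace WildFly puts on subsystem elements."""
    return tag.rsplit('}', 1)[-1]

def audit(xml_text):
    """Return sorted (kind, name, finding) tuples for exposed or dangling secrets."""
    root = ET.fromstring(xml_text)
    findings, stores = [], set()
    for store in (e for e in root.iter() if local(e.tag) == 'credential-store'):
        stores.add(store.get('name'))
        for ref in store:
            clear = ref.get('clear-text')
            if local(ref.tag) == 'credential-reference' and clear and not clear.startswith('MASK-'):
                findings.append(('credential-store', store.get('name'), 'store password is not masked'))
    for ds in (e for e in root.iter() if local(e.tag) == 'datasource'):
        for child in (c for sec in ds if local(sec.tag) == 'security' for c in sec):
            tag = local(child.tag)
            if tag == 'password':
                findings.append(('datasource', ds.get('pool-name'), 'clear-text <password> element'))
            elif tag == 'credential-reference' and child.get('store') not in stores:
                findings.append(('datasource', ds.get('pool-name'), 'references undefined store ' + child.get('store')))
    return sorted(findings)
```

                Run audit() over a real standalone.xml read from disk; the only datasource that passes is the one wired the way simkam describes, a credential-reference to a store whose own password is masked and whose alias secret lives in the .jceks file rather than in the XML.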

                • 5. Re: credential-reference using salt instead of clear-text
                  robertlazarski

                  Thank you Martin, your command worked for me. Problem solved.

                  Best regards,
                  Robert