5 Replies Latest reply on Feb 9, 2019 1:34 PM by robert lazarski

    credential-reference using salt instead of clear-text

    robert lazarski Newbie

      In this example my db password is password123. I want to use a credential-store to avoid having this password in the standalone.xml Datasource section, instead of <password>password123</password>.

       

      I only see a clear text option when creating the credential-store. What I want to do, is have my password123 credentials not exposed in the standalone.xml. I need some type of salt option or equivalent.

       

      The credential store below still exposes this DB password, even though its referenced as an alias in the standalone.xml.

       

                      <credential-store name="my_store" relative-to="jboss.server.data.dir" location="credentials/atstore.jc eks" create="true">

                          <credential-reference clear-text="password123"/>

                      </credential-store>

       

      This is the jboss-cli.sh command I am using below. Is there an option besides clear-text? I read all the docs I could find and don't see another option besides clear text.

       

      /subsystem=elytron/credential-store=my_store:add(location="credentials/mystore.jceks", relative-to=jboss.server.data.dir,  credential-reference={clear-text=password123},create=true)

       

      To be clear, I do not want to change the DB password. I just don't want to expose it in the standalone.xml. Is that possible?

        • 1. Re: credential-reference using salt instead of clear-text
          robert lazarski Newbie

          Since I posted this question, I found the syntax I might need however I am getting a "SQLServerException: Login failed" when I use the xml snippet in the Wildfly 15 standalone.xml <credential-reference store="my_store" alias="database-pw"/> instead of <password>password123</password> .

           

          Here's my commands and resulting standalone.xml Datasource plus credentials-store, any ideas? I don't see an alias reference in the standalone.xml credential-store, not sure if that is required - being a first time user of this feature I would expect that.

           

          <code>

          ./elytron-tool.sh mask -i 2500 -s eightcha -x password123

          (result)

          MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500

           

          /subsystem=elytron/credential-store=my_store:add(location="credentials/mystore.jceks", relative-to=jboss.server.data.dir,  credential-reference={clear-text="MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500"},create=true)

           

          /subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500")

          </code>
          <code>

                          <datasource jta="true" jndi-name="java:/sqlDataSourcelocal" pool-name="sqlDataSourcelocal" enabled="true" use-java-context="true" use-ccm="true">

                              <connection-url>jdbc:sqlserver://sqlserver.myhost.local;databaseName=dev2;sendStringParametersAsUnicode=false</connection-url>

                              <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>

                              <driver>mssqljdbc700jre10.jar</driver>

                              <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>

                              <pool>

                                  <min-pool-size>10</min-pool-size>

                                  <max-pool-size>100</max-pool-size>

                                  <prefill>true</prefill>

                                  <use-strict-min>false</use-strict-min>

                                  <flush-strategy>IdleConnections</flush-strategy>

                              </pool>

                              <security>

                                  <user-name>myusername</user-name>

                                  <credential-reference store="my_store" alias="database-pw"/>

                              </security>

                              <validation>

                                  <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>

                                  <validate-on-match>false</validate-on-match>

                                  <background-validation>false</background-validation>

                                  <use-fast-fail>false</use-fast-fail>

                                  </validation>

                              <statement>

                                  <prepared-statement-cache-size>0</prepared-statement-cache-size>

                                  <share-prepared-statements>true</share-prepared-statements>

                              </statement>

                          </datasource>

           

                        <credential-stores>

                          <credential-store name="my_store" relative-to="jboss.server.data.dir" location="credentials/mystore.jceks" create="true">

                              <credential-reference clear-text="MASK-010Ca5fyPKAo00tB.w4axs;eightcha;2500"/>

                          </credential-store>

                      </credential-stores>

          </code>
          • 2. Re: credential-reference using salt instead of clear-text
            Greg Jewell Expert

            What version of JBoss/Wildfly are you attempting this with?  There's a bug that was addressed in JBoss EAP 7.1 that allows this functionality.

             

            [JBEAP-8544] credential-reference not able to use masked passwords - JBoss Issue Tracker

            Which references

             

            [JBEAP-9025] CS tool, Add possibility to produce masked password - JBoss Issue Tracker

             

            I'm not certain whether the CLI would have allowed the masked password prior to these fixes and then just failed to utilize it properly at runtime, or whether the CLI wouldn't haven't accepted the masked password to begin with.

             

            Edit: I missed from your second post that you are using WF15.  If you weren't aware of the defects that I just pointed out, I'd suggest seeing whether they were pushed back out to Wildfly yet.

            • 3. Re: credential-reference using salt instead of clear-text
              robert lazarski Newbie

              Thanks for the reply. I am running Wildfly 15. I mentioned that in my

              second post though I could have made that more clear.

               

              Those issues are from 2017. I would expect those issues would be fixed

              upstream in Wildfly by now, is that the case?

              • 4. Re: credential-reference using salt instead of clear-text
                simkam Novice

                Hi,

                 

                I think that in second command you should use just plain password. It won't be exposed in standalone.xml.

                 

                /subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="password123")

                • 5. Re: credential-reference using salt instead of clear-text
                  robert lazarski Newbie

                  Thank you Martin your command worked for me. Problem solved.

                   

                  Best regards,

                  Robert