-
1. Re: credential-reference using salt instead of clear-text
robertlazarski Feb 3, 2019 7:53 PM (in response to robertlazarski)
Since I posted this question, I found the syntax I might need; however, I am getting a "SQLServerException: Login failed" when I use the xml snippet in the Wildfly 15 standalone.xml <credential-reference store="my_store" alias="database-pw"/> instead of <password>password123</password>.
Here are my commands and the resulting standalone.xml Datasource plus credentials-store, any ideas? I don't see an alias reference in the standalone.xml credential-store, not sure if that is required - being a first time user of this feature I would expect that.
<code>
./elytron-tool.sh mask -i 2500 -s eightcha -x password123
(result)
MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500
/subsystem=elytron/credential-store=my_store:add(location="credentials/mystore.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text="MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500"},create=true)
/subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="MASK-2d2azDhipVOcOYeeIUkpvP;eightcha;2500")
</code>
<code>
<datasource jta="true" jndi-name="java:/sqlDataSourcelocal" pool-name="sqlDataSourcelocal" enabled="true" use-java-context="true" use-ccm="true">
    <connection-url>jdbc:sqlserver://sqlserver.myhost.local;databaseName=dev2;sendStringParametersAsUnicode=false</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
    <driver>mssqljdbc700jre10.jar</driver>
    <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
    <pool>
        <min-pool-size>10</min-pool-size>
        <max-pool-size>100</max-pool-size>
        <prefill>true</prefill>
        <use-strict-min>false</use-strict-min>
        <flush-strategy>IdleConnections</flush-strategy>
    </pool>
    <security>
        <user-name>myusername</user-name>
        <credential-reference store="my_store" alias="database-pw"/>
    </security>
    <validation>
        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
        <validate-on-match>false</validate-on-match>
        <background-validation>false</background-validation>
        <use-fast-fail>false</use-fast-fail>
    </validation>
    <statement>
        <prepared-statement-cache-size>0</prepared-statement-cache-size>
        <share-prepared-statements>true</share-prepared-statements>
    </statement>
</datasource>
<credential-stores>
    <credential-store name="my_store" relative-to="jboss.server.data.dir" location="credentials/mystore.jceks" create="true">
        <credential-reference clear-text="MASK-010Ca5fyPKAo00tB.w4axs;eightcha;2500"/>
    </credential-store>
</credential-stores>
</code>
-
2. Re: credential-reference using salt instead of clear-text
jewellgm Feb 4, 2019 3:18 PM (in response to robertlazarski)
What version of JBoss/Wildfly are you attempting this with? There's a bug that was addressed in JBoss EAP 7.1 that allows this functionality.
[JBEAP-8544] credential-reference not able to use masked passwords - JBoss Issue Tracker
Which references
[JBEAP-9025] CS tool, Add possibility to produce masked password - JBoss Issue Tracker
I'm not certain whether the CLI would have allowed the masked password prior to these fixes and then just failed to utilize it properly at runtime, or whether the CLI wouldn't have accepted the masked password to begin with.
Edit: I missed from your second post that you are using WF15. If you weren't aware of the defects that I just pointed out, I'd suggest seeing whether they were pushed back out to Wildfly yet.
-
3. Re: credential-reference using salt instead of clear-text
robertlazarski Feb 5, 2019 11:15 AM (in response to jewellgm)
Thanks for the reply. I am running Wildfly 15. I mentioned that in my second post though I could have made that more clear.
Those issues are from 2017. I would expect those issues would be fixed upstream in Wildfly by now, is that the case?
-
4. Re: credential-reference using salt instead of clear-text
simkam Feb 6, 2019 6:29 AM (in response to robertlazarski)
Hi,
I think that in the second command you should use just the plain password. It won't be exposed in standalone.xml.
/subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="password123")
-
5. Re: credential-reference using salt instead of clear-text
robertlazarski Feb 9, 2019 1:34 PM (in response to simkam)
Thank you Martin, your command worked for me. Problem solved.
Best regards,
Robert
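
A static check for the configuration discussed in this thread, added here as an example (not code from the posters or from WildFly): it scans a standalone.xml for datasources that still carry a clear-text `<password>` and for `credential-reference` elements that name a store the file does not define. The sample document and the pool names `legacyDS` and `typoDS` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's standalone.xml, plus two faulty datasources.
SAMPLE = """<server><datasources>
 <datasource pool-name="sqlDataSourcelocal"><security>
  <user-name>myusername</user-name>
  <credential-reference store="my_store" alias="database-pw"/>
 </security></datasource>
 <datasource pool-name="legacyDS"><security>
  <user-name>myusername</user-name><password>password123</password>
 </security></datasource>
 <datasource pool-name="typoDS"><security>
  <credential-reference store="mystore" alias="database-pw"/>
 </security></datasource>
</datasources><credential-stores>
 <credential-store name="my_store" location="credentials/mystore.jceks">
  <credential-reference clear-text="MASK-010Ca5fyPKAo00tB.w4axs;eightcha;2500"/>
 </credential-store>
</credential-stores></server>"""

def local(elem):
    """Tag name without its namespace, so any subsystem schema version matches."""
    return elem.tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (pool-or-store name, problem) pairs found in a standalone.xml document."""
    root = ET.fromstring(xml_text)
    stores = {e.get("name"): e for e in root.iter() if local(e) == "credential-store"}
    findings = []
    for name, store in stores.items():
        for ref in store:
            secret = ref.get("clear-text", "")
            if local(ref) == "credential-reference" and secret and not secret.startswith("MASK-"):
                findings.append((name, "store password is in clear text"))
    for ds in root.iter():
        if local(ds) not in ("datasource", "xa-datasource"):
            continue
        pool = ds.get("pool-name")
        for e in ds.iter():
            if local(e) == "password" and (e.text or "").strip():
                findings.append((pool, "clear-text <password> element"))
            elif local(e) == "credential-reference":
                if e.get("clear-text"):
                    findings.append((pool, "inline clear-text credential"))
                elif e.get("store") not in stores:
                    findings.append((pool, "references undefined store %r" % e.get("store")))
    return findings

if __name__ == "__main__":
    for where, problem in audit(SAMPLE):
        print(f"{where}: {problem}")
```

The check only reads standalone.xml, so it cannot tell what value was stored under an alias; a wrong secret inside the store, as in this thread, still surfaces only as a login failure at runtime.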