12 Replies Latest reply on May 25, 2007 12:26 PM by jitubats

    Howto encrypt connection factory passwords

    Scott Stark Master

      There was a question on how to encrypt the database passwords showing up in the *-ds.xml files recently. Answer: you can't. This file is a simple configuration that does not support encryption. If your database supports hashed passwords, then you can use that, but specifying an encrypted key that needs decryption via another key is not supported.


      You do not have to specify the username/password for a connection in the *-ds.xml file however. You can use JAAS to obtain this information however you want, including the handling of an encrypted password. An example login module has been added to the 3.2 branch which demonstrates a simple way to do this. To use it with the default hsqldb database config, first remove the username and password settings from the deploy/hsqldb-ds.xml file. Then, edit the conf/login-config.xml file and change the HsqlDbRealm to the following:

      <application-policy name = "HsqlDbRealm">
         <authentication>
            <!-- Supplies the datasource credentials; the password value is the module's encoded form -->
            <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
               flag = "required">
               <module-option name = "username">sa</module-option>
               <module-option name = "password">-207a6df87216de44</module-option>
               <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
            </login-module>
         </authentication>
      </application-policy>

      The password here is the encrypted form supported by this login module and corresponds to the default empty string password. The password is encrypted/decrypted using a hard-coded cipher algo of Blowfish, and a key derived from the phrase 'jaas is the way'. Get the code and adjust to your requirements.
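
The scheme described in the post, as an added Java example that is not part of the original post and not the JBoss source: it encodes and decodes a password with Blowfish keyed by the quoted phrase, which shows that the value in login-config.xml is reversible by anyone who has the phrase, so the file needs the same access control as a plaintext password. The class and method names are hypothetical, and the signed-hex output format and the UTF-8 charset are assumptions based on the value shown in the post.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class and method names are hypothetical, not the JBoss source.
public class SecureIdentityDemo {
    // Key phrase quoted in the post. It ships with the code, so it is not a secret.
    static final byte[] KEY = "jaas is the way".getBytes(StandardCharsets.US_ASCII);

    static Cipher cipher(int mode) throws Exception {
        // Bare "Blowfish" resolves to Blowfish/ECB/PKCS5Padding in the SunJCE provider.
        Cipher c = Cipher.getInstance("Blowfish");
        c.init(mode, new SecretKeySpec(KEY, "Blowfish"));
        return c;
    }

    // Password -> signed hex string (assumed format, matching the value in the post).
    static String encode(String password) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE).doFinal(password.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(ct).toString(16);
    }

    // Signed hex string -> password.
    static String decode(String hex) throws Exception {
        BigInteger n = new BigInteger(hex, 16);
        byte[] raw = n.toByteArray();
        // BigInteger drops redundant sign bytes; sign-extend back to whole 8-byte blocks.
        int len = ((raw.length + 7) / 8) * 8;
        byte[] ct = new byte[len];
        Arrays.fill(ct, (byte) (n.signum() < 0 ? 0xFF : 0x00));
        System.arraycopy(raw, 0, ct, len - raw.length, raw.length);
        return new String(cipher(Cipher.DECRYPT_MODE).doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String fromPost = "-207a6df87216de44";   // value from the post's HsqlDbRealm
        System.out.println("decoded length: " + decode(fromPost).length());
        String sample = "constructed-sample-pw"; // constructed test input
        String enc = encode(sample);
        System.out.println(enc + " round-trips: " + sample.equals(decode(enc)));
    }
}
```

Replacing the `KEY` phrase changes every encoded value, so existing entries in login-config.xml must be re-encoded with the new phrase.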