Masking passwords for WildFly using non-interactive VaultTool

Version 1

    VaultTool, shipped with the WildFly Application Server, creates and manages a store for secured attributes (e.g. passwords); the stored attributes can then be referenced in masked form from the WildFly configuration files.

    Users can therefore put references to their secured attributes into the configuration files instead of clear-text values.

    VaultTool has an interactive user interface for creating the secured vault and for storing attributes in it or removing them from it. More at https://community.jboss.org/wiki/JBossAS7SecuringPasswords and https://community.jboss.org/wiki/AS7UtilisingMaskedPasswordsViaTheVault .

     

    I would like to present VaultTool's non-interactive interface (a pure command line utility).

    VaultTool can be found in the WildFly bin directory as the script vault.sh or vault.bat. When it is started with any parameter, it runs in non-interactive mode.

    One can try:

    vault.sh --help

    Recent changes to VaultTool require a new key store type (JCEKS), so here is an example of how to create such a key store:

    keytool -genseckey -alias Vault -storetype jceks -keyalg AES -keysize 128 -storepass secretsecret -keypass secretsecret -keystore key.store

    keytool is the JDK utility for working with key stores.

    Once the key store with our secret key has been created, we can store the password for our database in the security vault:

    vault.sh --keystore key.store --keystore-password secretsecret --alias Vault --vault-block vb --attribute jca-pass --sec-attr mydbsecret --enc-dir ./vault --iteration 95 --salt ABCD1234

    Here is the output of our command:

    =========================================================================
    
      JBoss Vault
    
      JBOSS_HOME: /home/pskopek/dev/wildfly/as/build/target/wildfly-9.0.0.Alpha1-SNAPSHOT
    
      JAVA: /opt/sun/jdk1.7.0_60/bin/java
    
    =========================================================================
    
    Aug 28, 2014 2:05:32 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
    INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
    WFLYSEC0047: Secured attribute value has been stored in Vault.
    Please make note of the following:
    ********************************************
    Vault Block:vb
    Attribute Name:jca-pass
    Configuration should be done as follows:
    VAULT::vb::jca-pass::1
    ********************************************
    WFLYSEC0048: Vault Configuration in WildFly configuration file:
    ********************************************
    ...
    </extensions>
    <vault>
      <vault-option name="KEYSTORE_URL" value="key.store"/>
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-1bHB.dZp5bUlvW46BM2Nfu"/>
      <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
      <vault-option name="SALT" value="ABCD1234"/>
      <vault-option name="ITERATION_COUNT" value="95"/>
      <vault-option name="ENC_FILE_DIR" value="./vault/"/>
    </vault><management> ...
    ********************************************

    See line 13 of the output, which says that the new secured attribute has been stored in our vault. Line 19 shows how the secured attribute is referenced in the WildFly configuration.

    Lines 25 - 32 show the vault configuration, including the masked key store password (salted with ABCD1234 and iterated 95 times). This configuration can be pasted directly into our standalone.xml configuration file.
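    As an added example (not part of the original article or of WildFly itself), the following Python script automates what the output above asks the reader to do by hand: it pulls the VAULT::... reference and the <vault> element out of VaultTool's output, inserts that element into standalone.xml right after </extensions> (refusing to add a second one), and reports any <password> element that still holds a clear-text value instead of a vault reference. The VaultTool output is reproduced from this page; the ${...} wrapping of references and the standalone.xml fragment used in the checks are my assumptions.

```python
import re

# Constructed sample: the relevant lines of the VaultTool output shown above.
VAULT_TOOL_OUTPUT = """\
WFLYSEC0047: Secured attribute value has been stored in Vault.
Configuration should be done as follows:
VAULT::vb::jca-pass::1
WFLYSEC0048: Vault Configuration in WildFly configuration file:
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="key.store"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-1bHB.dZp5bUlvW46BM2Nfu"/>
  <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
  <vault-option name="SALT" value="ABCD1234"/>
  <vault-option name="ITERATION_COUNT" value="95"/>
  <vault-option name="ENC_FILE_DIR" value="./vault/"/>
</vault><management> ...
"""

# A vault reference is VAULT::<vault-block>::<attribute-name>::<sequence number>.
VAULT_REF = re.compile(r"VAULT::(?P<block>[^:\s{}]+)::(?P<attr>[^:\s{}]+)::(?P<seq>\d+)")

def parse_vault_tool_output(text):
    """Return the vault reference and the <vault> element printed by VaultTool."""
    ref = VAULT_REF.search(text)
    vault = re.search(r"<vault>.*?</vault>", text, re.S)
    if ref is None or vault is None:
        raise ValueError("no vault reference / <vault> element found in VaultTool output")
    return ref.group(0), vault.group(0)

def insert_vault_config(standalone_xml, vault_xml):
    """Put <vault> right after </extensions>, as in the VaultTool output; refuse a second one."""
    if "<vault>" in standalone_xml:
        raise ValueError("standalone.xml already contains a <vault> element")
    if "</extensions>" not in standalone_xml:
        raise ValueError("no </extensions> element found; is this a standalone.xml?")
    return standalone_xml.replace("</extensions>", "</extensions>\n    " + vault_xml, 1)

def cleartext_passwords(standalone_xml):
    """Return <password> values that are not vault references (i.e. still in clear text)."""
    # Accept both the bare form printed by VaultTool and the ${...} form used in configuration (assumed).
    found = []
    for value in re.findall(r"<password>\s*(.*?)\s*</password>", standalone_xml, re.S):
        inner = value[2:-1] if value.startswith("${") and value.endswith("}") else value
        if not VAULT_REF.fullmatch(inner):
            found.append(value)
    return found
```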

     

    VaultTool can also be used to check whether a secured attribute exists in the vault:

    vault.sh --keystore key.store --keystore-password secretsecret --alias Vault --check-sec-attr --vault-block vb --attribute jca-pass --enc-dir ./vault --iteration 95 --salt ABCD1234

    Here is the output of our command:

    =========================================================================
    
      JBoss Vault
    
      JBOSS_HOME: /home/pskopek/dev/wildfly/as/build/target/wildfly-9.0.0.Alpha1-SNAPSHOT
    
      JAVA: /opt/sun/jdk1.7.0_60/bin/java
    
    =========================================================================
    
    Aug 28, 2014 2:15:52 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
    INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
    WFLYSEC0080: Secured attribute (password) already exists.
    WFLYSEC0048: Vault Configuration in WildFly configuration file:
    ********************************************
    ...
    </extensions>
    <vault>
      <vault-option name="KEYSTORE_URL" value="key.store"/>
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-1bHB.dZp5bUlvW46BM2Nfu"/>
      <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
      <vault-option name="SALT" value="ABCD1234"/>
      <vault-option name="ITERATION_COUNT" value="95"/>
      <vault-option name="ENC_FILE_DIR" value="./vault/"/>
    </vault><management> ...
    ********************************************

    Let's remove the secured attribute from the vault:

    vault.sh --keystore key.store --keystore-password secretsecret --alias Vault --remove-sec-attr --vault-block vb --attribute jca-pass --enc-dir ./vault --iteration 95 --salt ABCD1234

    Output:

    =========================================================================
    
      JBoss Vault
    
      JBOSS_HOME: /home/pskopek/dev/wildfly/as/build/target/wildfly-9.0.0.Alpha1-SNAPSHOT
    
      JAVA: /opt/sun/jdk1.7.0_60/bin/java
    
    =========================================================================
    
    Aug 28, 2014 2:17:31 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
    INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
    Secured attribute [vb::jca-pass] has been successfuly removed from vault

    Check the attribute that was just removed:

    vault.sh --keystore key.store --keystore-password secretsecret --alias Vault --check-sec-attr --vault-block vb --attribute jca-pass --enc-dir ./vault --iteration 95 --salt ABCD1234

    Output:

    =========================================================================
    
      JBoss Vault
    
      JBOSS_HOME: /home/pskopek/dev/wildfly/as/build/target/wildfly-9.0.0.Alpha1-SNAPSHOT
    
      JAVA: /opt/sun/jdk1.7.0_60/bin/java
    
    =========================================================================
    
    Aug 28, 2014 2:18:01 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
    INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
    WFLYSEC0081: Secured attribute (password) doesn't exist.