Masking Passwords in JBossAS XML Configuration


    DZone: http://server.dzone.com/articles/security-features-jboss-510-0

     

    Background

    Nobody likes seeing passwords in clear text in an XML file. JBoss AS provides several mechanisms for masking passwords in its XML configuration, and this document is a single reference for them. Note that masking moves the secret rather than removing it: the encrypted values, the keystore and the file holding the keystore password become the sensitive artifacts and must be protected (file permissions, backups, source control) as carefully as the plaintext passwords were.

     

    Other Information

    1. Encrypting Data Source Passwords
    2. Encrypting Keystore Password in Tomcat Connector
    3. Encrypting Ldap Password in the LdapExtLoginModule
    4. JBoss AS/JBossMC: Adding secure behavior to POJOs

     

    Masking password attributes in JBoss Microcontainer Bean definitions

    JIRA : https://jira.jboss.org/jira/browse/JBAS-6710

     

    Availability:  JBoss AS 5.1 onwards

     

    Steps to perform

    Generate a keystore first (follow the DZone article above).

     

    1. Use the Password Tool (described below) to store the password under a security domain of your choosing.
    2. Configure the @Password annotation on each MC bean whose password you want to mask. An example is provided below.

     

     

    Password Tool

    A command line tool provides centralized password management. The script, password_tool.sh, is located in the bin directory. The files it generates under bin/password are shared by all server configurations (default, all, etc.), so you run the tool once from bin and every configuration can make use of the result.

     

    =============================================

    anil@localhost:~/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/bin$ ./password_tool.sh
    **********************************
    ****  JBoss Password Tool********
    **********************************
    Error while trying to load data:Encrypted password file not located
    Maybe it does not exist and need to be created.
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit

    0
    Enter Keystore password
    testpass
    Enter Salt (String should be at least 8 characters)
    AnyStringThatIsLong
    Enter Iterator Count (integer value)
    111
    Keystore Password encrypted into password/jboss_keystore_pass.dat

     

    Loading domains [
    ]
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit
    2
    Enter security domain:
    messaging
    Enter passwd:
    myPass
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 4:Enquire Domain 5:Exit
    5
    org.jboss.security.integration.password.PasswordTool$ShutdownHook run called
    Storing domains [
    messaging,
    ]

    =====================================================================
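The tool session above writes the encrypted keystore password to password/jboss_keystore_pass.dat, and the keystore and the per-domain encrypted passwords sit alongside it. Anyone who can read those files (and knows the salt and iteration count) can recover every masked password, so those files are now the secret and should be readable by the JBoss service account only. The following script, an added example that is not part of the original page or of JBoss AS, walks such a directory and reports regular files with any group or world permission bits. The sample directory it builds is constructed for the example; the file name jboss_keystore_pass.dat comes from the tool's output above, the other two names are assumptions.

```python
"""Report files in the password tool's output directory that others can read.

Added example, not JBoss code. Only jboss_keystore_pass.dat is a name taken
from the page; server.keystore and jboss_password_enc.dat are assumed names.
"""
import os
import stat
import tempfile


def find_exposed_files(password_dir, allowed_mask=0o600):
    """Return sorted [(relative_path, mode)] for regular files under
    password_dir whose permission bits fall outside allowed_mask
    (default: owner read/write only). Non-regular files are skipped."""
    exposed = []
    for root, _dirs, files in os.walk(password_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed_mask:
                exposed.append((os.path.relpath(path, password_dir), mode))
    return sorted(exposed)


def build_sample_dir():
    """Constructed sample: the keystore-password file stored safely, a
    keystore left world-readable and an encrypted-password file left
    group-readable. Contents are placeholders, not real encrypted data."""
    base = tempfile.mkdtemp(prefix="jboss-password-")
    layout = {
        "jboss_keystore_pass.dat": 0o600,  # name from the tool output above
        "server.keystore": 0o644,          # assumed name; too permissive
        "jboss_password_enc.dat": 0o640,   # assumed name; group-readable
    }
    for name, mode in layout.items():
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real encrypted blob\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    sample = build_sample_dir()
    for rel, mode in find_exposed_files(sample):
        print(f"EXPOSED {rel}: mode {oct(mode)}")
```

Point find_exposed_files at JBAS/bin/password on a real installation; an empty result means every file there is owner-only. The check is deliberately stricter than most umasks produce, because a 0640 file is enough for any other member of the service account's group to decrypt the stored passwords.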

     

    Configure the MC Beans

     

    You will need to add an annotation to the bean definition. Let's take the example of the JBoss Messaging SecurityStore MC bean defined in deploy/messaging/messaging-jboss-beans.xml.

     

    Before:

     <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
          <!-- default security configuration -->
          <property name="defaultSecurityConfig">
             <![CDATA[
                <security>
                   <role name="guest" read="true" write="true" create="true"/>
                </security>
             ]]>
          </property>
          <property name="suckerPassword">CHANGE ME!!</property>
          <property name="securityDomain">messaging</property>
          <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
    </bean>
    

     

    After:

     

     <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
          <!-- default security configuration -->
          <property name="defaultSecurityConfig">
             <![CDATA[
                <security>
                   <role name="guest" read="true" write="true" create="true"/>
                </security>
             ]]>
          </property>
          <property name="securityDomain">messaging</property>
          <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
          <!-- Password Annotation to inject the password from the common password
            utility -->
          <annotation>@org.jboss.security.integration.password.Password(securityDomain="messaging",
    methodName="setSuckerPassword")</annotation>    
       </bean>
    

    The suckerPassword property has been removed and replaced by the @Password MC annotation. Its configuration names the security domain under which the password was stored with the password tool ("messaging", matching the domain created in the tool session above) and the setter on the bean (setSuckerPassword) through which the decrypted password is injected at deployment time. Leaving the plaintext property in place alongside the annotation defeats the purpose, so make sure it is actually gone, and never leave the shipped "CHANGE ME!!" value in a deployed configuration.
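The Before/After pair above is easy to get wrong by hand: the literal property survives next to the annotation, or the securityDomain in the annotation does not match a domain stored with the password tool. The script below is an added example, not part of the original page or of JBoss AS. It parses a bean deployment descriptor and reports a property whose name suggests a secret and whose value is a literal, an @org.jboss.security.integration.password.Password annotation whose setter is still also set as a literal property, and an annotation whose securityDomain is unknown. The SecurityStore bean from this page is embedded as constructed sample input (root element and namespace are assumed), together with a deliberately broken variant; the set of known domains, {"messaging"}, is assumed from the tool session above.

```python
"""Audit JBoss Microcontainer bean XML for plaintext and mis-masked passwords.

Added example, not JBoss code. Sample descriptors are constructed from the
SecurityStore bean shown on the page; root element and namespace are assumed.
"""
import re
import xml.etree.ElementTree as ET

SECRET_NAME = re.compile(r"password|passwd|secret|credential", re.IGNORECASE)
PASSWORD_ANNOTATION = re.compile(
    r"@org\.jboss\.security\.integration\.password\.Password\s*\((?P<args>.*?)\)",
    re.DOTALL,
)
ANNOTATION_ARG = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def setter_to_property(method_name):
    """JavaBean convention: setSuckerPassword -> suckerPassword."""
    if method_name.startswith("set") and len(method_name) > 3:
        rest = method_name[3:]
        return rest[0].lower() + rest[1:]
    return method_name


def audit_beans(xml_text, known_domains):
    """Return [(bean_name, kind, detail)] in document order; kind is one of
    'plaintext', 'still-literal' or 'unknown-domain'."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local_name(bean.tag) != "bean":
            continue
        bean_name = bean.get("name", "<unnamed>")
        # Literal-valued properties only; <property><inject/></property> is not one.
        literals = {}
        for child in bean:
            if local_name(child.tag) == "property" and len(child) == 0:
                value = (child.text or "").strip()
                if value:
                    literals[child.get("name", "")] = value
        for pname in literals:
            if SECRET_NAME.search(pname):
                findings.append((bean_name, "plaintext", pname))
        for child in bean:
            if local_name(child.tag) != "annotation":
                continue
            match = PASSWORD_ANNOTATION.search(child.text or "")
            if not match:
                continue
            args = dict(ANNOTATION_ARG.findall(match.group("args")))
            target = setter_to_property(args.get("methodName", ""))
            if target in literals:
                findings.append((bean_name, "still-literal", target))
            domain = args.get("securityDomain")
            if domain not in known_domains:
                findings.append((bean_name, "unknown-domain", str(domain)))
    return findings


def sample_bean(body):
    """Constructed descriptor around the page's SecurityStore bean."""
    return ('<deployment xmlns="urn:jboss:bean-deployer:2.0">'
            '<bean name="SecurityStore" '
            'class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">'
            '<property name="securityDomain">messaging</property>'
            '<property name="securityManagement">'
            '<inject bean="JNDIBasedSecurityManagement"/></property>'
            + body + "</bean></deployment>")


ANNOTATION_XML = ('<annotation>@org.jboss.security.integration.password.Password('
                  'securityDomain="{domain}",\nmethodName="setSuckerPassword")'
                  "</annotation>")
PLAINTEXT_PROPERTY = '<property name="suckerPassword">CHANGE ME!!</property>'

BEFORE = sample_bean(PLAINTEXT_PROPERTY)                          # page's Before
AFTER = sample_bean(ANNOTATION_XML.format(domain="messaging"))    # page's After
BROKEN = sample_bean(PLAINTEXT_PROPERTY                           # both, plus a typo
                     + ANNOTATION_XML.format(domain="messagin"))
KNOWN_DOMAINS = {"messaging"}  # assumed: domains stored with the password tool

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER), ("broken", BROKEN)):
        print(label, audit_beans(xml, KNOWN_DOMAINS))
```

Run audit_beans over every *-jboss-beans.xml under a server configuration's deploy directory; the known-domain set can be filled from the password tool's "Enquire Domain" menu entry. Because the name heuristic is only a regular expression, a property carrying a secret under an unrelated name (for example the sucker password on a differently named bean) will not be flagged, so treat an empty result as necessary, not sufficient.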


    Additional Information

    The keystore used in the examples was created as follows. The command is shown as the author ran it, with a 1024-bit RSA key; for a new deployment use -keysize 2048 or larger, since 1024-bit RSA keys are below current minimum recommendations.

    $ keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore server.keystore
    Enter keystore password:  testpass
    What is your first and last name?
      [Unknown]:  JBoss Security
    What is the name of your organizational unit?
      [Unknown]:  JBoss Division
    What is the name of your organization?
      [Unknown]:  Red Hat Inc
    What is the name of your City or Locality?
      [Unknown]:  Raleigh
    What is the name of your State or Province?
      [Unknown]:  NC
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=JBoss Security, OU=JBoss Division, O=Red Hat Inc, L=Raleigh, ST=NC, C=US correct?
      [no]:  yes
    
    Enter key password for <jboss>
            (RETURN if same as keystore password):
    

     

     

    Testcase in JBoss AS

    Caveat: if the test fails, remove the jboss-*.dat files (output of earlier password tool runs) from your JBAS/bin/password folder and run the test again.

    anil@localhost:~/jboss-6.0/jboss-head/testsuite$  ant tests-password-mask
    
    tests-password-mask:
         [echo] creating password-mask config
         [echo] Overwriting config descriptors
         [copy] Copying 3 files to /home/anil/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/server/password-mask
    [server:start] Starting server "password-mask", with command (start timeout is 120 seconds ):
    [server:start] /opt/java/jdk1.5.0_18/bin/java -cp /home/anil/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/bin/run.jar:/opt/java/jdk1.5.0_18/lib/tools.jar -Xms128m -Xmx256m -XX:MaxPermSize=512m  -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/home/anil/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/lib/endorsed -Djboss.server.log.threshold=DEBUG org.jboss.Main -c password-mask -b localhost -g DefaultPartition
    [server:start] Server started.
         [echo] Starting patternset=password.mask.includes config=PASSWORD_MASK
        [junit] Running org.jboss.test.passwordinjection.test.PasswordInjectionUnitTestCase
        [junit] Running org.jboss.test.passwordinjection.test.PasswordInjectionUnitTestCase
        [junit] Tests run: 1, Failures: 0, Errors: 0, Time elapsed: 1.578 sec
    [server:stop] Shutting down server: password-mask
    [server:stop] shutdownTimeout will be=45
    [server:stop] Server stopped.
    
    BUILD SUCCESSFUL
    Total time: 51 seconds
    

    The test case uses a security domain named "test-bean", which was stored in the encrypted password file with the password tool; that file is provided under the conf directory of the server/password-mask server configuration.