Sunday, August 13, 2017

Documentum - Oracle query to find file path

This is a small tweak of this useful post: https://msroth.wordpress.com/2011/09/04/finding-an-objects-content-file/

It was tested with Documentum 6.7 and Oracle database 11g.
select
    CR.parent_id AS OID,
    L.file_system_path AS Base_Path,
    CS.data_ticket AS Ticket,   
    TRIM(TO_CHAR(TO_NUMBER(CS.data_ticket) + 4294967296, 'XXXXXXXX')) AS Ticket_HEX,
    '/' ||
    SUBSTR(TRIM(TO_CHAR(TO_NUMBER(CS.data_ticket) + 4294967296, 'XXXXXXXX')), 1, 2) || '/' ||
    SUBSTR(TRIM(TO_CHAR(TO_NUMBER(CS.data_ticket) + 4294967296, 'XXXXXXXX')), 3, 2) || '/' ||
    SUBSTR(TRIM(TO_CHAR(TO_NUMBER(CS.data_ticket) + 4294967296, 'XXXXXXXX')), 5, 2) || '/'  AS DIRECTORY,       
    SUBSTR(TRIM(TO_CHAR(TO_NUMBER(CS.data_ticket) + 4294967296, 'XXXXXXXX')), 7, 2) || '.' || CS.full_format AS FILE_NAME,
    CS.full_format AS FILE_EXTENSION,
    CS.full_content_size AS FILE_SIZE   
from 
    DMR_CONTENT_S CS, 
    DMR_CONTENT_R CR, 
    DM_FILESTORE_S F, 
    DM_LOCATION_S L, 
    DM_SYSOBJECT_S S 
where 
    CS.r_object_id = CR.r_object_id 
    AND CR.parent_id = '0898968180000ada'
    AND CS.storage_id = F.r_object_id
    AND F.root = S.object_name 
    AND S.r_object_id = L.r_object_id;

Result:

Note: As stated in the referenced post, 4294967296 is 2^32, and it is used to convert the negative ticket number to hexadecimal.
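The same conversion outside the database, as an added shell example (not from this post or the referenced one). The function name ticket_to_path and the sample tickets are constructed; it assumes data_ticket is a signed 32-bit integer, as the 2^32 offset implies, and it goes slightly beyond the query by leaving non-negative tickets unchanged and by validating the format before it becomes part of a file name.

```sh
#!/bin/sh
# Added example: rebuild DIRECTORY + FILE_NAME of the query from a raw
# data_ticket value. Names and sample values are constructed.

# ticket_to_path TICKET FORMAT  ->  prints /XX/XX/XX/XX.FORMAT
ticket_to_path() {
    ticket=$1
    format=$2

    # Accept only an optionally signed decimal without leading zeros
    # (a leading zero would be read as octal by shell arithmetic).
    case $ticket in
        ''|-|*[!0-9-]*|?*-*|0?*|-0*) echo "invalid ticket: $ticket" >&2; return 1 ;;
    esac
    if [ "${#ticket}" -gt 11 ]; then
        echo "ticket out of range: $ticket" >&2; return 1
    fi
    # Assumption: data_ticket is a signed 32-bit integer.
    if [ "$ticket" -lt -2147483648 ] || [ "$ticket" -gt 2147483647 ]; then
        echo "ticket out of range: $ticket" >&2; return 1
    fi
    # The format ends up in a file name, so refuse separators and dots.
    case $format in
        ''|*[!A-Za-z0-9_]*) echo "invalid format: $format" >&2; return 1 ;;
    esac

    # Two's complement: a negative ticket plus 2^32 is its unsigned form.
    if [ "$ticket" -lt 0 ]; then
        ticket=$((ticket + 4294967296))
    fi

    # Each byte of the 32-bit value is one path component, in upper-case
    # hex like the 'XXXXXXXX' format mask used in the query.
    printf '/%02X/%02X/%02X/%02X.%s\n' \
        $(( (ticket >> 24) & 255 )) $(( (ticket >> 16) & 255 )) \
        $(( (ticket >> 8) & 255 )) $(( ticket & 255 )) "$format"
}

# Constructed sample: -2147474649 + 2^32 = 0x80002327
ticket_to_path -2147474649 pdf
```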

Friday, August 11, 2017

JBoss - Vault utility outside JBoss

JBoss Password Vault is a tool to store and retrieve encrypted passwords. It's based on a keystore (which contains a private key) used to encrypt passwords, and a data file to store them. Check the JBoss development guide for more info.

When working with JBoss, you can configure your Vault with a tool that is also provided, and then you only need to reference a set of configuration values from the standalone.xml/domain.xml files. Then, you can store new passwords in the Vault, each of them referenced by a string in the format "VAULT::XXXX::YYYY::n". Any time you need to use these passwords, you can place them in JBoss config files (with ${}) or use them inside your EAR/WARs by decrypting them manually with SecurityVault. JBoss uses PicketBox to encrypt/decrypt these passwords.

When you configure JBoss Vault, you begin with a keystore file, specify some configuration values, and obtain a data store file. All of this is then referenced in JBoss by an XML snippet, as described in the development guide.

Here are the steps to create the keystore, configure the Vault, and store a new password in it:
1) Create the keystore:
keytool -genseckey -alias jboss -storetype jceks -keyalg AES -keysize 128 -storepass 123456 -keypass 123456 -validity 999 -keystore vault(123456).keystore

2) Configure the Vault:
Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:C:/Servers/jboss-eap-6.4/VAULT/
Enter Keystore URL:C:/Servers/jboss-eap-6.4/VAULT/vault(123456).keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:1234abcd
Enter iteration count as a number (Eg: 44):100
Enter Keystore Alias:jboss
Initializing Vault
ago 11, 2017 12:56:53 PM org.jboss.security.vault.SecurityVaultFactory secondVaultInfo
WARN: PBOX000378: Attempt to create the second Security Vault [org.picketbox.plugins.vault.PicketBoxSecurityVault] is invalid. Only one Security Vault is supported. Change your configuration, please.
ago 11, 2017 12:56:53 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in configuration file:
********************************************
...
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="C:/Servers/jboss-eap-6.4/VAULT/vault(123456).keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-AwOVVL6T7qb"/>
  <vault-option name="KEYSTORE_ALIAS" value="jboss"/>
  <vault-option name="SALT" value="1234abcd"/>
  <vault-option name="ITERATION_COUNT" value="100"/>
  <vault-option name="ENC_FILE_DIR" value="C:/Servers/jboss-eap-6.4/VAULT/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit

3) Store a new password:
Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:Pruebas
Enter Attribute Name:pass1
Secured attribute value has been stored in vault.
Please make note of the following:
********************************************
Vault Block:Pruebas
Attribute Name:pass1
Configuration should be done as follows:
VAULT::Pruebas::pass1::1
********************************************
Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit
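A check that goes with the steps above, as an added example (not part of the original post or of JBoss): it reports `<password>` elements in a server configuration file whose value is not a `${VAULT::block::attribute::n}` reference like the one printed by the tool. The function name and the sample XML are constructed, and it assumes one `<password>` element per line.

```sh
#!/bin/sh
# Added example: report <password> elements that are not vault references.
# Assumes one <password>...</password> element per line.

# find_plain_passwords FILE -> prints the line numbers of offending elements
# (never the value itself); returns 1 if any were found, 0 otherwise.
find_plain_passwords() {
    awk '
        match($0, /<password>[^<]*<\/password>/) {
            # 10 = length of the opening tag, 21 = both tags together
            value = substr($0, RSTART + 10, RLENGTH - 21)
            if (value !~ /^[$][{]VAULT::[^:}]+::[^:}]+::[^}]+[}]$/) {
                print "line " NR ": <password> is not a vault reference"
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample, modelled on two datasource <security> sections.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<security>
  <user-name>app</user-name>
  <password>${VAULT::Pruebas::pass1::1}</password>
</security>
<security>
  <user-name>reports</user-name>
  <password>changeit</password>
</security>
EOF
find_plain_passwords "$sample" || echo "plaintext password(s) found in $sample"
rm -f "$sample"
```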


The question here is how to use JBoss Vault outside JBoss. I mean, I have a JBoss Vault used by a JBoss Domain, and I also have a standalone Java application which needs to use encrypted passwords. By customer requirement, this application must use JBoss Vault to retrieve these password values.

In order to do that, you can use the following Java utility:
import java.util.HashMap;
import java.util.Map;

import org.jboss.security.vault.SecurityVault;
import org.jboss.security.vault.SecurityVaultException;
import org.jboss.security.vault.SecurityVaultFactory;
import org.jboss.security.vault.SecurityVaultUtil;
import org.picketbox.plugins.vault.PicketBoxSecurityVault;

public class Main {
    public static void main(final String[] args) throws SecurityVaultException {

        // Obtain the vault and initialize it if that has not been done yet.
        final SecurityVault vault = SecurityVaultFactory.get();
        if (!vault.isInitialized()) {
            // Same values as the <vault-option> entries printed by the Vault tool.
            final Map<String, Object> optionsInitVault = new HashMap<String, Object>();
            optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_URL, "C:/Servers/jboss-eap-6.4/VAULT/vault(123456).keystore");
            optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_PASSWORD, "MASK-AwOVVL6T7qb");
            optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_ALIAS, "jboss");
            optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_TYPE, "jceks");
            optionsInitVault.put(PicketBoxSecurityVault.SALT, "1234abcd");
            optionsInitVault.put(PicketBoxSecurityVault.ITERATION_COUNT, "100");
            optionsInitVault.put(PicketBoxSecurityVault.ENC_FILE_DIR, "C:/Servers/jboss-eap-6.4/VAULT/");
            vault.init(optionsInitVault);
        }

        // Reference string printed by the Vault tool when the attribute was stored.
        final String textoCifrado = "VAULT::Pruebas::pass1::1";
        if (!SecurityVaultUtil.isVaultFormat(textoCifrado)) {
            // Not a vault reference: a clear-text value was supplied.
            System.out.println("La cadena no está cifrada. Se ha introducido un valor en claro");
        }
        else {
            // Resolve the reference through the initialized vault.
            System.out.println(SecurityVaultUtil.getValueAsString(textoCifrado));
        }
    }
}

As you can see, the standalone application needs to know the parameters used to create the Vault, and it also needs access to the keystore and the data store file.

Maven dependencies, assuming JBoss EAP 6.4, are as follows:
<dependency>
 <groupId>org.picketbox</groupId>
 <artifactId>picketbox</artifactId>
 <version>4.1.1.Final</version>
</dependency>

<dependency>
 <groupId>org.jboss.logging</groupId>
 <artifactId>jboss-logging</artifactId>
 <version>3.1.4.GA</version>
</dependency>

Thursday, August 10, 2017

OpenSSL - Certificate and private key cheat sheet

We start with a PKCS12 file called sisifo.pfx, whose password is "1234".

A PKCS12 file contains:
  • Certificate
    • Certificate, information about the owner. If it is a certificate chain, it also contains information about the CAs.
    • Public key
  • Private key


Extract certificate and private key from a PKCS12 file (check here):
openssl pkcs12 -in sisifo.pfx -nocerts -out sisifo-key.pem -nodes
openssl rsa -in sisifo-key.pem -out sisifo.key

openssl pkcs12 -in sisifo.pfx -nokeys -out sisifo.cer


Merge certificate and private key files in a PKCS12 file (check here):
openssl pkcs12 -export -in sisifo.cer -inkey sisifo.key -name sisifo -out sisifo-2.pfx

If everything went fine, both files should be the same (or very similar ;)).
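Two PKCS12 files built from the same material are not byte-identical, because every export uses fresh random salts, so the comparison has to be made on their contents. The following added example (not from the original post; the function names are constructed) compares the certificate fingerprints and checks that each private key belongs to its certificate, reading the passwords from environment variables instead of the command line.

```sh
#!/bin/sh
# Added example: compare what two PKCS12 files contain, not their bytes.
# PASSVAR arguments are NAMES of exported environment variables that hold
# the file passwords, so the passwords never show up in the process list.

# pfx_cert_fp FILE PASSVAR -> SHA-256 fingerprint of the certificate.
pfx_cert_fp() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# pfx_key_matches_cert FILE PASSVAR -> 0 if the private key in FILE has the
# same public key as the certificate in FILE.
pfx_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin "env:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pfx_same_identity FILE1 PASSVAR1 FILE2 PASSVAR2 -> 0 if both files carry
# the same certificate and each private key matches it.
pfx_same_identity() {
    fp1=$(pfx_cert_fp "$1" "$2") || return 1
    fp2=$(pfx_cert_fp "$3" "$4") || return 1
    [ -n "$fp1" ] && [ "$fp1" = "$fp2" ] &&
        pfx_key_matches_cert "$1" "$2" &&
        pfx_key_matches_cert "$3" "$4"
}

# Usage with the files from this post (OLD_PASS and NEW_PASS are
# hypothetical variable names holding the two passwords):
#   export OLD_PASS NEW_PASS
#   pfx_same_identity sisifo.pfx OLD_PASS sisifo-2.pfx NEW_PASS && echo same
```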

Sunday, August 6, 2017

Tomcat Manager - Commands cheat sheet

Tomcat rest commands: https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands


First, you need to create a user with the manager-script role. The complete list of available roles can be found in $TOMCAT_HOME/webapps/manager/WEB-INF/web.xml:
  • manager-gui — Access to the HTML interface.
  • manager-status — Access to the "Server Status" page only.
  • manager-script — Access to the tools-friendly plain text interface that is described in this document, and to the "Server Status" page.
  • manager-jmx — Access to JMX proxy interface and to the "Server Status" page.

Then, you need to assign this role to a user. Users are configured in $TOMCAT_HOME/conf/tomcat-users.xml:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <role rolename="manager-jmx"/>
    
  <user username="admin"  password="admin"  roles="manager-gui"/>
  <user username="admins" password="admins" roles="manager-script"/>
</tomcat-users>

Finally, use the curl tool:
curl -u admins:admins http://localhost:8080/manager/text/serverinfo

curl -u admins:admins http://localhost:8080/manager/text/list

curl -u admins:admins "http://localhost:8080/manager/text/sessions?path=/examples"
curl -u admins:admins "http://localhost:8080/manager/text/start?path=/examples"
curl -u admins:admins "http://localhost:8080/manager/text/stop?path=/examples"
curl -u admins:admins "http://localhost:8080/manager/text/reload?path=/examples"
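
The text interface answers with a status line that starts with OK or FAIL, and the list command then returns one line per application in the form path:state:sessions:name. As an added example (not from the original post; the function name and the sample response are constructed), this filter checks the status line and reports which applications from a review list, such as the /examples application used above, are running.

```sh
#!/bin/sh
# Added example: review a /manager/text/list response.

# flag_running_apps PATH... < response
# Prints "path sessions" for every listed application that is running and
# whose context path is one of the arguments. Returns 2 if the response
# does not start with OK, 1 if anything was flagged, 0 otherwise.
flag_running_apps() {
    awk -v wanted="$*" -F: '
        BEGIN {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        { sub(/\r$/, "") }            # tolerate CRLF line endings
        NR == 1 {
            if ($0 ~ /^OK/) ok = 1
            else exit
            next
        }
        ($1 in want) && $2 == "running" { print $1, $3; hit = 1 }
        END {
            if (!ok) exit 2
            exit hit + 0
        }
    '
}

# Live use, with the URL and credentials from this post:
#   curl -s -u admins:admins http://localhost:8080/manager/text/list |
#       flag_running_apps /examples
#
# Constructed sample response:
flag_running_apps /examples /docs <<'EOF' || echo "review the applications listed above"
OK - Listed applications for virtual host localhost
/:running:0:ROOT
/examples:running:2:examples
/docs:stopped:0:docs
/manager:running:1:manager
EOF
```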