When working with JBoss, you can configure your Vault with a tool that is also provided, and then you only need to reference a set of configuration options from the standalone.xml/domain.xml files. After that, you can store new passwords in the Vault, each of them referenced by a string in the format "VAULT::XXXX::YYYY::n". Any time you need to use these passwords you can place the references in JBoss config files (with ${}) or inside your EAR/WARs and decrypt them manually with SecurityVault. JBoss uses PicketBox to encrypt/decrypt these passwords.
When you configure the JBoss Vault you begin with a keystore file, specify some configuration values, and obtain a store data file. All of this is then referenced in JBoss by an XML snippet, as described in the development guide.
Here are the steps to create the keystore, configure the Vault, and store a new password in it:
1) Create the keystore:
keytool -genseckey -alias jboss -storetype jceks -keyalg AES -keysize 128 -storepass 123456 -keypass 123456 -validity 999 -keystore vault(123456).keystore
2) Configure the Vault:
    Please enter a Digit::
        0: Start Interactive Session
        1: Remove Interactive Session
        2: Exit
    0
    Starting an interactive session
    Enter directory to store encrypted files:C:/Servers/jboss-eap-6.4/VAULT/
    Enter Keystore URL:C:/Servers/jboss-eap-6.4/VAULT/vault(123456).keystore
    Enter Keystore password:
    Enter Keystore password again:
    Values match
    Enter 8 character salt:1234abcd
    Enter iteration count as a number (Eg: 44):100
    Enter Keystore Alias:jboss
    Initializing Vault
    ago 11, 2017 12:56:53 PM org.jboss.security.vault.SecurityVaultFactory secondVaultInfo
    WARN: PBOX000378: Attempt to create the second Security Vault [org.picketbox.plugins.vault.PicketBoxSecurityVault] is invalid. Only one Security Vault is supported. Change your configuration, please.
    ago 11, 2017 12:56:53 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
    INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
    Vault Configuration in configuration file:
    ********************************************
    ...
    </extensions>
    <vault>
      <vault-option name="KEYSTORE_URL" value="C:/Servers/jboss-eap-6.4/VAULT/vault(123456).keystore"/>
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-AwOVVL6T7qb"/>
      <vault-option name="KEYSTORE_ALIAS" value="jboss"/>
      <vault-option name="SALT" value="1234abcd"/>
      <vault-option name="ITERATION_COUNT" value="100"/>
      <vault-option name="ENC_FILE_DIR" value="C:/Servers/jboss-eap-6.4/VAULT/"/>
    </vault><management> ...
    ********************************************
    Vault is initialized and ready for use
    Handshake with Vault complete
    Please enter a Digit::
        0: Store a secured attribute
        1: Check whether a secured attribute exists
        2: Remove secured attribute
        3: Exit
3) Store a new password:
    Please enter a Digit::
        0: Store a secured attribute
        1: Check whether a secured attribute exists
        2: Remove secured attribute
        3: Exit
    0
    Task: Store a secured attribute
    Please enter secured attribute value (such as password):
    Please enter secured attribute value (such as password) again:
    Values match
    Enter Vault Block:Pruebas
    Enter Attribute Name:pass1
    Secured attribute value has been stored in vault.
    Please make note of the following:
    ********************************************
    Vault Block:Pruebas
    Attribute Name:pass1
    Configuration should be done as follows:
    VAULT::Pruebas::pass1::1
    ********************************************
    Please enter a Digit::
        0: Store a secured attribute
        1: Check whether a secured attribute exists
        2: Remove secured attribute
        3: Exit
The question here is how to use JBoss Vault outside JBoss. I mean, I have a JBoss Vault used by a JBoss Domain, and I also have a standalone Java application which needs to use encrypted passwords. By customer requirements, this application must use JBoss Vault in order to retrieve these password values.
In order to do that, you can use the following Java utility:
    import java.util.HashMap;
    import java.util.Map;
    import org.jboss.security.vault.SecurityVault;
    import org.jboss.security.vault.SecurityVaultException;
    import org.jboss.security.vault.SecurityVaultFactory;
    import org.jboss.security.vault.SecurityVaultUtil;
    import org.picketbox.plugins.vault.PicketBoxSecurityVault;

    public class Main {
        public static void main(final String[] args) throws SecurityVaultException {
            // SecurityVaultFactory hands out the single vault instance of this JVM
            final SecurityVault vault = SecurityVaultFactory.get();
            if (!vault.isInitialized()) {
                // Same parameters the vault tool wrote into the <vault> section of standalone.xml
                final Map<String, Object> optionsInitVault = new HashMap<String, Object>();
                optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_URL, "C:/Servers/jboss-eap-6.4/VAULT/vault(123456).keystore");
                optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_PASSWORD, "MASK-AwOVVL6T7qb");
                optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_ALIAS, "jboss");
                optionsInitVault.put(PicketBoxSecurityVault.KEYSTORE_TYPE, "jceks");
                optionsInitVault.put(PicketBoxSecurityVault.SALT, "1234abcd");
                optionsInitVault.put(PicketBoxSecurityVault.ITERATION_COUNT, "100");
                optionsInitVault.put(PicketBoxSecurityVault.ENC_FILE_DIR, "C:/Servers/jboss-eap-6.4/VAULT/");
                vault.init(optionsInitVault);
            }
            // Reference obtained in step 3: VAULT::<block>::<attribute>::<n>
            final String textoCifrado = "VAULT::Pruebas::pass1::1";
            if (!SecurityVaultUtil.isVaultFormat(textoCifrado)) {
                // Not a vault reference: the value was given in clear text
                System.out.println("La cadena no está cifrada. Se ha introducido un valor en claro");
            } else {
                // Ask the vault to decrypt the referenced attribute
                System.out.println(SecurityVaultUtil.getValueAsString(textoCifrado));
            }
        }
    }
As you can see, the standalone application needs to know the parameters used to create the Vault, and also needs access to the keystore and the data store file.
Maven dependencies, assuming JBoss EAP 6.4, are as follows:
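As an added example (not code from the original post), here is a small utility that generalises the snippet above: it reads the vault options from an external vault.properties file (a hypothetical name, whose keys are the same option names as the <vault-option> elements in standalone.xml) instead of hardcoding them, and then resolves every VAULT:: reference found in the application's own properties file, leaving clear-text values untouched.

```java
import java.io.FileInputStream;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.jboss.security.vault.SecurityVault;
import org.jboss.security.vault.SecurityVaultException;
import org.jboss.security.vault.SecurityVaultFactory;
import org.jboss.security.vault.SecurityVaultUtil;
import org.picketbox.plugins.vault.PicketBoxSecurityVault;

public class VaultPropertiesResolver {
    private static final String[] VAULT_OPTIONS = {
        PicketBoxSecurityVault.KEYSTORE_URL, PicketBoxSecurityVault.KEYSTORE_PASSWORD,
        PicketBoxSecurityVault.KEYSTORE_ALIAS, PicketBoxSecurityVault.KEYSTORE_TYPE,
        PicketBoxSecurityVault.SALT, PicketBoxSecurityVault.ITERATION_COUNT,
        PicketBoxSecurityVault.ENC_FILE_DIR };

    // Initialise the single PicketBox vault of this JVM from externally supplied
    // options (vault.properties, a hypothetical file), failing fast on a missing one.
    static void initVault(Properties vaultProps) throws SecurityVaultException {
        SecurityVault vault = SecurityVaultFactory.get();
        if (vault.isInitialized()) return;   // only one vault per JVM; init it once
        Map<String, Object> options = new HashMap<String, Object>();
        for (String key : VAULT_OPTIONS) {
            String value = vaultProps.getProperty(key);
            if (value == null) throw new IllegalArgumentException("missing vault option: " + key);
            options.put(key, value);
        }
        vault.init(options);
    }
    // Returns a copy of props in which every VAULT::block::attribute::n reference is
    // replaced by its decrypted value; clear-text values pass through unchanged.
    static Properties resolve(Properties props) throws SecurityVaultException {
        Properties resolved = new Properties();
        for (String name : props.stringPropertyNames()) {
            String raw = props.getProperty(name);
            resolved.setProperty(name, SecurityVaultUtil.isVaultFormat(raw)
                    ? SecurityVaultUtil.getValueAsString(raw) : raw);
        }
        return resolved;
    }
    public static void main(String[] args) throws Exception {
        Properties vaultProps = new Properties(), appProps = new Properties();
        vaultProps.load(new FileInputStream(args[0]));
        appProps.load(new FileInputStream(args[1]));
        initVault(vaultProps);
        // Print only the keys: never log the decrypted secrets themselves
        System.out.println("resolved: " + resolve(appProps).stringPropertyNames());
    }
}
```

Run it as java VaultPropertiesResolver vault.properties app.properties. The MASK- value in vault.properties is only an obfuscation of the keystore password tied to SALT and ITERATION_COUNT, so that file must be protected as strictly as the keystore and the vault data file.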
    <dependency>
        <groupId>org.picketbox</groupId>
        <artifactId>picketbox</artifactId>
        <version>4.1.1.Final</version>
    </dependency>
    <dependency>
        <groupId>org.jboss.logging</groupId>
        <artifactId>jboss-logging</artifactId>
        <version>3.1.4.GA</version>
    </dependency>