[jboss-dev-forums] [JBoss AS 7 Development] - JBoss AS7 Securing Passwords

Anil Saldhana do-not-reply at jboss.com
Mon Mar 26 14:06:48 EDT 2012


Anil Saldhana [https://community.jboss.org/people/anil.saldhana] modified the document:

"JBoss AS7 Securing Passwords"

To view the document, visit: https://community.jboss.org/docs/DOC-17248

--------------------------------------------------------------
This article will describe the capabilities available in JBoss AS7.1 with regard to securing sensitive attributes such as passwords.


For the Windows platform, refer to https://community.jboss.org/docs/DOC-17763 (https://community.jboss.org/wiki/AS7PasswordVaultOnWindows).

* What is needed?
* Process
** Step 1: Create a Java KeyStore
** Step 2: Use the Vault Tool scripts to store a password in the vault
** Step 3: Configure the attributes in your xml such as standalone.xml and host.xml
* Guidance for subsystems seeking passwords in AS7
* Frequently Asked Questions:
** How secure is this?
** Can I really secure the keystore?
** I lost the vault formatted string for my attribute?
** Can I do all this from the UI?
** Show me how to do this on Windows.
** Please give me an example.



h2. What is needed?
1. Java KeyStore.
2. Scripts provided in the bin directory of JBoss AS 7.1 (vault.sh etc.)

h2. Process

h3. Step 1: Create a Java KeyStore

$ keytool -genkey -alias vault -keyalg RSA -keysize 1024  -keystore vault.keystore
Enter keystore password: vault22 
Re-enter new password:vault22 
What is your first and last name?
  [Unknown]:  Picketbox vault
What is the name of your organizational unit?
  [Unknown]:  picketbox
What is the name of your organization?
  [Unknown]:  JBoss
What is the name of your City or Locality?
  [Unknown]:  chicago
What is the name of your State or Province?
  [Unknown]:  il
What is the two-letter country code for this unit?
  [Unknown]:  us
Is CN=Picketbox vault, OU=picketbox, O=JBoss, L=chicago, ST=il, C=us correct?
  [no]:  yes

Enter key password for <vault>
        (RETURN if same as keystore password):  



It is important to keep track of the keystore password and the alias.  In this example, the keystore password is "vault22" and the alias is "vault".

h3. Step 2: Use the Vault Tool scripts to store a password in the vault

/bin/util$ ./vault.sh 
=========================================================================

  JBoss Vault

  JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT

  JAVA: /opt/java/jdk1.6.0_23/bin/java

  VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/as/security/main/*
=========================================================================

**********************************
****  JBoss Vault ********
**********************************
Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password: 
Enter Keystore password again: 
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50

Please make note of the following:
********************************************
Masked Password:MASK-5WNXs8oEbrs
salt:12345678
Iteration Count:50
********************************************

Enter Keystore Alias:vault
Sep 28, 2011 11:48:39 AM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
0
Task:  Store a password
Please enter attribute value: 
Please enter attribute value again: 
Values match
Enter Vault Block:ds_ExampleDS
Enter Attribute Name:password
Attribute Value for (ds_ExampleDS, password) saved

Please make note of the following:
********************************************
Vault Block:ds_ExampleDS
Attribute Name:password
Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
Configuration should be done as follows:
VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
********************************************

Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
2



h3. Step 3: Configure the attributes in your xml such as standalone.xml and host.xml

<server xmlns="urn:jboss:domain:1.1">
  <extensions>
    ...
  </extensions>
  <vault>
    <vault-option name="KEYSTORE_URL" value="/home/anil/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
  </vault>
  ...
  <subsystem xmlns="urn:jboss:domain:datasources:1.0">
    <datasources>
      <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
        <driver>h2</driver>
        <pool></pool>
        <security>
          <user-name>sa</user-name>
          <password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password>
        </security>
      </datasource>
      <drivers>
        <driver name="h2" module="com.h2database.h2">
          <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
        </driver>
      </drivers>
    </datasources>
  </subsystem>

The KEYSTORE_PASSWORD, SALT and ITERATION_COUNT values must be exactly the ones the vault tool printed in Step 2: the masked keystore password can only be unmasked with the same salt and iteration count.




Note that previously, the datasource password would have been stored in the clear:

<security>
    <user-name>sa</user-name>
    <password>sa</password>
</security>

h2. Guidance for subsystems seeking passwords in AS7

The server module in the JBoss AS7 workspace has a class called VaultUtil which has methods that let you pass the vault formatted string and seamlessly get the password from the vault.


I am posting the integration done in org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.
Note: do not seek the password from the vault during the XML parsing phase, because the vault has not been initialized yet. It has to be done in the services phase, when you actually do something with the configured elements of your subsystem.

In the case of JCA datasource integration, we do it in AbstractDataSourceService:

import org.jboss.as.server.services.security.VaultUtil;
import org.jboss.security.vault.SecurityVaultException;

// Runs in the services phase, after the vault has been initialized.
final DsSecurity security = dataSourceConfig.getSecurity();
if (security != null) {
    if (security.getUserName() != null) {
        managedConnectionFactory.setUserName(security.getUserName());
    }
    if (security.getPassword() != null) {
        String password = security.getPassword();
        // Only values prefixed with VAULT:: are sent to the vault;
        // a plain password is passed through unchanged.
        if (VaultUtil.isVaultFormat(password)) {
            try {
                password = VaultUtil.getValueAsString(password);
            } catch (SecurityVaultException e) {
                throw new RuntimeException(e); // TODO: use bundle from IJ
            }
        }
        managedConnectionFactory.setPassword(password);
    }
}
 


We do not want to make the configuration of the vault formatted string very difficult. As long as the formatted string is prefixed with VAULT::, the vault will be invoked. Custom implementations of the vault should consider the last token for any configuration.

If you are using the AttributeDefinition classes, the vaulted expression will be automatically resolved when calling AttributeDefinition.resolveModelAttribute(). If you are not using AttributeDefinition, you need to call OperationContext.resolveExpressions() yourself, as in this example from DataSourceModelNodeUtil:

...
final String password = getResolvedStringIfSetOrGetDefault(operationContext, dataSourceNode, PASSWORD, null);
...

private static String getResolvedStringIfSetOrGetDefault(final OperationContext context, final ModelNode dataSourceNode, final SimpleAttributeDefinition key, final String defaultValue) {
    if (dataSourceNode.hasDefined(key.getName())) {
        return context.resolveExpressions(dataSourceNode.get(key.getName())).asString();
    } else {
        return defaultValue;
    }
}
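As an added example (not part of the article or of the JBoss code base), the following Python script applies the rules above to a standalone.xml: every datasource password must be a VAULT:: formatted string, and the vault options must carry the masked password, 8 character salt and numeric iteration count that the vault tool prints. The XML is a constructed excerpt built from the article's values; the LegacyDS datasource is made up for the example. It also decodes the last token of the article's formatted string, which shows that the default PicketBox vault stores a key name and the keystore alias there rather than secret material.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed standalone.xml excerpt: the vault options and vaulted ExampleDS
# password from the article, plus a made-up LegacyDS whose password was never vaulted.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.1">
  <vault>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/><vault-option name="ITERATION_COUNT" value="50"/>
  </vault>
  <subsystem xmlns="urn:jboss:domain:datasources:1.0"><datasources>
    <datasource jndi-name="java:jboss/datasources/ExampleDS"><security>
      <password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password>
    </security></datasource>
    <datasource jndi-name="java:jboss/datasources/LegacyDS"><security>
      <password>sa</password></security></datasource>
  </datasources></subsystem></server>"""

def parse_vault_expression(value):
    """Return (block, attribute, decoded shared key) for a vault formatted
    string, or None if the value does not carry the VAULT:: prefix."""
    raw = value.strip().strip("${}")  # the ${...} expression wrapper is optional
    if not raw.startswith("VAULT::"):
        return None
    tokens = raw.split("::")
    if len(tokens) != 4:
        raise ValueError("expected VAULT::<block>::<attribute>::<sharedKey>: %r" % raw)
    # The last token is the one a custom vault interprets; the default
    # PicketBox vault emits base64 text here, so decode it for inspection.
    decoded = base64.b64decode(tokens[3]).decode("ascii", "replace")
    return tokens[1], tokens[2], decoded

def audit(xml_text):
    """List (location, finding) pairs: datasource passwords still in the clear
    and <vault> options that the vault tool would not have produced."""
    findings, options = [], {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.split("}")[-1]  # drop the {namespace} prefix ElementTree adds
        if name == "vault-option":
            options[el.get("name")] = el.get("value", "")
        elif name == "datasource":
            pw = next((c.text or "" for c in el.iter() if c.tag.split("}")[-1] == "password"), "")
            if pw and parse_vault_expression(pw) is None:
                findings.append((el.get("jndi-name"), "password stored in the clear"))
    if not options.get("KEYSTORE_PASSWORD", "").startswith("MASK-"):
        findings.append(("vault", "KEYSTORE_PASSWORD is not a MASK- value"))
    if len(options.get("SALT", "")) != 8 or not options.get("ITERATION_COUNT", "").isdigit():
        findings.append(("vault", "SALT must be 8 characters and ITERATION_COUNT a number"))
    return findings
```

Calling audit(SAMPLE_XML) reports only the LegacyDS password; to check a real server, read your standalone.xml or host.xml into the string instead.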
h2. Frequently Asked Questions:

h5. How secure is this?
* The default implementation of the vault utilizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity.
* Ideally, robust 3rd party ISV implementations of Vaults should provide the necessary security.

h5. Can I really secure the keystore?
* You can store the keystore on a USB drive, an encrypted secure USB drive or similar.
* When the server starts, insert the USB. On successful start, you can remove the USB.

h5. I lost the vault formatted string for my attribute?
* Just reinsert the attribute value in the vault to overwrite what was previously stored. You will get a new formatted string to insert in the xml.

h5. Can I do all this from the UI?
* Hopefully with time, we can get this integrated into the console.

h5. Show me how to do this on Windows.
* https://community.jboss.org/docs/DOC-17763 (https://community.jboss.org/wiki/AS7PasswordVaultOnWindows)

h5. Please give me an example.
* https://community.jboss.org/docs/DOC-17472 (https://community.jboss.org/wiki/AS7UtilisingMaskedPasswordsViaTheVault)
* https://community.jboss.org/docs/DOC-17503
--------------------------------------------------------------
