<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBoss AS7 Securing Passwords
</h3>
<span style="margin-bottom: 10px;">
created by <a href="http://community.jboss.org/people/anil.saldhana">Anil Saldhana</a> in <i>JBoss AS7 Development</i> - <a href="http://community.jboss.org/docs/DOC-17248">View the full document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>This article will describe the capabilities available in JBoss AS7.1 (in development) with regard to securing sensitive attributes such as passwords.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h2>What is needed?</h2><ol><li style="text-align: start;"><p>Java KeyStore.</p></li><li style="text-align: start;">Scripts provided in the bin/util directory of JBoss AS 7 .1 (vault.sh etc)</li></ol><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h2 style="text-align: start;"></h2><h2 style="text-align: start;">Process</h2><h3 style="text-align: start;"></h3><h3 style="text-align: start;">Step 1:  Create a Java KeyStore</h3><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">$ keytool -genkey -alias vault -keyalg RSA -keysize 1024  -keystore vault.keystore
Enter keystore password: vault22
Re-enter new password:vault22
What is your first and last name?
  [Unknown]:  Picketbox vault
What is the name of your organizational unit?
  [Unknown]:  picketbox
What is the name of your organization?
  [Unknown]:  JBoss
What is the name of your City or Locality?
  [Unknown]:  chicago
What is the name of your State or Province?
  [Unknown]:  il
What is the two-letter country code for this unit?
  [Unknown]:  us
Is CN=Picketbox vault, OU=picketbox, O=JBoss, L=chicago, ST=il, C=us correct?
  [no]:  yes
Enter key password for <vault>
        (RETURN if same as keystore password): 
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>It is important to keep track of the keystore password and the alias.  In this example, the keystore password is "vault22" and the alias is "vault".</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h3 style="text-align: start;">Step 2: Use the Vault Tool scripts to store a password in the vault</h3><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">/bin/util$ ./vault.sh
=========================================================================
  JBoss Vault
  JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT
  JAVA: /opt/java/jdk1.6.0_23/bin/java
  VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/as/security/main/*
=========================================================================
**********************************
****  JBoss Vault ********
**********************************
Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Please make note of the following:
********************************************
Masked Password:MASK-5WNXs8oEbrs
salt:12345678
Iteration Count:50
********************************************
Enter Keystore Alias:vault
Sep 28, 2011 11:48:39 AM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
0
Task:  Store a password
Please enter attribute value:
Please enter attribute value again:
Values match
Enter Vault Block:ds_ExampleDS
Enter Attribute Name:password
Attribute Value for (ds_ExampleDS, password) saved
Please make note of the following:
********************************************
Vault Block:ds_ExampleDS
Attribute Name:password
Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
Configuration should be done as follows:
VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
********************************************
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
2
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h3>Step 3:   Configure the attributes in your xml such as standalone.xml and host.xml</h3><h3></h3><pre class="jive-pre"><code class="jive-code"><server xmlns="urn:jboss:domain:1.1">
  <extensions>
     ...
  </extensions>
  <vault>
      <vault-option name="KEYSTORE_URL" value="/home/anil/vault/vault.keystore"/>
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
      <vault-option name="KEYSTORE_ALIAS" value="vault"/>
      <vault-option name="SALT" value="12438567"/>
      <vault-option name="ITERATION_COUNT" value="50"/>
      <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
    </vault>
   ...
  <subsystem xmlns="urn:jboss:domain:datasources:1.0">
            <datasources>
                <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
                    <driver>h2</driver>
                    <pool></pool>
                    <security>
                        <user-name>sa</user-name>
                        <password>VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0</password>
                    </security>
                </datasource>
                <drivers>
                    <driver name="h2" module="com.h2database.h2">
                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                    </driver>
                </drivers>
            </datasources>
        </subsystem>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="text-align: start;">Note previously, the datasource password would have been:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code"> <security>
     <user-name>sa</user-name>
    <password>sa</password>
</security></code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h2></h2><h5>Frequently Asked Questions:</h5><ul><li style="text-align: start;"><h5>How secure is this?</h5><ul><li style="text-align: start;">The default implementation of the vault utlizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity.</li><li style="text-align: start;">Ideally, 3rd party ISV robust implementations of Vaults should provide the necessary security.</li></ul></li><li style="text-align: start;"><h5>Can I really secure the keystore?</h5><ul><li style="text-align: start;"><p>You can store the keystore on an USB or an encrypted secure usb or such. </p></li><li style="text-align: start;"><p>When the server starts, insert the USB. On successful start, you can remove the USB.</p></li></ul></li><li style="text-align: start;"><h5>I lost the vault formatted string for my attribute?</h5><ul><li style="text-align: start;"><p>Just reinsert the attribute value in the vault to overrwrite what was previously stored. You will get a new formatted string to insert in the xml.</p></li></ul></li><li style="text-align: start;"><h5>Can I do all this from the UI?</h5><ul><li style="text-align: start;">Hopefully with time, we can get this integrated into the console.</li></ul></li></ul></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Comment by <a href="http://community.jboss.org/docs/DOC-17248">going to Community</a></p>
<p style="margin: 0;">Create a new document in JBoss AS7 Development at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=102&containerType=14&container=2225">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>