2:05 p.m.
Anil Saldhana [http://community.jboss.org/people/anil.saldhana] created the discussion
"Re: AS7: Sensitive Attributes Masking"
To view the discussion, visit: http://community.jboss.org/message/624130#624130
--------------------------------------------------------------
The security schema in AS7.1 has a new vault element that can be used to configure the
attribute vault. An offline tool is needed to interact with the vault to store the
attributes. The AS is supposed to be a read only customer of the vault.
The proposal is to create bin/vault.sh (vault.bat) to interact with the default
implementation of the vault.
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/624130#624130]
Start a new discussion in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4:25 p.m.
Anil Saldhana [http://community.jboss.org/people/anil.saldhana] created the discussion
"Re: AS7: Sensitive Attributes Masking"
To view the discussion, visit: http://community.jboss.org/message/627632#627632
--------------------------------------------------------------
**********************************
**** JBoss Vault ********
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2:
Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or
Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Password match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Please make note of the following:
********************************************
Masked Password:MASK-5WNXs8oEbrs
salt:12345678
Iteration Count:50
********************************************
Enter Keystore Alias:vault
Sep 20, 2011 4:23:40 PM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of
org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
0
Task: Store a password
Please enter attribute value:
Please enter attribute value again:
Password match
Enter Vault Block:messaging
Enter Attribute Name:pass
Attribute Value for (messaging, pass) saved
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
1
Task: Verify whether a password exists
Enter Vault Block:messaging
Enter Attribute Name:pass
A value exists for (messaging, pass)
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
2
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/627632#627632]
Start a new discussion in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&...]
3:28 a.m.
Dmitri Voronov [http://community.jboss.org/people/dimonv] created the discussion
"Re: AS7: Sensitive Attributes Masking"
To view the discussion, visit: http://community.jboss.org/message/642169#642169
--------------------------------------------------------------
Hi all,
I'm currently trying to apply vault for DataSource' password in JBoss AS
7.1.0.Beta1 as described in Wiki http://community.jboss.org/docs/DOC-17248
http://community.jboss.org/wiki/JBossAS7SecuringPasswords but doesn't work. I get
following exception:
10:23:41,265 ERROR [org.jboss.as.controller] (ServerService Thread Pool -- 47) JBAS014612:
Operation ("enable") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "java:jboss/jdbc/MSSQLDataSource-PROD")
]): java.lang.SecurityException: org.jboss.security.vault.SecurityVaultException: PB00027:
Vault Mismatch:Shared Key does not match for vault block:MSSQLDataSource and
attributeName:password
at
org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:98)
[jboss-as-server-7.1.0.Beta1.jar:]
at
org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)
[jboss-as-server-7.1.0.Beta1.jar:]
at
org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58)
[jboss-as-controller-7.1.0.Beta1.jar:]
...
My configuration:
I put vault configuration in standalone in the server scope:
| <vault> |
|
| | <vault-option name="KEYSTORE_URL"
value="C:/eplatform/jboss/AS-7.0/standalone/configuration/vault.keystore"/>
|
| | <vault-option name="KEYSTORE_PASSWORD"
value="MASK-8mj0bd6g0iq"/> |
| | <vault-option name="KEYSTORE_ALIAS" value="vault"/> |
| | <vault-option name="SALT" value="12345678"/> |
| | <vault-option name="ITERATION_COUNT" value="42"/> |
| | <vault-option name="ENC_FILE_DIR"
value="C:/eplatform/jboss/AS-7.0/standalone/data/"/> |
| </vault> |
|
and the DataSource' password value:
| <password> |
|
| |
${VAULT::MSSQLDataSource::password::MmUxNzU1MjgtYWM1Mi00MzZmLThlZTctZGIxNzE4ZGQ3ZWZlTElORV9CUkVBS3ZhdWx0}
|
| </password> |
|
Thanks and regards
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/642169#642169]
Start a new discussion in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4:35 a.m.
Dmitri Voronov [http://community.jboss.org/people/dimonv] created the discussion
"Re: AS7: Sensitive Attributes Masking"
To view the discussion, visit: http://community.jboss.org/message/642415#642415
--------------------------------------------------------------
Hi,
I found out the origin: I had to complete the expression for password with semicolon (;)
But now I have another issue. At the moment I put <vault> config into server scope.
...
</extensions>
<vault>
...
</vault>
<management>
...
The server starts up, vault is initialized and the DS password is decrypted; everything
works. But JBoss configuration is dumped back to standalone.xml and <vault>
disappears:
<vault/>
Where shell I put <vault> configuration?
Thanks
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/642415#642415]
Start a new discussion in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4702
days inactive
4813
days old
jboss-dev-forums@lists.jboss.org
3 comments
2 participants
participants (2)
-
Anil Saldhana -
Dmitri Voronov