[JBoss AS7 Development] - JBoss AS7 Securing Passwords
by Kabir Khan
Kabir Khan [http://community.jboss.org/people/kabirkhan] modified the document:
"JBoss AS7 Securing Passwords"
To view the document, visit: http://community.jboss.org/docs/DOC-17248
--------------------------------------------------------------
This article describes the capabilities available in JBoss AS 7.1 (in development) for securing sensitive configuration attributes such as passwords, so that they no longer sit in clear text in standalone.xml or host.xml.
h2. What is needed?
1. A Java KeyStore.
2. The scripts provided in the bin/util directory of JBoss AS 7.1 (vault.sh etc.)
h2. Process
h3. Step 1: Create a Java KeyStore
$ keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore vault.keystore
Enter keystore password: vault22
Re-enter new password:vault22
What is your first and last name?
[Unknown]: Picketbox vault
What is the name of your organizational unit?
[Unknown]: picketbox
What is the name of your organization?
[Unknown]: JBoss
What is the name of your City or Locality?
[Unknown]: chicago
What is the name of your State or Province?
[Unknown]: il
What is the two-letter country code for this unit?
[Unknown]: us
Is CN=Picketbox vault, OU=picketbox, O=JBoss, L=chicago, ST=il, C=us correct?
[no]: yes
Enter key password for <vault>
(RETURN if same as keystore password):
Keep track of the keystore password and the alias; both are needed again in Step 2 and Step 3. In this example the keystore password is "vault22" and the alias is "vault". Two cautions for anything beyond a test setup: the 1024-bit RSA key generated above is below today's accepted minimum, so use -keysize 2048 or larger, and restrict the keystore file to the server's user (for example chmod 600 vault.keystore), because the vault's protection is only as good as the protection of this file.
h3. Step 2: Use the Vault Tool scripts to store a password in the vault
/bin/util$ ./vault.sh
=========================================================================
JBoss Vault
JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT
JAVA: /opt/java/jdk1.6.0_23/bin/java
VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/as/security/main/*
=========================================================================
**********************************
**** JBoss Vault ********
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Please make note of the following:
********************************************
Masked Password:MASK-5WNXs8oEbrs
salt:12345678
Iteration Count:50
********************************************
Enter Keystore Alias:vault
Sep 28, 2011 11:48:39 AM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
0
Task: Store a password
Please enter attribute value:
Please enter attribute value again:
Values match
Enter Vault Block:ds_ExampleDS
Enter Attribute Name:password
Attribute Value for (ds_ExampleDS, password) saved
Please make note of the following:
********************************************
Vault Block:ds_ExampleDS
Attribute Name:password
Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
Configuration should be done as follows:
VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
********************************************
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
2
h3. Step 3: Configure the attributes in your XML, such as standalone.xml or host.xml

Copy the Masked Password, salt and Iteration Count that the vault tool printed in Step 2 into the vault-option entries (they must match exactly, otherwise the server cannot unmask the keystore password), and put the VAULT::... string into the attribute you want to protect. The values below are the ones produced above:

<server xmlns="urn:jboss:domain:1.1">
    <extensions>
        ...
    </extensions>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/home/anil/vault/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
    </vault>
    ...
    <subsystem xmlns="urn:jboss:domain:datasources:1.0">
        <datasources>
            <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
                <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
                <driver>h2</driver>
                <pool></pool>
                <security>
                    <user-name>sa</user-name>
                    <password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password>
                </security>
            </datasource>
            <drivers>
                <driver name="h2" module="com.h2database.h2">
                    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                </driver>
            </drivers>
        </datasources>
    </subsystem>
For comparison, before vaulting the same datasource carried the password in clear text:

    <security>
        <user-name>sa</user-name>
        <password>sa</password>
    </security>
h2. Guidance for subsystems seeking passwords in AS7
The server module in the JBoss AS7 workspace has a class called VaultUtil with methods that take a vault-formatted string and return the password from the vault.
Below is the integration done in org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.
Do not resolve the password from the vault during the XML parsing phase: the vault has not been initialized yet at that point. Resolve it in the services phase, when the configured elements of your subsystem are actually used.
In the case of the JCA datasource integration, this is done in AbstractDataSourceService:
import org.jboss.as.server.services.security.VaultUtil;
import org.jboss.security.vault.SecurityVaultException;

final DsSecurity security = dataSourceConfig.getSecurity();
if (security != null) {
    if (security.getUserName() != null) {
        managedConnectionFactory.setUserName(security.getUserName());
    }
    if (security.getPassword() != null) {
        String password = security.getPassword();
        // Only values carrying the VAULT:: prefix are looked up; anything else is used as-is.
        if (VaultUtil.isVaultFormat(password)) {
            try {
                password = VaultUtil.getValueAsString(password);
            } catch (SecurityVaultException e) {
                throw new RuntimeException(e); // TODO: use bundle from IJ
            }
        }
        managedConnectionFactory.setPassword(password);
    }
}
Configuring the vault-formatted string should not be difficult for users. As long as the string is prefixed with VAULT::, the vault is invoked; the full form is VAULT::<vault block>::<attribute name>::<shared key>, and everything after the prefix is handed to the vault implementation. Custom vault implementations should treat the last token (the shared key) as theirs to interpret.
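The following script is an added example; it is not part of the original article or of JBoss AS. It serves two passages above: the check a reviewer wants after Step 3 (is every password in standalone.xml now a vault reference, and do the vault-option values have the shape the vault tool printed in Step 2?), and the prefix-only test from the VaultUtil guidance (its is_vault_format() mirrors VaultUtil.isVaultFormat(): only the VAULT:: prefix is examined, the remainder is left to the vault implementation). The embedded sample configuration is constructed from the page's Step 3 fragment plus an invented second datasource, ReportsDS, that is still in clear text. For each valid reference it also base64-decodes the shared-key token, which sits in the clear in the XML anyway, to show what it actually contains.

```python
"""Audit a JBoss AS 7.1 standalone.xml/host.xml for cleartext passwords and malformed VAULT:: refs. Added example."""
import base64
import binascii
import re
import sys
import xml.etree.ElementTree as ET

# Form the vault tool prints for Step 3: ${VAULT::<block>::<attribute>::<shared key>}
VAULT_REF = re.compile(r"^\$\{VAULT::([^:}]+)::([^:}]+)::([^}]+)\}$")

# Constructed sample: the page's <vault> block and vaulted ExampleDS, plus a second,
# still-cleartext datasource (ReportsDS, invented here) that the audit must flag.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.1">
  <vault>
    <vault-option name="KEYSTORE_URL" value="/home/anil/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
  </vault>
  <subsystem xmlns="urn:jboss:domain:datasources:1.0">
    <datasources>
      <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="H2DS">
        <security><user-name>sa</user-name>
          <password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password>
        </security>
      </datasource>
      <datasource jndi-name="java:jboss/datasources/ReportsDS" pool-name="ReportsDS">
        <security><user-name>reports</user-name><password>s3cret</password></security>
      </datasource>
    </datasources>
  </subsystem>
</server>
"""

def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def is_vault_format(value):
    """Mirror of VaultUtil.isVaultFormat(): only the VAULT:: prefix is examined."""
    return value.strip().lstrip("${").startswith("VAULT::")

def parse_vault_ref(value):
    """Return (block, attribute, shared_key), or None if the reference is malformed."""
    m = VAULT_REF.match(value.strip())
    try:
        base64.b64decode(m.group(3), validate=True)  # the shared key must at least be base64
    except (AttributeError, binascii.Error, ValueError):  # AttributeError: no regex match
        return None
    return m.groups()

def _check_vault_options(root, findings):
    opts = {o.get("name"): o.get("value", "") for v in root.iter() if local(v.tag) == "vault"
            for o in v if local(o.tag) == "vault-option"}
    # SALT and ITERATION_COUNT must be exactly what vault.sh printed, or the server
    # cannot unmask KEYSTORE_PASSWORD and no VAULT:: reference will resolve.
    checks = [("KEYSTORE_PASSWORD", opts.get("KEYSTORE_PASSWORD", "").startswith("MASK-"), "not masked"),
              ("SALT", len(opts.get("SALT", "")) == 8, "must be exactly 8 characters"),
              ("ITERATION_COUNT", opts.get("ITERATION_COUNT", "").isdigit(), "must be an integer"),
              ("ENC_FILE_DIR", opts.get("ENC_FILE_DIR", "").endswith(("/", "\\")), "must end with / or \\")]
    for name, ok, msg in checks:
        if not ok:
            findings.append(("HIGH", "vault/" + name, msg))

def _check_secret(value, path, findings):
    if not is_vault_format(value):
        return findings.append(("HIGH", path, "cleartext password: store it in the vault"))
    ref = parse_vault_ref(value)
    if ref is None:
        return findings.append(("HIGH", path, "malformed vault reference"))
    # The shared-key token sits in clear text in this file, so it is not a secret; for the
    # page's own value it decodes to "<uuid>LINE_BREAK<keystore alias>".
    decoded = base64.b64decode(ref[2]).decode("utf-8", "replace")
    findings.append(("INFO", path, "vault ref %s/%s; shared key decodes to %r" % (ref[0], ref[1], decoded)))

def _walk(elem, path, findings):
    name = next((elem.attrib[k] for k in ("name", "pool-name") if k in elem.attrib), None)
    path = "%s/%s%s" % (path, local(elem.tag), "[%s]" % name if name else "")
    if local(elem.tag) == "password" and (elem.text or "").strip():
        _check_secret(elem.text.strip(), path, findings)
    for attr, val in elem.attrib.items():  # e.g. password="..." attributes in other subsystems
        if "password" in attr.lower():
            _check_secret(val, path + "/@" + attr, findings)
    for child in elem:
        _walk(child, path, findings)

def audit(xml_text):
    """Return a list of (severity, location, message) tuples for one config file."""
    root, findings = ET.fromstring(xml_text), []
    _check_vault_options(root, findings)
    _walk(root, "", findings)
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STANDALONE_XML
    results = audit(text)
    for sev, where, msg in results:
        print("%-4s %s: %s" % (sev, where, msg))
    sys.exit(1 if any(sev == "HIGH" for sev, _, _ in results) else 0)
```

Run it as `python vault_audit.py standalone.xml` (the file name is an assumption); it exits non-zero while any HIGH finding remains, which makes it usable as a pre-deployment gate. The INFO line for ExampleDS is worth reading once: the shared-key token in the page's reference decodes to a UUID, the literal LINE_BREAK and the keystore alias, so it adds no secrecy of its own; the protection rests entirely on the keystore file and the masked keystore password.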
h2. Frequently Asked Questions

h5. How secure is this?
* The default implementation of the vault utilizes a Java KeyStore. The keystore password itself is only masked with Password Based Encryption, and the salt and iteration count needed to unmask it sit next to it in the same XML file, so this is obfuscation rather than secrecy: anyone who can read both the configuration and the keystore file can recover every vaulted value. The shared-key token in the VAULT:: string is likewise stored in clear text in the XML (the one produced above decodes from base64 to a UUID, the literal LINE_BREAK and the keystore alias), so it adds no secrecy either. What you gain is that a casual reader of standalone.xml, a backup, or a pasted config no longer sees the passwords.
* Ideally, robust third-party (ISV) vault implementations should provide the necessary security.

h5. Can I really secure the keystore?
* You can store the keystore on a USB drive, an encrypted USB drive, or similar removable media.
* When the server starts, insert the USB drive. After a successful start, you can remove it. The masked keystore password still has to be present in the configuration, so this protects the keystore file itself, not the configuration.

h5. I lost the vault formatted string for my attribute?
* Just re-insert the attribute value into the vault to overwrite what was previously stored. You will get a new formatted string to put in the XML.

h5. Can I do all this from the UI?
* Hopefully with time, we can get this integrated into the console.
--------------------------------------------------------------
Comment by going to Community
[http://community.jboss.org/docs/DOC-17248]
Create a new document in JBoss AS7 Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=102&co...]
13 years, 2 months
[JBoss AS7 Development] - Subsystem Development Conventions
by Stan Silvert
Stan Silvert [http://community.jboss.org/people/ssilvert] modified the document:
"Subsystem Development Conventions"
To view the document, visit: http://community.jboss.org/docs/DOC-17346
--------------------------------------------------------------
There are a number of common problems that a subsystem developer will run into. This document is an attempt to convey the best recommended practices and common conventions that other subsystems follow. Following these will make it easier for UI tools to be developed since everything works according to a similar set of rules.
h3. Use Resources Over Complex Attributes
It is much easier for UI tools to handle a small set of simple operations (add/remove/write) with simple attributes than it is to handle a monolithic resource with complex nested attributes. It also offers more flexibility in runtime updates. For example, it may be possible to increase the max thread size of a pool without restarting and replacing the entire pool. The rule of thumb is to keep creating resources until you hit primitives.
There are of course exceptions. For example, if the configuration contains an ordered list whose entries have no unique name, a resource does not fit well. In this case a complex list type is unavoidable. However, in such a scenario a set of "helper" operations should be created (e.g. add-foo). But in this case, write-attribute must still be made available for updating the entire list at once.
In some cases it may not be clear how to model a nested child as a resource because it does not have a key->value name which is required. When this happens, you will need to come up with a new naming convention that fits the key/value model yet is still based on the original notion. For example a subsystem that has a foo, and a foo-expanded can change those names to be something like foo=classic and foo=expanded.
h3. Make All Attributes Writable
Anything that can be edited in an xml file *MUST* be writable at runtime. It is possible, however, that modifying such a value cannot be done "hot" at runtime, in which case forcing the server to reload or restart is the appropriate action (see ReloadRequiredWriteAttributeHandler).
h3. Make ADD Smart, Don't Expose "Activate" Operations
The common problem is that during boot, or during a composite operation, the parent ADD happens BEFORE a child node ADD. Therefore its runtime handler is called first. The proper way to deal with this situation is to have the parent add operation add a new "step" runtime handler to make the actual changes. This step will automatically run after all of the ones before it (the children), and so it will be able to read the various child resources that are needed.
h3. Use SimpleResourceDefinition and *AttributeDefinition
These automate a large portion of validation and description handling, which makes the subsystem less error prone and quicker to develop.
h3. Learn from the EE, EJB, and Messaging Subsystems
These subsystems are considered "good" followers of the conventions. Keep in mind, though, that Messaging existed before SimpleResourceDefinition and *AttributeDefinition, so many resources in Messaging have not been converted to using SimpleResourceDefinition. So prefer following EE and EJB. Messaging is, however, a great example for solving more advanced complexities in a large subsystem (e.g. dynamic runtime resources).
[JBoss AS7 Development] - Subsystem Development Conventions
by Jason Greene
Jason Greene [http://community.jboss.org/people/jason.greene] modified the document:
"Subsystem Development Conventions"
To view the document, visit: http://community.jboss.org/docs/DOC-17346
--------------------------------------------------------------
There are a number of common problems that a subsystem developer will run into. This document is an attempt to convey the best recommended practices and common conventions that other subsystems follow. Following these will make it easier for UI tools to be developed since everything works according to a similar set of rules.
h3. Use Resources Over Complex Attributes
It is much easier for UI tools to handle a small set of simple operations (add/remove/write) with simple attributes than it is to handle a monolithic resource with complex nested attributes. It also offers more flexibility in runtime updates. For example, it may be possible to increase the max thread size of a pool without restarting and replacing the entire pool. The rule of thumb is to keep creating resources until you hit primitives.
There are of course exceptions. For example, if the configuration contains an ordered list whose entries have no unique name, a resource does not fit well. In this case a complex list type is unavoidable. However, in such a scenario a set of "helper" operations should be created (e.g. add-foo).
In some cases it may not be clear how to model a nested child as a resource because it does not have a key->value name which is required. When this happens, you will need to come up with a new naming convention that fits the key/value model yet is still based on the original notion. For example a subsystem that has a foo, and a foo-expanded can change those names to be something like foo=classic and foo=expanded.
h3. Make All Attributes Writable
Anything that can be edited in an xml file *MUST* be writable at runtime. It is possible, however, that modifying such a value cannot be done "hot" at runtime, in which case forcing the server to reload or restart is the appropriate action (see ReloadRequiredWriteAttributeHandler).
h3. Make ADD Smart, Don't Expose "Activate" Operations
The common problem is that during boot, or during a composite operation, the parent ADD happens BEFORE a child node ADD. Therefore its runtime handler is called first. The proper way to deal with this situation is to have the parent add operation add a new "step" runtime handler to make the actual changes. This step will automatically run after all of the ones before it (the children), and so it will be able to read the various child resources that are needed.
h3. Use SimpleResourceDefinition and *AttributeDefinition
These automate a large portion of validation and description handling, which makes the subsystem less error prone and quicker to develop.
h3. Learn from the EE, EJB, and Messaging Subsystems
These subsystems are considered "good" followers of the conventions. Keep in mind, though, that Messaging existed before SimpleResourceDefinition and *AttributeDefinition, so many resources in Messaging have not been converted to using SimpleResourceDefinition. So prefer following EE and EJB. Messaging is, however, a great example for solving more advanced complexities in a large subsystem (e.g. dynamic runtime resources).
[JBoss AS7 Development] - Subsystem Development Conventions
by Jason Greene
Jason Greene [http://community.jboss.org/people/jason.greene] created the document:
"Subsystem Development Conventions"
To view the document, visit: http://community.jboss.org/docs/DOC-17346
--------------------------------------------------------------
There are a number of common problems that a subsystem developer will run into. This document is an attempt to convey the best recommended practices and common conventions that other subsystems follow. Following these will make it easier for UI tools to be developed since everything works according to a similar set of rules.
h3. Use Resources Over Complex Attributes
It is much easier for UI tools to handle a small set of simple operations (add/remove/write) with simple attributes than it is to handle a monolithic resource with complex nested attributes. It also offers more flexibility in runtime updates. For example, it may be possible to increase the max thread size of a pool without restarting and replacing the entire pool. The rule of thumb is to keep creating resources until you hit primitives.
There are of course exceptions. For example, if the configuration contains an ordered list whose entries have no unique name, a resource does not fit well. In this case a complex list type is unavoidable. However, in such a scenario a set of "helper" operations should be created (e.g. add-foo).
In some cases it may not be clear how to model a nested child as a resource because it does not have a key->value name which is required. When this happens, you will need to come up with a new naming convention that fits the key/value model yet is still based on the original notion. For example a subsystem that has a foo, and a foo-expanded can change those names to be something like foo=classic and foo=expanded.
h3. Make All Attributes Writable
Anything that can be edited in an xml file *MUST* be writable at runtime. It is possible, however, that modifying such a value cannot be done "hot" at runtime, in which case forcing the server to reload or restart is the appropriate action (see ReloadRequiredWriteAttributeHandler).
h3. Make ADD Smart, Don't Expose "Activate" Operations
The common problem is that during boot, or during a composite operation, the parent ADD happens BEFORE a child node ADD. Therefore its runtime handler is called first. The proper way to deal with this situation is to have the parent add operation add a new "step" runtime handler to make the actual changes. This step will automatically run after all of the ones before it (the children), and so it will be able to read the various child resources that are needed.
h3. Use SimpleResourceDefinition and *AttributeDefinition
These automate a large portion of validation and description handling, which makes the subsystem less error prone and quicker to develop.
[JBoss AS7 Development] - JBoss HornetQ jms exception
by Bharat Savanur
Bharat Savanur [http://community.jboss.org/people/bharat.savanur] created the discussion
"JBoss HornetQ jms exception"
To view the discussion, visit: http://community.jboss.org/message/630220#630220
--------------------------------------------------------------
Hi All,
I am facing a problem in HornetQ JMS. The queues and the topics are configured using the Spring JNDI template.
When I start the server the queues are bound and everything works fine.
But the requirement is that when the server starts up, we send a message to an MDB configured on the same server
with the server information specific to our application. When I try to do this, it gives me an error saying
a JMS exception occurred while processing the message. The complete stack trace is given below:
ERROR [*MessageListenerAdapter*] (Thread-20 (group:HornetQ-client-global-threads-1688591)) Error happened when processing message: javax.jms.JMSException: *ServerInfo* from [Module "org.hornetq:main" from local module loader @4aeb52 (roots: D:\Servers_New\new 7.2 server\jboss-as-7.0.2.Final\modules)]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:191)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:361)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:333)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:310)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:103)
at java.lang.Class.forName0(Native Method) [:1.6.0_18]
at java.lang.Class.forName(Class.java:247) [:1.6.0_18]
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:604) [:1.6.0_18]
at org.hornetq.utils.ObjectInputStreamWithClassLoader.resolveClass(ObjectInputStreamWithClassLoader.java:71) [hornetq-core-2.2.7.Final.jar:]
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1575) [:1.6.0_18]
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1496) [:1.6.0_18]
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1732) [:1.6.0_18]
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329) [:1.6.0_18]
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351) [:1.6.0_18]
at org.hornetq.jms.client.HornetQObjectMessage.getObject(HornetQObjectMessage.java:158) [hornetq-jms-2.2.7.Final.jar:]
at *ControlMessageUtil*.process(ControlMessageUtil.java:24)
at *MessageListenerAdapter*.onMessage(MessageListenerAdapter.java:53)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:510)
at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:445)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:414)
at org.springframework.jms.listener.AbstractMessageListenerContainer.executeListener(AbstractMessageListenerContainer.java:386)
at org.springframework.jms.listener.SimpleMessageListenerContainer$2.onMessage(SimpleMessageListenerContainer.java:205)
at org.hornetq.jms.client.JMSMessageListenerWrapper.onMessage(JMSMessageListenerWrapper.java:91) [hornetq-jms-2.2.7.Final.jar:]
at org.hornetq.core.client.impl.ClientConsumerImpl.callOnMessage(ClientConsumerImpl.java:866) [hornetq-core-2.2.7.Final.jar:]
at org.hornetq.core.client.impl.ClientConsumerImpl.access$100(ClientConsumerImpl.java:44) [hornetq-core-2.2.7.Final.jar:]
at org.hornetq.core.client.impl.ClientConsumerImpl$Runner.run(ClientConsumerImpl.java:983) [hornetq-core-2.2.7.Final.jar:]
at org.hornetq.utils.OrderedExecutorFactory$OrderedExecutor$1.run(OrderedExecutorFactory.java:100) [hornetq-core-2.2.7.Final.jar:]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_18]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_18]
at java.lang.Thread.run(Thread.java:619) [:1.6.0_18]
It would be great to know if this is a class loading issue or something else. An answer would be a lot of help.
Thanks and Regards,
Bharat Savanur