[JBoss AS 7 Development] - JBoss Passwords - not secure, but recommended
by mentallurg
mentallurg [https://community.jboss.org/people/mentallurg] modified the document:
"JBoss Passwords - not secure, but recommended"
To view the document, visit: https://community.jboss.org/docs/DOC-48166
--------------------------------------------------------------
The following article describes how passwords in JBoss can be secured:
https://community.jboss.org/docs/DOC-17248 https://community.jboss.org/wiki/JBossAS7SecuringPasswords
The key point is missing there, however: what benefit does it give?
*It is not secure! But why is it still recommended?*
We should be clear that the eventual level of security provided by the JBoss vault is exactly the same as with plain text passwords. First we will consider why (it may not be obvious). Then we will see why, in spite of this, there are still benefits.
h5. What is the purpose of the JBoss vault?
* The purpose is to prevent easy disclosure of passwords used in JBoss configuration files. Actually not only passwords, but any sensitive data.
h5. Why is it not secure?
* JBoss needs to be able to restore passwords without user input. If JBoss asked the user for a password each time it starts, it would be secure, but not maintainable. It would be impossible to guarantee high availability of servers.
* This means JBoss must be able to restore passwords based only on resources available on the server, i.e. the vault and the key store.
* If somebody obtains access to these files on the server, he can easily restore the encrypted passwords, even without knowing any secret information.
* Don't believe it? See the decryptor in the attachment. Start the application and provide the data that you used in the <vault> section of the JBoss config.
h5. But what's the reason to use it then?
h6. Without vault
* The configuration of your application changes from time to time. Sometimes you wish to restore the state that was "10 changes before" the current one. That's why you wish to keep track of all changes. Where do you keep all previous versions? In an archive with a secret password? Or in some secret repository? Not bad.
* Then what do you do if developers request your configs to analyze some problem? Do you thoroughly check the configs and remove all passwords before sending the files to devs? Have you replaced all passwords? In all files you send? Ahh, OK, you use scripts. But are you sure you have adjusted the scripts after one more datasource was added last month? OK, you've done it.
* Are you sure it was on this environment, for this staging server? Not a different config structure for another branch or stage?
* Are you sure each time? Of course this can work. But what is the price? How much headache do you have each time?
h6. With vault
* All passwords in your configs are encrypted.
* You replace the original passwords in the configs only once and don't care any more.
* You can share the configs with devs.
* You can keep all versions of the configs in a normal, non-secret repository (svn, git). Many people can access them (your devs, ops, admins, customer, your repo hoster like github or bitbucket) without compromising security.
* You "disclose" your configs AS IS. No need to remove passwords. No need to worry each time whether you have overlooked any sensitive info.
* You can automate backing up all configs without compromising security.
* The only thing you need to care about is the key store. You should keep it apart from your configs. But that is much easier. It is just a single file.
h6. Idea
* Basically we split the secret. One part is stored in the config file. It is public. The other part is the key store. Keep it secret. Of course, everyone who has access to the key store on your server can restore all the encrypted secrets. But you avoid the headache of maintaining your configs.
h5. Alternatives
* If you have a non-JEE application, e.g. based on Spring, you may want to use Jasypt. But the level of security remains the same as with plain text passwords and the same as with the vault. It is only a kind of mirror image of the vault approach:
* In the vault case the password (for the key store) is public. It is masked, but actually it is public. The actual secret is kept on the server (the key store).
* In the case of Jasypt the public part (the configs) is encrypted and cannot be restored without a password. The secret is the password used to decrypt the configs. And this secret is kept on the server (e.g. as an environment variable in a JBoss start script).
* In both cases the configs can be made public and maintained easily, without compromising security.
* In both cases, if someone has access to the server, the secrets can be decrypted without much effort.
*Conclusion*
With the vault you don't get more security. There is no magic. But you get easily maintainable configs that can be disclosed without risk.
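A check for the "have you replaced all passwords?" question above, written against the standalone.xml layout used in the "JBoss AS7 Securing Passwords" document further down this page. This is an added Python example, not the article's decryptor or a JBoss tool; the XML, the shared key and the passwords in it are constructed, and the set of element and attribute names treated as sensitive is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# A vaulted value as written into the XML: ${VAULT::block::attribute::sharedkey}
VAULT_EXPR = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^}]+\}$")
# Element and attribute names treated as secrets (an assumption for this demo;
# extend the sets for the subsystems you actually run).
SENSITIVE_ELEMENTS = {"password"}
SENSITIVE_ATTRS = {"password", "keystore-password", "key-password"}


def local_name(tag):
    """'{urn:jboss:domain:datasources:1.0}password' -> 'password'."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_secrets(xml_text):
    """Return [(path, value), ...] for every secret that is not a ${VAULT::...} expression."""
    findings = []

    def walk(elem, parent_path):
        name = local_name(elem.tag)
        path = parent_path + "/" + name
        text = (elem.text or "").strip()
        if name in SENSITIVE_ELEMENTS and text and not VAULT_EXPR.match(text):
            findings.append((path, text))
        for attr, value in elem.attrib.items():
            if attr in SENSITIVE_ATTRS and not VAULT_EXPR.match(value):
                findings.append((path + "/@" + attr, value))
        # The vault's own keystore password should be the MASK- form printed by
        # vault.sh, never the clear text that was typed into keytool.
        if name == "vault-option" and elem.get("name") == "KEYSTORE_PASSWORD":
            if not elem.get("value", "").startswith("MASK-"):
                findings.append((path + "/@value", elem.get("value", "")))
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return findings


# Constructed standalone.xml fragment: one vaulted datasource, one datasource whose
# password was overlooked, and a management keystore password that was never vaulted.
# The shared key and every password below are made-up sample values.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.1">
  <vault>
    <vault-option name="KEYSTORE_URL" value="/home/anil/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
  </vault>
  <management>
    <security-realms>
      <security-realm name="DemoRealm">
        <server-identities>
          <ssl>
            <keystore path="server.keystore" keystore-password="changeit"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:1.0">
      <datasources>
        <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="H2DS">
          <security>
            <user-name>sa</user-name>
            <password>${VAULT::ds_ExampleDS::password::Q09OU1RSVUNURUQ}</password>
          </security>
        </datasource>
        <datasource jndi-name="java:jboss/datasources/ReportsDS" pool-name="ReportsDS">
          <security>
            <user-name>reports</user-name>
            <password>reports-s3cret</password>
          </security>
        </datasource>
      </datasources>
    </subsystem>
  </profile>
</server>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_STANDALONE_XML):
        print("plain text secret at %s: %r" % (path, value))
```

Run it over every file you are about to commit or hand to developers; an empty result is the condition under which the "disclose AS IS" argument above holds.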
--------------------------------------------------------------
Comment by going to Community
[https://community.jboss.org/docs/DOC-48166]
Create a new document in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=102&c...]
11 years, 3 months
[JBoss AS 7 Development] - JBoss AS7 Securing Passwords
by mentallurg
mentallurg [https://community.jboss.org/people/mentallurg] modified the document:
"JBoss AS7 Securing Passwords"
To view the document, visit: https://community.jboss.org/docs/DOC-17248
--------------------------------------------------------------
This article will describe the capabilities available in JBoss AS7.1 with regard to securing sensitive attributes such as passwords.
h2. Disclaimer:
The default implementation described in this article only solves the problem of masking clear text passwords. There is always a weak link (in this case, the keystore password).
For the Windows platform, refer to https://community.jboss.org/docs/DOC-17763 https://community.jboss.org/wiki/AS7PasswordVaultOnWindows
* Disclaimer
* What is needed?
* Process
** Step 1: Create a Java KeyStore
** Step 2: Use the Vault Tool scripts to store a password in the vault
** Step 3: Configure the attributes in your xml such as standalone.xml and host.xml
* Guidance for subsystems seeking passwords in AS7
* Frequently Asked Questions
** How secure is this?
** Can I really secure the keystore?
** How do I get foolproof security for passwords?
** I lost the vault formatted string for my attribute?
** Can I do all this from the UI?
** Show me how to do this on Windows.
** Please give me an example.
h2. What is needed?
1. Java KeyStore.
2. Scripts provided in the bin directory of JBoss AS 7.1 (vault.sh etc.)
h2. Process
h3. Step 1: Create a Java KeyStore
$ keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore vault.keystore
Enter keystore password: vault22
Re-enter new password:vault22
What is your first and last name?
[Unknown]: Picketbox vault
What is the name of your organizational unit?
[Unknown]: picketbox
What is the name of your organization?
[Unknown]: JBoss
What is the name of your City or Locality?
[Unknown]: chicago
What is the name of your State or Province?
[Unknown]: il
What is the two-letter country code for this unit?
[Unknown]: us
Is CN=Picketbox vault, OU=picketbox, O=JBoss, L=chicago, ST=il, C=us correct?
[no]: yes
Enter key password for <vault>
(RETURN if same as keystore password):
It is important to keep track of the keystore password and the alias. In this example, the keystore password is "vault22" and the alias is "vault".
h3. Step 2: Use the Vault Tool scripts to store a password in the vault
/bin/util$ ./vault.sh
=========================================================================
JBoss Vault
JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT
JAVA: /opt/java/jdk1.6.0_23/bin/java
VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/as/security/main/*
=========================================================================
**********************************
**** JBoss Vault ********
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Please make note of the following:
********************************************
Masked Password:MASK-5WNXs8oEbrs
salt:12345678
Iteration Count:50
********************************************
Enter Keystore Alias:vault
Sep 28, 2011 11:48:39 AM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
0
Task: Store a password
Please enter attribute value:
Please enter attribute value again:
Values match
Enter Vault Block:ds_ExampleDS
Enter Attribute Name:password
Attribute Value for (ds_ExampleDS, password) saved
Please make note of the following:
********************************************
Vault Block:ds_ExampleDS
Attribute Name:password
Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
Configuration should be done as follows:
VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
********************************************
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
2
h3. Step 3: Configure the attributes in your xml such as standalone.xml and host.xml
<server xmlns="urn:jboss:domain:1.1">
    <extensions>
        ...
    </extensions>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/home/anil/vault/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12438567"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
    </vault>
    ...
    <subsystem xmlns="urn:jboss:domain:datasources:1.0">
        <datasources>
            <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
                <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
                <driver>h2</driver>
                <pool></pool>
                <security>
                    <user-name>sa</user-name>
                    <password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password>
                </security>
            </datasource>
            <drivers>
                <driver name="h2" module="com.h2database.h2">
                    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                </driver>
            </drivers>
        </datasources>
    </subsystem>
Note that previously the datasource password would have been stored in clear text:
    <security>
        <user-name>sa</user-name>
        <password>sa</password>
    </security>
h2. Guidance for subsystems seeking passwords in AS7
The server module in the JBoss AS7 workspace has a class called VaultUtil with methods that let you pass in the vault formatted string and get the password back from the vault.
I am posting the integration done in org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService
Note: do not seek the password from the vault during the XML parsing phase, because at that point the vault has not yet been initialized. It has to be done in the services phase, when you actually do something with the configured elements of your subsystem.
In the case of the JCA datasource integration, we do it in AbstractDataSourceService:
import org.jboss.as.server.services.security.VaultUtil;
import org.jboss.security.vault.SecurityVaultException;

final DsSecurity security = dataSourceConfig.getSecurity();
if (security != null) {
    if (security.getUserName() != null) {
        managedConnectionFactory.setUserName(security.getUserName());
    }
    if (security.getPassword() != null) {
        String password = security.getPassword();
        if (VaultUtil.isVaultFormat(password)) {
            try {
                password = VaultUtil.getValueAsString(password);
            } catch (SecurityVaultException e) {
                throw new RuntimeException(e); // TODO: use bundle from IJ
            }
        }
        managedConnectionFactory.setPassword(password);
    }
}
We do not want configuration of the vault formatted string to be difficult. As long as the formatted string is prefixed with VAULT::, the vault will be invoked. Custom implementations of the vault should consider the last token for any configuration.
If you are using the AttributeDefinition classes, the vaulted expression will be resolved automatically when calling AttributeDefinition.resolveModelAttribute(). If you are not using AttributeDefinition, you need to call OperationContext.resolveExpressions() yourself, as in this example from DataSourceModelNodeUtil:
...
final String password = getResolvedStringIfSetOrGetDefault(operationContext, dataSourceNode, PASSWORD, null);
...

private static String getResolvedStringIfSetOrGetDefault(final OperationContext context, final ModelNode dataSourceNode, final SimpleAttributeDefinition key, final String defaultValue) {
    if (dataSourceNode.hasDefined(key.getName())) {
        return context.resolveExpressions(dataSourceNode.get(key.getName())).asString();
    } else {
        return defaultValue;
    }
}
h2. Frequently Asked Questions:
h5. How secure is this?
* The default implementation of the vault utilizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity. This is not 100% security. It only gets away from the problem of clear text passwords in configuration files. There is always a weak link. (As mentallurg suggests in the comments, the keystore password is the weakest link.)
* Ideally, robust 3rd party ISV implementations of Vaults should provide the necessary security.
h5. Can I really secure the keystore?
* You can store the keystore on a USB stick, an encrypted secure USB device or similar.
* When the server starts, insert the USB device. On successful start, you can remove it.
* Ideally, use a FIPS 140-2 certified keystore from a keystore vendor if you want foolproof security.
h5. How do I get foolproof security for passwords?
* The default implementation of the Vault in JBoss AS7 is not 100% secure.
* You can increase the level of security by adopting a FIPS 140-2 certified keystore.
* You can use 3rd party implementations of the Vault (this is something we are pushing ISVs to do).
h5. I lost the vault formatted string for my attribute?
* Just reinsert the attribute value in the vault to overwrite what was previously stored. You will get a new formatted string to insert in the xml.
h5. Can I do all this from the UI?
* Hopefully with time, we can get this integrated into the console.
h5. Show me how to do this on Windows.
* https://community.jboss.org/docs/DOC-17763 https://community.jboss.org/wiki/AS7PasswordVaultOnWindows
h5. Please give me an example.
* https://community.jboss.org/docs/DOC-17472 https://community.jboss.org/wiki/AS7UtilisingMaskedPasswordsViaTheVault
* https://community.jboss.org/docs/DOC-17503
--------------------------------------------------------------
[JBoss AS 7 Development] - JBoss AS7 Securing Passwords
by mentallurg
mentallurg [https://community.jboss.org/people/mentallurg] modified the document:
"JBoss AS7 Securing Passwords"
To view the document, visit: https://community.jboss.org/docs/DOC-17248
--------------------------------------------------------------
This article will describe the capabilities available in JBoss AS7.1 with regard to securing sensitive attributes such as passwords.
h2. Disclaimer:
The default implementation described in this article only solves the problem of masking clear text passwords. There is always a weak link (in this case, the keystore password).
For the Windows platform, refer to https://community.jboss.org/docs/DOC-17763 https://community.jboss.org/wiki/AS7PasswordVaultOnWindows
* Disclaimer
* What is needed?
* Process
** Step 1: Create a Java KeyStore
** Step 2: Use the Vault Tool scripts to store a password in the vault
** Step 3: Configure the attributes in your xml such as standalone.xml and host.xml
* Guidance for subsystems seeking passwords in AS7
* Frequently Asked Questions
** How secure is this?
** Can I really secure the keystore?
** How do I get foolproof security for passwords?
** Why should I use it?
** I lost the vault formatted string for my attribute?
** Can I do all this from the UI?
** Show me how to do this on Windows.
** Please give me an example.
h2. What is needed?
1. Java KeyStore.
2. Scripts provided in the bin directory of JBoss AS 7.1 (vault.sh etc.)
h2. Process
h3. Step 1: Create a Java KeyStore
$ keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore vault.keystore
Enter keystore password: vault22
Re-enter new password:vault22
What is your first and last name?
[Unknown]: Picketbox vault
What is the name of your organizational unit?
[Unknown]: picketbox
What is the name of your organization?
[Unknown]: JBoss
What is the name of your City or Locality?
[Unknown]: chicago
What is the name of your State or Province?
[Unknown]: il
What is the two-letter country code for this unit?
[Unknown]: us
Is CN=Picketbox vault, OU=picketbox, O=JBoss, L=chicago, ST=il, C=us correct?
[no]: yes
Enter key password for <vault>
(RETURN if same as keystore password):
It is important to keep track of the keystore password and the alias. In this example, the keystore password is "vault22" and the alias is "vault".
h3. Step 2: Use the Vault Tool scripts to store a password in the vault
/bin/util$ ./vault.sh
=========================================================================
JBoss Vault
JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT
JAVA: /opt/java/jdk1.6.0_23/bin/java
VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Alpha2-SNAPSHOT/modules/org/jboss/as/security/main/*
=========================================================================
**********************************
**** JBoss Vault ********
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Please make note of the following:
********************************************
Masked Password:MASK-5WNXs8oEbrs
salt:12345678
Iteration Count:50
********************************************
Enter Keystore Alias:vault
Sep 28, 2011 11:48:39 AM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
0
Task: Store a password
Please enter attribute value:
Please enter attribute value again:
Values match
Enter Vault Block:ds_ExampleDS
Enter Attribute Name:password
Attribute Value for (ds_ExampleDS, password) saved
Please make note of the following:
********************************************
Vault Block:ds_ExampleDS
Attribute Name:password
Shared Key:N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
Configuration should be done as follows:
VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0
********************************************
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
2
h3. Step 3: Configure the attributes in your xml such as standalone.xml and host.xml
<server xmlns="urn:jboss:domain:1.1">
    <extensions>
        ...
    </extensions>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/home/anil/vault/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12438567"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
    </vault>
    ...
    <subsystem xmlns="urn:jboss:domain:datasources:1.0">
        <datasources>
            <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
                <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
                <driver>h2</driver>
                <pool></pool>
                <security>
                    <user-name>sa</user-name>
                    <password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password>
                </security>
            </datasource>
            <drivers>
                <driver name="h2" module="com.h2database.h2">
                    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                </driver>
            </drivers>
        </datasources>
    </subsystem>
Note that previously the datasource password would have been stored in clear text:
    <security>
        <user-name>sa</user-name>
        <password>sa</password>
    </security>
h2. Guidance for subsystems seeking passwords in AS7
The server module in the JBoss AS7 workspace has a class called VaultUtil with methods that let you pass in the vault formatted string and get the password back from the vault.
I am posting the integration done in org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService
Note: do not seek the password from the vault during the XML parsing phase, because at that point the vault has not yet been initialized. It has to be done in the services phase, when you actually do something with the configured elements of your subsystem.
In the case of the JCA datasource integration, we do it in AbstractDataSourceService:
import org.jboss.as.server.services.security.VaultUtil;
import org.jboss.security.vault.SecurityVaultException;

final DsSecurity security = dataSourceConfig.getSecurity();
if (security != null) {
    if (security.getUserName() != null) {
        managedConnectionFactory.setUserName(security.getUserName());
    }
    if (security.getPassword() != null) {
        String password = security.getPassword();
        if (VaultUtil.isVaultFormat(password)) {
            try {
                password = VaultUtil.getValueAsString(password);
            } catch (SecurityVaultException e) {
                throw new RuntimeException(e); // TODO: use bundle from IJ
            }
        }
        managedConnectionFactory.setPassword(password);
    }
}
We do not want configuration of the vault formatted string to be difficult. As long as the formatted string is prefixed with VAULT::, the vault will be invoked. Custom implementations of the vault should consider the last token for any configuration.
If you are using the AttributeDefinition classes, the vaulted expression will be resolved automatically when calling AttributeDefinition.resolveModelAttribute(). If you are not using AttributeDefinition, you need to call OperationContext.resolveExpressions() yourself, as in this example from DataSourceModelNodeUtil:
...
final String password = getResolvedStringIfSetOrGetDefault(operationContext, dataSourceNode, PASSWORD, null);
...

private static String getResolvedStringIfSetOrGetDefault(final OperationContext context, final ModelNode dataSourceNode, final SimpleAttributeDefinition key, final String defaultValue) {
    if (dataSourceNode.hasDefined(key.getName())) {
        return context.resolveExpressions(dataSourceNode.get(key.getName())).asString();
    } else {
        return defaultValue;
    }
}
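The resolution contract described in this section (and in its earlier copy above), as an added Python example rather than JBoss code: DemoVault, SecurityVaultError and VaultNotReadyError are constructed stand-ins for the PicketBox vault and SecurityVaultException, and the shared keys used in the strings are made up.

```python
import re

VAULT_PREFIX = "VAULT::"
# ${VAULT::...} as it is embedded in an attribute value such as <password>${VAULT::...}</password>.
EXPRESSION = re.compile(r"\$\{(VAULT::[^}]*)\}")


class SecurityVaultError(Exception):
    """Stand-in for org.jboss.security.vault.SecurityVaultException."""


class VaultNotReadyError(SecurityVaultError):
    """Raised for a lookup made before the vault is initialized (the XML-parsing-phase mistake)."""


class DemoVault:
    """In-memory stand-in for the PicketBox vault, keyed by (vault block, attribute name).
    Constructed for this example; it has none of PicketBox's keystore-based encryption."""

    def __init__(self, entries):
        self._entries = dict(entries)
        self._ready = False

    def initialize(self):
        # In AS7 this happens when the server's vault service starts, after XML parsing.
        self._ready = True

    def retrieve(self, block, attribute, shared_key):
        if not self._ready:
            raise VaultNotReadyError("vault not initialized: resolve passwords in the services phase")
        # The last token is left to the vault implementation; the demo only requires it to be present.
        if not shared_key:
            raise SecurityVaultError("missing shared key token")
        if (block, attribute) not in self._entries:
            raise SecurityVaultError("no value stored for (%s, %s)" % (block, attribute))
        return self._entries[(block, attribute)]


def is_vault_format(value):
    """Mirror of VaultUtil.isVaultFormat(): any VAULT:: prefixed string goes to the vault."""
    return value is not None and value.startswith(VAULT_PREFIX)


def parse_vault_string(value):
    """Split 'VAULT::block::attribute::sharedkey' into its three parts.
    maxsplit=2 keeps a last token that itself contains '::' intact for the vault."""
    if not is_vault_format(value):
        raise SecurityVaultError("not a vault formatted string: %r" % value)
    parts = value[len(VAULT_PREFIX):].split("::", 2)
    if len(parts) != 3 or not all(parts):
        raise SecurityVaultError("expected VAULT::block::attribute::sharedkey, got %r" % value)
    return tuple(parts)


def get_value_as_string(value, vault):
    """Mirror of VaultUtil.getValueAsString(): look the attribute up in the vault."""
    block, attribute, shared_key = parse_vault_string(value)
    return vault.retrieve(block, attribute, shared_key)


def resolve_expressions(text, vault):
    """Analogue of OperationContext.resolveExpressions() for the ${VAULT::...} case:
    each embedded expression is replaced by its vault value, plain text is returned unchanged."""
    return EXPRESSION.sub(lambda m: get_value_as_string(m.group(1), vault), text)


def datasource_password(configured, vault):
    """The AbstractDataSourceService pattern: vaulted strings are resolved, plain ones pass through."""
    if configured is None:
        return None
    return get_value_as_string(configured, vault) if is_vault_format(configured) else configured
```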
h2. Frequently Asked Questions:
h5. How secure is this?
* The default implementation of the vault utilizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity. This is not 100% security. It only gets away from the problem of clear text passwords in configuration files. There is always a weak link. (As mentallurg suggests in the comments, the keystore password is the weakest link.)
* Ideally, robust 3rd party ISV implementations of Vaults should provide the necessary security.
h5. Can I really secure the keystore?
* You can store the keystore on a USB stick, an encrypted secure USB device or similar.
* When the server starts, insert the USB device. On successful start, you can remove it.
* Ideally, use a FIPS 140-2 certified keystore from a keystore vendor if you want foolproof security.
h5. How do I get foolproof security for passwords?
* The default implementation of the Vault in JBoss AS7 is not 100% secure.
* You can increase the level of security by adopting a FIPS 140-2 certified keystore.
* You can use 3rd party implementations of the Vault (this is something we are pushing ISVs to do).
h5. Why should I use it?
* There is no magic. The level of security is exactly the same as with plain text passwords.
* What's the reason to use it?
* If you
h5. I lost the vault formatted string for my attribute?
* Just reinsert the attribute value in the vault to overwrite what was previously stored. You will get a new formatted string to insert in the xml.
h5. Can I do all this from the UI?
* Hopefully with time, we can get this integrated into the console.
h5. Show me how to do this on Windows.
* https://community.jboss.org/docs/DOC-17763 https://community.jboss.org/wiki/AS7PasswordVaultOnWindows
h5. Please give me an example.
* https://community.jboss.org/docs/DOC-17472 https://community.jboss.org/wiki/AS7UtilisingMaskedPasswordsViaTheVault
* https://community.jboss.org/docs/DOC-17503
--------------------------------------------------------------