Mask passwords in standalone.xml for Wildfly 27


Arkady Zelekman

Feb 19, 2023, 5:35:30 AM2/19/23
to WildFly
Hi, team

Until now we have worked with WildFly 23 and used the VAULT mechanism to mask passwords in standalone.xml, for example:

                <http-acceptor name="http-acceptor-throughput" http-listener="default">
                    .......
                    <param name="key-store-path" value="${jboss.server.base.dir}/conf/allot.keystore"/>
                    <param name="key-store-password" value="${VAULT::vb::password::1}"/>
                </http-acceptor>

We also read values from the vault storage from our Java code inside our business logic.

As far as I understood, the vault mechanism was removed since WildFly 25.

Which mechanisms for masking data can I use now?

Thank you very much in advance,
Arkady

Darran Lofthouse

Feb 19, 2023, 5:47:28 AM2/19/23
to WildFly
Please see the following blog for information on the encrypted expression support we added: https://wildfly-security.github.io/wildfly-elytron/blog/wildfly-encrypted-expressions/

Arkady Zelekman

Feb 19, 2023, 5:54:49 AM2/19/23
to Darran Lofthouse, WildFly


Darran Lofthouse

Feb 19, 2023, 7:05:09 AM2/19/23
to WildFly
Yes, it is still relevant, but your question was about masked passwords; the new encrypted expression support is the closest to masked password support, except that instead of being obfuscated the values are encrypted using a key you control.

You can do the bulk convert to convert a vault to a credential store, but you will only be able to use the values on resources that support a credential reference.
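Added example (editor's illustration, not code from this thread, the linked blog or the WildFly project) of what sits behind an `${ENC::resolver:token}` expression. On the server the key lives in a `secret-key-credential-store` and an `expression=encryption` resource in the Elytron subsystem does the resolving, as the blog Darran linked describes; the block below drives the same `wildfly-elytron-encryption` utilities directly so you can see that the token is ciphertext under a key you hold, not an obfuscation. The resolver name `exampleResolver`, the class name and the sample clear text are assumptions; the expression prefix format `${ENC::<resolver>:<token>}` is the one the blog shows.

```java
// Added example, not from the thread or the WildFly project. Needs
// org.wildfly.security:wildfly-elytron-encryption on the classpath.
import javax.crypto.SecretKey;

import org.wildfly.security.encryption.CipherUtil;
import org.wildfly.security.encryption.SecretKeyUtil;

public class EncryptedExpressionDemo {

    // Assumed resolver name: on a server it is whatever you register under
    // /subsystem=elytron/expression=encryption, and it selects the key alias.
    private static final String RESOLVER = "exampleResolver";

    /** Wraps an encrypted token in the same shape the server's create-expression produces. */
    static String toExpression(String clearText, SecretKey key) throws Exception {
        String token = CipherUtil.encrypt(clearText, key);
        return "${ENC::" + RESOLVER + ":" + token + "}";
    }

    /** Inverse: pull the token out of the expression and decrypt it with the resolver's key. */
    static String resolve(String expression, SecretKey key) throws Exception {
        String prefix = "${ENC::" + RESOLVER + ":";
        if (!expression.startsWith(prefix) || !expression.endsWith("}")) {
            throw new IllegalArgumentException("not an ENC expression for resolver " + RESOLVER);
        }
        String token = expression.substring(prefix.length(), expression.length() - 1);
        return CipherUtil.decrypt(token, key);
    }

    public static void main(String[] args) throws Exception {
        // 256-bit AES key. On a server, generate-secret-key on the
        // secret-key-credential-store creates and stores this under an alias.
        SecretKey key = SecretKeyUtil.generateSecretKey(256);

        // The exported string form is what the properties-backed store persists;
        // round-trip it to show that the persisted form restores the same key.
        String exported = SecretKeyUtil.exportSecretKey(key);
        SecretKey reloaded = SecretKeyUtil.importSecretKey(exported);

        String expression = toExpression("keystore-secret", key);
        System.out.println("expression: " + expression);
        System.out.println("resolved:   " + resolve(expression, reloaded));

        // A different key must not yield the clear text: expect an exception,
        // which is what distinguishes this from the old obfuscating VAULT.
        SecretKey wrongKey = SecretKeyUtil.generateSecretKey(256);
        try {
            resolve(expression, wrongKey);
            System.out.println("unexpected: decrypted with the wrong key");
        } catch (Exception e) {
            System.out.println("wrong key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The practical consequence is the one Darran states: whoever can read the secret-key store can decrypt every expression it resolves, so protect that file at least as carefully as you protected the vault keystore, and keep it out of the same backup and VCS paths as standalone.xml.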

Arkady Zelekman

Feb 19, 2023, 7:23:05 AM2/19/23
to Darran Lofthouse, WildFly
Darran, thanks for the clear explanation.

Do you have a reference on how to read info from a credential store from custom Java code which runs on the WildFly server? We also need it in our business logic.

Thanks,
Arkady

Lumír Návrat

Feb 20, 2023, 5:16:19 AM2/20/23
to WildFly
Hi, in the zip you have our solution that we are using in our application on WF26. I'm not sure now, but I think that I tried it on WF27 too.
It is using a credential store and masked passwords.

<custom-standalone>.xml means your config file for WF. We have there, e.g., these values related to the location of the credential store and configs:

    <system-properties>
        <property name="permanent-configuration.dir" value="${jboss.home.dir}/../permanent-configuration"/>
    </system-properties>
    <paths>
        <path name="permanent-configuration.dir" path="${permanent-configuration.dir}"/>
    </paths>

credential-store.properties contains values like this (I omit other @EnProperty key=value pairs):

credentialStoreAlgorithm=KeyStoreCredentialStore
keyStoreType=JCEKS
credentialStore=<path to store>
credentialStoreModelNodeName=<credential-store name defined in <custom-standalone>.xml>
host=localhost
managementPort=9990

On Sunday, 19 February 2023 at 13:23:05 UTC+1, Arkady Zelekman wrote:
CredentialStoreWithMaskedPasswords.zip
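Added example (editor's illustration, not the contents of the attached zip and not WildFly project code) for the question of reading a credential store from custom Java code. It opens a `KeyStoreCredentialStore` backed by a JCEKS file, matching the `credentialStoreAlgorithm` and `keyStoreType` values in the properties above, through the Elytron `CredentialStore` API and retrieves the clear-text password stored under an alias. Assumptions: the class name, the alias `keystore-password`, the file name `credential-store.jceks` under the `permanent-configuration.dir` system property from the config above, and the `CS_PASSWORD` environment variable used to supply the store password are all placeholders; a deployment running inside WildFly also needs `Dependencies: org.wildfly.security.elytron` in its META-INF/MANIFEST.MF so the Elytron classes resolve, while a standalone run needs `org.wildfly.security:wildfly-elytron` on the classpath.

```java
// Added example, not from the attached zip or the WildFly project.
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.source.CredentialSource;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.WildFlyElytronCredentialStoreProvider;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.password.spec.ClearPasswordSpec;

public final class CredentialStoreReader {

    private final CredentialStore store;

    /**
     * Opens an existing KeyStoreCredentialStore read-only. The store password is the
     * one the store was created with; it must come from a protected place (environment,
     * a file with tight permissions, a masked value), never from source code.
     */
    public CredentialStoreReader(String location, char[] storePassword) throws Exception {
        store = CredentialStore.getInstance("KeyStoreCredentialStore",
                WildFlyElytronCredentialStoreProvider.getInstance());

        // Same attributes the credential-store resource takes in standalone.xml.
        Map<String, String> attrs = new HashMap<>();
        attrs.put("location", location);
        attrs.put("keyStoreType", "JCEKS");
        attrs.put("modifiable", "false"); // business code should never write secrets here
        attrs.put("create", "false");     // fail loudly if the file is missing

        // The store password is handed over as a clear-password credential.
        PasswordFactory factory = PasswordFactory.getInstance(ClearPassword.ALGORITHM_CLEAR,
                WildFlyElytronPasswordProvider.getInstance());
        CredentialSource protection = IdentityCredentials.NONE.withCredential(
                new PasswordCredential(factory.generatePassword(new ClearPasswordSpec(storePassword))));

        store.initialize(attrs, new CredentialStore.CredentialSourceProtectionParameter(protection));
    }

    /** Returns the clear-text password stored under alias; throws if the alias is absent. */
    public char[] password(String alias) throws CredentialStoreException {
        PasswordCredential credential = store.retrieve(alias, PasswordCredential.class);
        if (credential == null) {
            throw new CredentialStoreException("no credential stored under alias '" + alias + "'");
        }
        ClearPassword clear = credential.getPassword(ClearPassword.class);
        if (clear == null) {
            throw new CredentialStoreException("alias '" + alias + "' does not hold a clear password");
        }
        return clear.getPassword();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: path built from the permanent-configuration.dir system property
        // shown in the thread, store password from an environment variable, demo alias.
        String location = System.getProperty("permanent-configuration.dir") + "/credential-store.jceks";
        char[] storePassword = System.getenv("CS_PASSWORD").toCharArray();

        CredentialStoreReader reader = new CredentialStoreReader(location, storePassword);
        Arrays.fill(storePassword, '\0');

        char[] secret = reader.password("keystore-password");
        try {
            // Use the secret here, e.g. to open the application keystore.
            System.out.println("retrieved " + secret.length + " characters for alias keystore-password");
        } finally {
            Arrays.fill(secret, '\0'); // scrub this copy once it has been used
        }
    }
}
```

Reading the store directly from business code means your code, not the server, holds the store password, so the masking problem moves rather than disappears; where the consumer is a server resource that accepts a `credential-reference`, let the Elytron subsystem resolve the alias instead and keep the store password out of the application entirely.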