Jboss Password Encryption


Minette Mccandrew

Aug 5, 2024, 12:50:27 PM
to atamtomo
Database connections for the JBoss AS are defined in *-ds.xml data source files. These database connection details include clear text passwords. You can increase the security of your server by replacing clear text passwords in datasource files with encrypted passwords.

The class org.jboss.resource.security.SecureIdentityLoginModule can be used to both encrypt database passwords and to provide a decrypted version of the password when the data source configuration is required by the server. The SecureIdentityLoginModule uses a hard-coded password to encrypt/decrypt the data source password.


Each JBoss Application Server server profile has a conf/login-config.xml file, where application authentication policies are defined for that profile. To create an application authentication policy for your encrypted password, add a new element to the element.


The org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule is a login module for statically defining a data source using a password that has been encrypted by a JaasSecurityDomain. The base64 format of the data source password may be generated using the PBEUtils command:


Besides the VAULT, does JBOSS provide any other way to secure the ssl keystore password? I am looking for a way to use the custom security domain to do the password encryption for securing ssl keystore password, just like the way JBOSS provides for securing datasource password.


Thanks for response. I knew we could use VAULT to secure the ssl keystore password. But my question was besides VAULT, does Jboss provide other way such as using JAAS custom login module as a security domain to encrypt the keystore password? In this way, I could encrypt the keystore password by using my own crypto library.


Building a system where users can self register. Thought it would be nice to encrypt their passwords. Can use Sun's JCE to handle the encryption. But how to make this work with j_security_check? Is this finally a reason to drop j_security_check and do everything in JAAS?



Has anyone tried to do this? Any feedback would be appreciated - it seems like a common task.



Thanks all!

RB


Turns out that this is indeed trivial and can all be done in JavaScript. Basically I just had a "j_password_raw" field where the user entered text and before calling j_security_check, I encrypted the password with a one-way hash and put the result in the "real" j_password field. No need for JCE or even anything on the server.



Of course, this isn't really secure since I am not using SSL, but it does solve the problem of having passwords in cleartext in the database.



Enjoy,

RB


Hi Richard,





Why do that hashing in the navigator when you can do it with Java on the server?

You still need a ssl protection, so for simplicity, the only field you need in your form is the password.

I've done it and save the digest in a user table for further authentication (in a very simple application).

It works fine.



Noel




Then there's no security at all! If someone listens to the connection and gets the parameters, he could use the already encrypted password to replay the login. The TCP connection itself isn't encrypted (as using SSL), and the password is still in plain text (although hashed by MD5).



There must be a way to make the connection through SSL...


The previous was about the MD5 at the client. About hashing the password in the server, it protects the password from the database administrator, because he won't see it in plain text, but won't prevent anyone that captures the connection from reading the password in plain text.



Again, we need SSL, although I don't know how exactly to do it... Maybe with the parameter CONFIDENTIAL at the descriptor?


Ronald: You are absolutely correct. This does nothing to prevent snoopers. It only provides security from someone browsing through the database - they won't be able to see the passwords there.



For over the wire security, SSL is needed and I think that CONFIDENTIAL is the way to go, but since I haven't configured SSL, I can't be absolutely sure.



My system is a "fun system" but I wanted to be able to tell users that I wouldn't be able to read the passwords that they entered - not that this was a secure system.



Enjoy,

RB






I've been trying to encrypt my database password using the SecureIdentityLoginModule and I can't seem to get it to work. Was wondering if anyone could point me in the right direction if things had changed for JBoss 6.0?


I know the username and password are correct. As the connection works perfectly if I hardcode the username and password into the datasource config. My suspicion is that the login-config.xml identity and oracle-ds config aren't being linked up properly. Is there anything else I need to do to enable this security functionality? When I register the datasource, the console spits out:


I've tried setting service=DataSourceBinding in my login-config managedConnectionFactoryName but that doesn't solve the error. Any help would be greatly appreciated. Let me know if you'd like me to post any more detailed information. Thanks!


So last night I tried the same configuration files (oracle-ds.xml and login-config.xml) against JBoss 4 and JBoss 5 and they worked fine. Is this a bug against JBoss 6? Or is there a different way to do this now?


I have the same issue - using jboss-6.0.0.20100216-M2. I have been researching this bug for the last two days trying to find anything in any forum about this type of problem. I have tried with both MySQL and PostgreSQL as dbs. In both cases, when I provide the username and password and no security domain, there is no issue. As soon as I provide a security domain, I get the following stack traces, depending on the action undertaken.


2) If I do not deploy anything but bring up the JBOSS AS admin console, and try to complete a test connection under Local Tx Datasources, I get the following type of error - this is for the MySQL datasource.


I did a quick check on this. And indeed in 6.0.0.M2 when the admin-console is used to "Test Connection" I see this WARN message being printed on the server console. However, the "Test Connection" result shows as successful. So I decided to keep out admin-console from the equation and tried a simple server side java code to test the getConnection:


Worked fine, with the datasource configured for encrypted password. So looks like it's the way the admin-console implements the "Test Connection" that might be the cause of the WARN messages. I haven't looked at the admin-console code yet, so can't say whether it's a bug in admin-console.


I just realized that the post I sent did not draw out the html properly for the Selected Operation History Item pane. For another person reading this thread, this may be confusing. In this pane, the results showed that


Yes, it is very confusing the first time as it took a number of times to look at it to actually see it :-) ... I kept trying to figure why it said I had success but it wasn't working ... then I realized it wasn't working as the result indicated that a connection was not obtained.


You seem to be using a keystore based login module JaasSecurityDomainIdentityLoginModule. When I try a similar application as the one you posted with a simple encryption based SecureIdentityLoginModule, it works fine. I haven't tried it with the keystore based one and am not sure whether there are any changes/bugs in there.


Thank you all for the replies. I used SecureIdentityLoginModule against an Oracle database. It looks like me and Tim are seeing the exact same issue in that the user ID and password are not matched up with the datasource definition. They're supposed to get linked up through the tag, but I think that is the part of the functionality that is failing.


Access denied for user ' '@'localhost' (using password: NO)) against mySQL. And I get invalid username/password; logon denied against Oracle. Both errors indicate to me that a blank username/password combo is probably being sent to the database. There are two likely spots for the error. Either the login-config.xml isn't being properly loaded at start-up, or the tag isn't functioning correctly to match up to the login-config. Is there an easy way to verify those two things?


Like Robert, if you can point us in a direction to get a debug trace of the load of the login-config.xml that would be great. I believe this is where the problem lies because when I have the username/password in the *-ds.xml file, there is no issue.


Progress ... I can now get SecureIdentityLoginModule configuration working ... will come back to this in another post to show values ... but the logging TRACE changes have produced valuable feedback ...


Within WildFly, in addition to specifying a clear text password to unlock the credential store, an administrator can configure the server to run an external command to obtain the password, or the administrator can MASK the password. The issue with the masked password support, however, is that it uses password-based encryption with a well-known password publicly available in open source projects.


The encrypted expression support added to WildFly solves both of these problems. Firstly by adding support for loading SecretKey instances from the credential store including a new clear store. Secondly by adding support for values contained in the model to be encrypted and dynamically decrypted using the stored keys.


The first part of this blog post will illustrate the commands to get started with encrypted expressions using an automatically generated SecretKey. The second part of this post will illustrate how an encrypted expression can be used to protect a second credential store which in turn will have a SecretKey added and enabled for use with expression encryption.
