Jboss Vault Step by Step Guide


Hello everyone! Today we are going to discuss the JBoss vault. Before going straight to the practical steps, let's first understand what a vault is.

Let's begin.

What is Jboss Vault?

The JBoss vault is a Red Hat encryption mechanism that lets you replace plaintext passwords with encrypted values. The vault stores the passwords in an AES-256 encrypted keystore and refers to them from standalone.xml. In practice it is used to encrypt the plaintext datasource credentials with AES-256 for security purposes.

Prepare the Jboss JVM

You must have the JCE unlimited strength cryptographic extensions configured in the JVM before proceeding, or the vault will not work.

Where to put Jboss vault?

The vault is enabled by adding the appropriate vault block to standalone.xml, between the extensions block and the management block.

What data is required to put in standalone.xml?

The following must be put in standalone.xml:

  1. Vault block
  2. Connection URL
  3. Username (schema name)
  4. Password (schema password)
  5. JNDI name

What is the format of an encrypted value?

${VAULT::jndiName::attributeName::1}

Example:

${VAULT::quote::connection-url::1}

${VAULT::quote::password::1}

${VAULT::quote::username::1}

Here quote is the JNDI name. These references are pasted into the corresponding fields, i.e. connection URL, username and password.

Now, let's begin with the password vault step-by-step guide.

Step 1: Go to the JBoss vault directory.

Path: /apps/vaultmgr/vaults

The path may vary depending on your installation.

Step 2: Create a folder named after your server and copy the vault content into it.

The folder should contain the default files, which include add-entry, make-vault, remove-entry, verify-entry and keystore-data.sh.

Step 3: Open keystore-data.sh and add the parameters below. In the example below I created the folder as as0066.

You can generate the encryption password with any password generator.

KEYSTORE_URL=/apps/vaultmgr/vaults/as0066/vault/as0066.vault
KEYSTORE_PASSWORD=9wTNNOnuIJ333f6NQhjdvFtNGt6CE7DKUxpq
KEYSTORE_ALIAS=as0066
SALT=sA90r59y
ENC_FILE_DIR=/apps/vaultmgr/vaults/as0066/vault/
ITERATION_COUNT=256

KEYSTORE_URL – set this to the folder and file name of the keystore you are creating.

KEYSTORE_PASSWORD – set this to a very strong password, following these rules:

No spaces are allowed.

No $, ', ", {}, [] or \ characters, as they can interfere with the script processing and produce an unintended result.

Use 36 characters.

KEYSTORE_ALIAS – set this to the same as the file name without the extension.

SALT – choose 8 random characters (it MUST be exactly 8); do not use special characters or spaces.

ENC_FILE_DIR – this is the location the vault will be created in. It must end with a slash.
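
As an added example (not one of the vault scripts shipped in the folder), the following sh function checks a keystore-data.sh against the rules above before make-vault is run; it reads the KEY=VALUE lines instead of sourcing the file, and the demo at the end uses the Step 3 values from this post.

```shell
#!/bin/sh
# Added example, not one of the vault scripts: check a keystore-data.sh
# against the rules above before running make-vault.
# check_vault_params FILE -> prints one line per broken rule; returns 0 when
# the file passes and 1 otherwise.
check_vault_params() {
  KEYSTORE_URL=; KEYSTORE_PASSWORD=; KEYSTORE_ALIAS=; SALT=; ENC_FILE_DIR=
  # read the KEY=VALUE lines without executing the file
  while IFS= read -r line; do
    case "$line" in
      KEYSTORE_URL=*)      KEYSTORE_URL=${line#*=} ;;
      KEYSTORE_PASSWORD=*) KEYSTORE_PASSWORD=${line#*=} ;;
      KEYSTORE_ALIAS=*)    KEYSTORE_ALIAS=${line#*=} ;;
      SALT=*)              SALT=${line#*=} ;;
      ENC_FILE_DIR=*)      ENC_FILE_DIR=${line#*=} ;;
    esac
  done < "$1"
  rc=0
  # password: 36 characters, no spaces and none of $ ' " { } [ ] \
  forbidden="[] \$'\"{}[\\\\]"            # ] first so grep treats it literally
  printf '%s' "$KEYSTORE_PASSWORD" | grep -q "$forbidden" &&
    { echo "KEYSTORE_PASSWORD: contains a space or a forbidden character"; rc=1; }
  [ "${#KEYSTORE_PASSWORD}" -eq 36 ] ||
    { echo "KEYSTORE_PASSWORD: ${#KEYSTORE_PASSWORD} characters, expected 36"; rc=1; }
  # salt: exactly 8 characters, letters and digits only
  case "$SALT" in
    *[!A-Za-z0-9]*) echo "SALT: letters and digits only, no spaces"; rc=1 ;;
    ????????) ;;
    *) echo "SALT: must be exactly 8 characters"; rc=1 ;;
  esac
  # alias must equal the keystore file name without its extension
  base=${KEYSTORE_URL##*/}; base=${base%.*}
  [ "$KEYSTORE_ALIAS" = "$base" ] ||
    { echo "KEYSTORE_ALIAS: '$KEYSTORE_ALIAS' does not match '$base'"; rc=1; }
  # the vault directory must end with a slash
  case "$ENC_FILE_DIR" in
    */) ;;
    *) echo "ENC_FILE_DIR: must end with a slash"; rc=1 ;;
  esac
  return $rc
}

# Demo with the Step 3 values from this post, written to a temporary file
f=$(mktemp)
printf '%s\n' 'KEYSTORE_URL=/apps/vaultmgr/vaults/as0066/vault/as0066.vault' \
  'KEYSTORE_PASSWORD=9wTNNOnuIJ333f6NQhjdvFtNGt6CE7DKUxpq' 'KEYSTORE_ALIAS=as0066' \
  'SALT=sA90r59y' 'ENC_FILE_DIR=/apps/vaultmgr/vaults/as0066/vault/' 'ITERATION_COUNT=256' > "$f"
check_vault_params "$f" && echo "keystore-data.sh passes the checks"
rm -f "$f"
```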

Step 4: Now run the command below.

Command: ./make-vault

This command creates the vault file using your folder name. As I created the folder as0066, the file as0066.vault will be created in /apps/vaultmgr/vaults/as0066/vault.

Step 5: Now add the connection-url, username and password entries to the password vault.

Location: /apps/vaultmgr/vaults/as0066

./add-entry '<JNDI NAME>' connection-url '<connection-url from your standalone.xml>'

./add-entry '<JNDI NAME>' username '<username from your standalone.xml>'

./add-entry '<JNDI NAME>' password '<password from your standalone.xml>'

For example:

JNDI name – xysDS

Connection URL – jdbc:oracle:thin:@xyz.technicalstuff.in:1521:technicalstuff

Username – abcd

Password – [email protected]

./add-entry xysDS username abcd

./add-entry xysDS password [email protected]

./add-entry xysDS connection-url jdbc:oracle:thin:@xyz.technicalstuff.in:1521:technicalstuff

Using the above commands, we get the output below.

VAULT::xysDS::connection-url::1

VAULT::xysDS::username::1

VAULT::xysDS::password::1

One more file is now created, VAULT.dat, in /apps/vaultmgr/vaults/as0066/vault.

Step 7: Now copy the folder as0066 to /app/jboss.

Note: you can copy it to any location of your choice.

Step 8: Now replace the username, connection-url and password with the newly generated output, add the vault block between the management and extensions blocks, and change the paths as required.
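
After this step a practitioner wants to be sure that no plaintext credential survived in standalone.xml and that every reference has the ${VAULT::block::attribute::key} shape that add-entry produced in Step 5. The check below is an added example, not part of this post or of JBoss; it assumes the EAP datasource element names <connection-url>, <user-name> and <password>, and the datasource XML it runs on is constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the original post: after Step 8, check that no
# plaintext datasource credential is left in standalone.xml and that every
# reference has the ${VAULT::block::attribute::key} shape produced in Step 5.
# Assumes the EAP datasource element names <connection-url>, <user-name>, <password>.

# check_vault_refs FILE -> prints each element whose text is not a vault
# reference; returns 0 when all three are vaulted, 1 otherwise.
check_vault_refs() {
  file="$1"; rc=0
  for el in connection-url user-name password; do
    # text content of every <el>...</el> element, one per line
    vals=$(sed -n "s|.*<$el>\([^<]*\)</$el>.*|\1|p" "$file")
    # keep only the lines that are NOT well-formed ${VAULT::a::b::N} references
    plain=$(printf '%s\n' "$vals" | grep -v '^\${VAULT::[^:][^:]*::[^:][^:]*::[0-9][0-9]*}$' || true)
    if [ -n "$plain" ]; then
      printf '%s is not vaulted: %s\n' "$el" "$plain"; rc=1
    fi
  done
  return $rc
}

# sample_datasource PWTEXT -> constructed datasource block (not a real
# standalone.xml) with Step 5's references and PWTEXT as the password text.
sample_datasource() {
  cat <<EOF
<datasource jndi-name="java:/xysDS" pool-name="xysDS">
  <connection-url>\${VAULT::xysDS::connection-url::1}</connection-url>
  <security>
    <user-name>\${VAULT::xysDS::username::1}</user-name>
    <password>$1</password>
  </security>
</datasource>
EOF
}

f=$(mktemp)
sample_datasource '${VAULT::xysDS::password::1}' > "$f"
check_vault_refs "$f" && echo "all credentials vaulted"
sample_datasource 'plaintext-left-behind' > "$f"   # constructed mistake
check_vault_refs "$f" || echo "fix before restarting"
rm -f "$f"
```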

 

Step 9: Now restart the service and check whether the datasource is running.

Command: ./jdbctest <jboss-binding-mgmt-ip> <JNDI-name>

For example: ./jdbctest 127.0.0.1 xysDS

If you see success, the vault has been created successfully. If you get any error, you can comment below. In the next blog I will talk briefly about troubleshooting steps and issues with the password vault.

Video - https://www.youtube.com/watch?v=5vZk6IIyW2c&t=35s

Do let me know how you found the blog. Was it helpful to you? If you liked it, subscribe to get notified!

Thank you!
Happy learning!

If you have doubts or queries, you can comment or mail us at [email protected]

If you have any recommendation for a future blog, you can email us at [email protected]

Follow Us on :

www.facebook.com/stufftechnical

www.instagram.com/technicalstuff.in

 
