step-by-step: Encrypt Data Source Passwords in JBoss EAP6

It’s always a risk if you are storing plain-text passwords on the file system. Good system administration practice is to make sure that passwords are always stored in encrypted form. By default, JBoss EAP6 data source passwords are stored in plaintext inside standalone.xml/domain.xml. JBoss EAP6 uses the PicketBox security implementation for encrypting data source passwords.

In this post we will see the step-by-step process to encrypt data source passwords in JBoss EAP6.

STEP1: Download the required packages.

Download JBoss EAP6.4
Download the MySQL connector jar
Download JDK-1.8

I have extracted all the packages under /opt/.

Once the installation is done, let’s move on to configuring data sources.

STEP2: Installing MySQL Driver & configuring Data Source

To install the MySQL driver, follow the steps below.

cd /opt/
mkdir -p /opt/jboss-eap-6.4/modules/com/mysql/main/
cp -rp mysql-connector-java-5.1.13-bin.jar /opt/jboss-eap-6.4/modules/com/mysql/main/

Define module.xml inside /opt/jboss-eap-6.4/modules/com/mysql/main/ with the following content:

vi /opt/jboss-eap-6.4/modules/com/mysql/main/module.xml


<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.0" name="com.mysql">
  <resources>
    <resource-root path="mysql-connector-java-5.1.13-bin.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
  </dependencies>
</module>

STEP3: Generate Encrypted Password using PicketBox & Configure Data Source.
Now we need to generate the encrypted password using the PicketBox class. In this step we supply the DB user password that is used to connect to the database. In my case, the DB password is “SecretPass”.

Now execute the following commands:

export JBOSS_HOME=/opt/jboss-eap-6.4
export CLASSPATH=${JBOSS_HOME}/modules/system/layers/base/org/picketbox/main/picketbox-4.1.1.Final-redhat-1.jar:${JBOSS_HOME}/modules/system/layers/base/org/jboss/logging/main/jboss-logging-3.1.4.GA-redhat-2.jar:$CLASSPATH
java org.picketbox.datasource.security.SecureIdentityLoginModule SecretPass
Encoded password: 13e0362237c93a9cda89f5b3da271521

Now we can configure the MySQL data source in standalone.xml as shown below:

<datasource jndi-name="java:/testDB" pool-name="MySqlDS_Pool" enabled="true" jta="false" use-ccm="false">
  <connection-url>jdbc:mysql://localhost:3306/testDB</connection-url>
  <driver-class>com.mysql.jdbc.Driver</driver-class>
  <driver>mysql</driver>
  <security>
    <security-domain>encrypted-ds</security-domain>
  </security>
</datasource>
<drivers>
  <driver name="mysql" module="com.mysql"/>
  <driver name="h2" module="com.h2database.h2">
    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
  </driver>
</drivers>

The next step is to locate the subsystem “urn:jboss:domain:security:1.2” and add the following security-domain inside it:

<security-domain name="encrypted-ds" cache-type="default">
  <authentication>
    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username" value="dbUserOne"/>
      <module-option name="password" value="13e0362237c93a9cda89f5b3da271521"/>
      <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
    </login-module>
  </authentication>
</security-domain>

Once all the above steps are completed, start JBoss EAP6 using the standalone.sh script located inside /opt/jboss-eap-6.4/bin/ and monitor the log.

cd /opt/jboss-eap-6.4/bin/
./standalone.sh

If your configuration is correct, you should see the following line in the JBoss log, which indicates that the MySQL data source was registered without any issues:

02:55:21,486 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) JBAS010400: Bound data source [java:/testDB]
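As an added check that is not part of the original post, the following Python script parses a standalone.xml and reports every datasource that still carries a plaintext <password>, references a security-domain that is not defined, or references one that is not backed by SecureIdentityLoginModule. It assumes the EAP 6.4 datasources subsystem namespace urn:jboss:domain:datasources:1.2 and runs against a constructed sample config embedded in the script:

```python
# Added audit (not from the original post): parse standalone.xml and flag
# datasources that still carry a plaintext <password>, or whose
# security-domain is missing or not backed by SecureIdentityLoginModule.
import xml.etree.ElementTree as ET

DS_NS = "{urn:jboss:domain:datasources:1.2}"  # assumed EAP 6.4 namespace
SEC_NS = "{urn:jboss:domain:security:1.2}"    # namespace named in the post
SECURE_MODULE = "org.picketbox.datasource.security.SecureIdentityLoginModule"

def audit_datasources(xml_text):
    """Return (pool-name, finding) pairs; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    # security-domain name -> set of login-module codes it configures
    domains = {d.get("name"): {lm.get("code") for lm in d.iter(SEC_NS + "login-module")}
               for d in root.iter(SEC_NS + "security-domain")}
    findings = []
    for ds in root.iter(DS_NS + "datasource"):
        name, sec = ds.get("pool-name"), ds.find(DS_NS + "security")
        if sec is None:
            findings.append((name, "no <security> element"))
            continue
        if sec.find(DS_NS + "password") is not None:
            findings.append((name, "plaintext <password> present"))
        dom_el = sec.find(DS_NS + "security-domain")
        if dom_el is None:
            continue
        dom = (dom_el.text or "").strip()  # the post's XML pads this with whitespace
        if dom not in domains:
            findings.append((name, f"security-domain '{dom}' is not defined"))
        elif SECURE_MODULE not in domains[dom]:
            findings.append((name, f"security-domain '{dom}' lacks SecureIdentityLoginModule"))
    return findings

# Constructed sample: one datasource left in plaintext, one using encrypted-ds.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.7"><profile>
<subsystem xmlns="urn:jboss:domain:datasources:1.2"><datasources>
 <datasource jndi-name="java:/legacyDB" pool-name="LegacyDS_Pool"><security>
  <user-name>dbUserOne</user-name><password>SecretPass</password></security></datasource>
 <datasource jndi-name="java:/testDB" pool-name="MySqlDS_Pool"><security>
  <security-domain> encrypted-ds </security-domain></security></datasource>
</datasources></subsystem>
<subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
 <security-domain name="encrypted-ds" cache-type="default"><authentication>
  <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required"/>
 </authentication></security-domain>
</security-domains></subsystem></profile></server>"""

if __name__ == "__main__":
    for pool, finding in audit_datasources(SAMPLE_XML):
        print(f"{pool}: {finding}")
```

Run it against a real server's standalone.xml by replacing SAMPLE_XML with the file's contents; an empty result means every datasource goes through a PicketBox-backed security domain.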


Author: Ahmed I

I am a Linux System Admin
