In my previous post on JBoss password encryption I showed how to encrypt passwords for services that make use of the JBoss Microcontainer. These services are configured in files ending with the suffix *-jboss-beans.xml. As stated in that post, JBoss has a tendency towards inconsistency in its configuration files and service setup, due to its migration away from the JMX kernel to the Microcontainer and its historical use of custom XML files for some setups, such as data sources. All of these differences mean that password encryption or masking is not a one-workflow-fits-all situation. This post deals with JBoss 6; I have not started to look at JBoss 7 yet and will wait until it comes out of beta.
JBoss Data Source Password Masking
Encrypting a datasource password, rather than leaving it in plain text in your *-ds.xml file, requires two steps:
- Create a JBoss security domain that can use hashed passwords,
- Configure the datasource to use the security domain created above instead of hard-coding the username and password parameters in the datasource.
1 Create a security domain
This involves two steps:
- Encrypting the password,
- Editing the login-config.xml to add the new security domain
1.1 Encrypting the password
As a first step you need to generate the encrypted password. JBoss provides a class to do this for you; the encrypted password can be obtained by running:
java -cp `./bin/classpath.sh --server` org.jboss.resource.security.SecureIdentityLoginModule mytopsecretpassword
1.2 Editing the login-config.xml
The easiest way to create a new security domain is to edit the <jboss-home>/server/<config>/conf/login-config.xml file. (It would be better if this were called security-domains.xml.) When creating a new security domain, which is wrapped in an <application-policy> tag (so many names for the same thing :( ), you need to select the most appropriate login module implementation for your domain. In this case we need to use the SecureIdentityLoginModule. The XML snippet below explains it a lot better:
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
So you place the database username and encrypted password in the security domain "SecurePassword" using the SecureIdentityLoginModule. Save the file and you are all done with creating the security domain. Make sure the file has the correct OS permissions, as you don't want everyone to be able to read the file and gain access to the username and hashed password.
2 Configure the datasource to use the new security domain
Now remove the username and password that usually appear in the *-ds.xml file and add a reference to the new security domain in their place. See below for a MySQL example:
<!-- REPLACED WITH security-domain BELOW
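Putting steps 1.2 and 2 together, here is an added example (not the post's own configuration) of a complete application-policy and the matching MySQL *-ds.xml. The datasource name MySqlDS, the user name dbuser, the connection URL and the pool sizes are assumptions, and the password value is a placeholder for the hex string printed by the java command in step 1.1.

```xml
<!-- Step 1.2: new application-policy, added inside the <policy> element of
     <jboss-home>/server/<config>/conf/login-config.xml -->
<application-policy name="SecurePassword">
  <authentication>
    <login-module code="org.jboss.resource.security.SecureIdentityLoginModule"
                  flag="required">
      <!-- database user (assumed name) -->
      <module-option name="username">dbuser</module-option>
      <!-- paste the output of step 1.1 here, never the clear-text password -->
      <module-option name="password">ENCRYPTED_PASSWORD_FROM_STEP_1_1</module-option>
      <!-- ties the domain to one datasource; the name must match the
           jndi-name below, and local-tx datasources use LocalTxCM -->
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MySqlDS</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- Step 2: mysql-ds.xml in <jboss-home>/server/<config>/deploy/ -->
<datasources>
  <local-tx-datasource>
    <jndi-name>MySqlDS</jndi-name>
    <connection-url>jdbc:mysql://localhost:3306/mydb</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <!-- plain-text credentials removed:
         <user-name>dbuser</user-name>
         <password>mytopsecretpassword</password> -->
    <security-domain>SecurePassword</security-domain>
    <min-pool-size>5</min-pool-size>
    <max-pool-size>20</max-pool-size>
  </local-tx-datasource>
</datasources>
```

Because login-config.xml now holds the credentials for every datasource that references it, the file permission advice from step 1.2 applies to it rather than to the individual *-ds.xml files.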