automate vault creation

How to automate the creation of a password vault on JBoss EAP 6.4.14?

The idea is to create a script that defines a standalone JBoss instance. Multiple standalone instances will be supported, sharing a common JBoss EAP installation. The script will define a ready-to-use instance, that is, one with a:

vault
ldap connection (using ssl/tls) for admin users
keystore
truststore

With EAP 6.4.14 I noticed that a vault will only be created by setting an attribute/sec_attribute pair. The output is an XML string. It would be much more convenient to have the output as a CLI command. Does anyone already have some scripts for this and is willing to share them?

Responses

Hi Paul,

Changing the output to a CLI command is on the radar for the JBoss EAP 7.x stream: https://issues.jboss.org/browse/JBEAP-5220

You could use a script to programmatically convert the XML to a CLI command. The CLI command you would want is:

/core-service=vault:add( \
vault-options=[ \
("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), \
("KEYSTORE_PASSWORD" => "MASKED_PASSWORD"), \
("KEYSTORE_ALIAS" => "ALIAS"), \
("SALT" => "SALT"), \
("ITERATION_COUNT" => "ITERATION_COUNT"), \
("ENC_FILE_DIR" => "ENC_FILE_DIR")])

See the JBoss EAP 'How To Configure Server Security' guide for more info on the CLI command to configure JBoss EAP to use the vault: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/how_to_configure_server_security/#three_configure_red_hat_jboss_enterprise_application_platform_6_to_use_the_password_vault
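A generic converter for that XML fragment, added here as an example (it is not Red Hat's code and not from the original thread). It assumes the six vault-option lines that vault.sh prints and runs on a constructed sample; the paths and the MASK- value are placeholders, not output of a real run:

```shell
#!/bin/sh
# Convert the XML fragment printed by vault.sh into the equivalent
# /core-service=vault:add CLI command. Reads the XML on stdin, writes the
# command on stdout, and fails if any of the six options is missing or the
# salt is not the 8 characters the vault requires.
vault_xml_to_cli() {
  awk -F'"' '
    # <vault-option name="X" value="Y"/> splits on quotes into $2=X, $4=Y
    /<vault-option name=/ { opt[$2] = $4 }
    END {
      n = split("KEYSTORE_URL KEYSTORE_PASSWORD KEYSTORE_ALIAS SALT ITERATION_COUNT ENC_FILE_DIR", keys, " ")
      for (i = 1; i <= n; i++)
        if (!(keys[i] in opt)) {
          print "missing vault option: " keys[i] > "/dev/stderr"; exit 1
        }
      if (length(opt["SALT"]) != 8) {
        print "SALT must be exactly 8 characters" > "/dev/stderr"; exit 1
      }
      cmd = "/core-service=vault:add(vault-options=["
      sep = ""
      for (i = 1; i <= n; i++) {
        cmd = cmd sep "(\"" keys[i] "\" => \"" opt[keys[i]] "\")"
        sep = ", "
      }
      print cmd "])"
    }'
}

# Constructed sample of the <vault> block vault.sh prints after storing a
# sec-attr; every value here is a placeholder.
SAMPLE_VAULT_XML='<vault>
  <vault-option name="KEYSTORE_URL" value="/opt/instance/security/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-5dOaAVafCSd"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="12345678"/>
  <vault-option name="ITERATION_COUNT" value="19"/>
  <vault-option name="ENC_FILE_DIR" value="/opt/instance/security/"/>
</vault>'

# Demo: in a real run, pipe the output of vault.sh instead of the sample.
printf '%s\n' "$SAMPLE_VAULT_XML" | vault_xml_to_cli
```

Treat the generated .cli file and the resulting standalone.xml as sensitive: the MASK- value is reversible obfuscation of the keystore password derived from the SALT and ITERATION_COUNT stored right next to it, not encryption under a secret, so anyone who can read the configuration can recover the keystore password. Also note that passing the secret via vault.sh -x puts it on the command line, where it is visible in the process list while vault.sh runs.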

I did spend some time on this and wrote a small, ugly script that does it. For those interested:

#!/bin/bash
set -eo pipefail
# Secrets to store in the vault (identity keystore and truststore passwords).
idpasswd=Jsecret
trustpasswd=Jsecret
# Password of the vault keystore itself; it was referenced but never set.
keypass=Jsecret
vaultdir=/path_to_instance/security
vaultxml=$vaultdir/xml_$$.tmp
vaultcli=$vaultdir/xml_$$.cli
# The vault requires an 8-character salt; %d%H%M%S is exactly 8 digits.
salt=$(date +%d%H%M%S)

# vault.sh only creates the vault while storing an attribute/sec-attr pair, so
# the first call stores the identity password (output discarded) and the second
# stores the truststore password and turns the printed
# <vault-option name="..." value="..."/> lines into NAME="VALUE" assignments.
# Note: -x puts the secret on the command line, visible in ps while it runs.
"$JBOSS_HOME/bin/vault.sh" -e "$vaultdir/" -k "$vaultdir/vault.keystore" -p "$keypass" -v vault -s "$salt" -i 19 -b jks -a identity -x "$idpasswd" >/dev/null
"$JBOSS_HOME/bin/vault.sh" -e "$vaultdir/" -k "$vaultdir/vault.keystore" -p "$keypass" -v vault -s "$salt" -i 19 -b jks -a truststore -x "$trustpasswd" \
  | awk -F'"' '/vault-option name=/ {print $2 "=\"" $4 "\""}' > "$vaultxml"

# Source the assignments: KEYSTORE_URL, KEYSTORE_PASSWORD, KEYSTORE_ALIAS,
# SALT, ITERATION_COUNT and ENC_FILE_DIR are now shell variables.
. "$vaultxml"

# Build the CLI batch: drop an existing vault definition, add the new one, reload.
# The masked KEYSTORE_PASSWORD is recoverable from SALT and ITERATION_COUNT, so
# this file and standalone.xml must be protected like the keystore password.
cat > "$vaultcli" <<EOF
if (outcome == success) of /core-service=vault:read-resource
    /core-service=vault:remove
end-if
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "$KEYSTORE_URL"), ("KEYSTORE_PASSWORD" => "$KEYSTORE_PASSWORD"), ("KEYSTORE_ALIAS" => "$KEYSTORE_ALIAS"), ("SALT" => "$SALT"), ("ITERATION_COUNT" => "$ITERATION_COUNT"), ("ENC_FILE_DIR" => "$ENC_FILE_DIR")])
reload
EOF

# cli-$INSTANCE.sh is the per-instance wrapper around jboss-cli.sh for this setup.
"$SCRIPTDIR/cli-$INSTANCE.sh" "$vaultcli"
rm -f "$vaultxml" "$vaultcli"