7.9. Use an Encrypted Sensitive String in Configuration
Any sensitive string which has been encrypted can be used in a configuration file or Management CLI command in its masked form, provided expressions are allowed.
To confirm if expressions are allowed within a particular subsystem, run the following Management CLI command against that subsystem.
Note: Add the prefix /host=HOST_NAME to the command for a managed domain.
/core-service=SUBSYSTEM:read-resource-description(recursive=true)
Example 7.8. List the Description of all Resources in the Management Subsystem
/core-service=management:read-resource-description(recursive=true)
From the output of running this command, look for the value of the expressions-allowed parameter. If this is true, then you can use expressions within the configuration of this subsystem.
Use the following syntax to replace any plaintext string with the masked form.
${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::MASKED_STRING}
Example 7.9. Datasource Definition Using a Password in Masked Form
In this example the vault block is ds_ExampleDS and the attribute is password.
...
<subsystem xmlns="urn:jboss:domain:datasources:1.0">
  <datasources>
    <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
      <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
      <driver>h2</driver>
      <pool></pool>
      <security>
        <user-name>sa</user-name>
        <password>${VAULT::ds_ExampleDS::password::1}</password>
      </security>
    </datasource>
    <drivers>
      <driver name="h2" module="com.h2database.h2">
        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
      </driver>
    </drivers>
  </datasources>
</subsystem>
...
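An audit of datasource definitions against the masked-string syntax above, as an added example that is not part of the Red Hat documentation. The function names, the set of audited element names, and the LegacyDS and BrokenDS entries in the sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SENSITIVE_TAGS = {"password"}  # assumption: element names audited as secrets

def classify(value):
    """Classify one element value against the page's masked-string syntax."""
    value = value.strip()
    if not value:
        return "empty", None
    if value.startswith("${VAULT::") and value.endswith("}"):
        parts = value[2:-1].split("::")
        # Expect exactly VAULT, VAULT_BLOCK, ATTRIBUTE_NAME, MASKED_STRING
        if len(parts) == 4 and all(parts):
            return "masked", (parts[1], parts[2])
        return "malformed", None
    if value.startswith("${") and value.endswith("}"):
        return "other-expression", None  # some non-vault expression
    return "plaintext", None  # the value itself is never returned or logged

def audit(xml_text):
    """Return (pool-name, status, (vault_block, attribute) or None) per secret."""
    findings = []
    for ds in ET.fromstring(xml_text).iter():
        if ds.tag.rsplit("}", 1)[-1] != "datasource":  # strip XML namespace
            continue
        for elem in ds.iter():
            if elem.tag.rsplit("}", 1)[-1] in SENSITIVE_TAGS:
                status, ref = classify(elem.text or "")
                findings.append((ds.get("pool-name"), status, ref))
    return findings

# Constructed sample: the first datasource is the page's example, the rest are invented.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:datasources:1.0"><datasources>
  <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="H2DS">
    <security><user-name>sa</user-name>
      <password>${VAULT::ds_ExampleDS::password::1}</password></security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/LegacyDS" pool-name="LegacyDS">
    <security><user-name>sa</user-name><password>changeme</password></security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/BrokenDS" pool-name="BrokenDS">
    <security><user-name>sa</user-name>
      <password>${VAULT::ds_BrokenDS::password}</password></security>
  </datasource>
</datasources></subsystem>"""

if __name__ == "__main__":
    for pool, status, ref in audit(SAMPLE):
        print(f"{pool}: {status} {ref or ''}")
```

Any result other than masked marks a datasource whose password is not stored as a well-formed vault reference and should be reviewed.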