16.2. Generate a key store and a masked password

Password masking uses a public/private key pair to encrypt passwords. You need to generate a key pair for use in password masking. By default JBoss Enterprise Application Platform 5 expects a key pair with the alias jboss in a key store at jboss-as/bin/password/password.keystore.
The following procedures follow this default configuration. If you wish to change the key store location or key alias you will need to change the default configuration, and should refer to Section 16.6, “Changing the password masking defaults” for instructions.

Procedure 16.2. Generate a key pair and key store for password masking

  1. At the command line, change directory to the jboss-as/bin/password directory.
  2. Use keytool to generate the key pair with the following command: 
    keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore password.keystore
    Important:

    You must specify the same password for the key store and key pair

  3. Optional:

    Make the resulting password.keystore readable by the JBoss Application Server process owner only.

    On Unix-based systems this is accomplished by using the chown command to change ownership to the JBoss Application Server process owner, and chmod 600 password.keystore to make the file readable only by the owner.
    This step is recommended to increase the security of your server.
    Note: the JBoss Application Server process owner should not have interactive console log in access. In that case you will be performing these operations as another user. Creating masked passwords requires read access to the key store, so you may wish to complete configuration of masked passwords before restricting the key store file permissions.
For more on key stores and the keytool command, refer to Section 15.1, “SSL Encryption overview”.