16.3. Encrypt the key store password

With password masking, the passwords that JBoss services need are not stored in clear text in XML configuration files. Instead they are stored in a file that is encrypted using a key pair that you provide.
In order to decrypt this file and recover the masked passwords at run time, JBoss Application Server needs to be able to use that key pair, and therefore needs the password of the key store that holds it. You provide the key store password to JBoss Application Server by means of the JBoss Password Tool, password_tool. This tool encrypts your key store password and stores the result in a file. The encrypted key store password is then available to the JBoss Password Tool when it masks passwords, and to the JBoss Application Server when it decrypts them at run time.

Procedure 16.3. Encrypt the key store password

  1. At the command line, change to the jboss-as/bin directory.
  2. Run the password tool, using the command ./password_tool.sh for Unix-based systems, or password_tool.bat for Windows-based systems.
    Result:

    The JBoss Password Tool will start, and will report 'Keystore is null. Please specify keystore below:'.

  3. Select '0: Encrypt Keystore Password' by pressing 0, then Enter.
    Result:

    The password tool responds with 'Enter keystore password'.

  4. Enter the password of the key store that holds the key pair.
    Result:

    The password tool responds with 'Enter Salt (String should be at least 8 characters)'.

  5. Enter a random string of at least 8 characters. This is the salt used when your key store password is encrypted; an unpredictable salt strengthens the encryption.
    Result:

    The password tool responds with 'Enter Iterator Count (integer value)'.

  6. Enter a whole number. This is the iteration count used when your key store password is encrypted; a higher count makes guessing attacks against the encrypted file slower.
    Result:

    The password tool responds with: 'Keystore Password encrypted into password/jboss_keystore_pass.dat'.

  7. Select '5:Exit' to exit.
    Result:

    The password tool exits with the message 'Keystore is null. Cannot store.'. This is expected: no key store was specified during this session, so there is nothing further for the tool to save.

  8. Optional:

    Make the resulting file password/jboss_keystore_pass.dat readable only by the user account that runs the JBoss Application Server process.

    On Unix-based systems this is done with the chown command, to change the file's owner to the JBoss Application Server process owner, followed by chmod 600 password/jboss_keystore_pass.dat, to make the file readable and writable by that owner only.
    This step is recommended to increase the security of your server. Be aware that if this encrypted key store password is compromised, the protection offered by password masking is significantly reduced, since it is the secret that unlocks the key pair used to decrypt the masked passwords. The file should be kept on a secure file system.
    Note: the JBoss Application Server process owner should not have interactive login access, so you will normally perform these operations as another user. Creating masked passwords requires read access to the key store, so you may wish to complete the configuration of masked passwords before restricting the file permissions.
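The lock-down in step 8, written out as an added shell example. This script is not part of the JBoss documentation and is not shipped with JBoss Application Server; the installation path JBOSS_HOME, the account name jboss and the script's own file name harden_keystore_pass.sh are assumptions. Besides applying chmod and chown, it provides a check function that rejects a file that is missing, readable by anyone other than its owner, or owned by the wrong account, so the same function can be rerun after installation to confirm the setting has not drifted.

```shell
#!/bin/sh
# Added example (not part of the JBoss documentation): restrict and verify
# the encrypted key store password file written by password_tool.
# Assumptions: JBOSS_HOME points at the jboss-as directory and the server
# runs as the (hypothetical) account named in JBOSS_USER.
set -eu

JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-as}"
JBOSS_USER="${JBOSS_USER:-jboss}"
PASS_FILE="$JBOSS_HOME/bin/password/jboss_keystore_pass.dat"

# Owner of a file, taken from ls -ld (works on GNU and BSD userlands alike).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Mode string of a file, e.g. "-rw-------" (an ACL marker in column 11 is dropped).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 when FILE is a regular file owned by OWNER with mode 600,
# 1 otherwise, printing the reason to stderr.
check_password_file() {
    file="$1"; owner="$2"
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2; return 1
    fi
    if [ "$(file_mode "$file")" != "-rw-------" ]; then
        echo "wrong mode $(file_mode "$file") on $file (want -rw-------)" >&2; return 1
    fi
    if [ "$(file_owner "$file")" != "$owner" ]; then
        echo "wrong owner $(file_owner "$file") on $file (want $owner)" >&2; return 1
    fi
    return 0
}

# Restrict FILE to OWNER. chmod runs first so the window in which another
# local user could read the file is as short as possible; chown needs root
# unless OWNER is already the current user. Ends by verifying the result.
harden_password_file() {
    file="$1"; owner="$2"
    chmod 600 "$file"
    if [ "$(file_owner "$file")" != "$owner" ]; then
        chown "$owner" "$file"
    fi
    check_password_file "$file" "$owner"
}

# Remove the file so that option 0 of password_tool can be run again, for
# example after a mistyped key store password or a replaced key store.
# Any previously masked passwords have to be regenerated afterwards.
reset_password_file() {
    rm -f "$1"
}

# Runs only when executed directly under the assumed script name, not when sourced.
if [ "${0##*/}" = "harden_keystore_pass.sh" ]; then
    harden_password_file "$PASS_FILE" "$JBOSS_USER"
fi
```

Run it as root (or as the process owner) after the key store password has been encrypted and after all masked passwords have been created, since check_password_file will report the file as correctly restricted only once no other account can read it.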
Note:

You should perform this key store password encryption procedure only once. If you make a mistake entering the key store password, or you change the key store at a later date, delete the password/jboss_keystore_pass.dat file and repeat the procedure. Be aware that if you change the key store, any masked passwords that were previously generated will no longer work and will have to be created again.