14.7.4. Configure JBoss EAP 6 to Use the Password Vault


Before you can mask passwords and other sensitive attributes in configuration files, you need to make JBoss EAP 6 aware of the password vault which stores and decrypts them. Follow this procedure to enable this functionality.

Procedure 14.7. Set Up a Password Vault

  1. Determine the correct values for the command.

    Gather the values for the following parameters. They are set by the commands used to create the keystore itself. For information on creating a keystore, refer to the following topics: Section 14.7.2, “Create a Java Keystore to Store Sensitive Strings” and Section 14.7.3, “Mask the Keystore Password and Initialize the Password Vault”.

    Parameter                     Description
    KEYSTORE_URL                  The file system path or URI of the keystore file, usually called something like vault.keystore
    KEYSTORE_PASSWORD             The password used to access the keystore. This value should be masked.
    KEYSTORE_ALIAS                The name of the keystore.
    SALT                          The salt used to encrypt and decrypt keystore values.
    ITERATION_COUNT               The number of times the encryption algorithm is run.
    ENC_FILE_DIR                  The path to the directory from which the keystore commands are run. Typically the directory containing the password vault.
    host (managed domain only)    The name of the host you are configuring

  2. Use the Management CLI to enable the password vault.

    Run one of the following commands, depending on whether you use a managed domain or standalone server configuration. Substitute the values in the command with the ones from the first step of this procedure.
    • Managed Domain

    • Standalone Server

    The following is an example of the command with hypothetical values:
    /core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/user/vault/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-3y28rCZlcKR"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "12438567"),("ITERATION_COUNT" => "50"), ("ENC_FILE_DIR" => "/home/user/vault/")])

JBoss EAP 6 is configured to decrypt masked strings using the password vault. To add strings to the vault and use them in your configuration, refer to the following topic: Section 14.7.5, “Store and Retrieve Encrypted Sensitive Strings in the Java Keystore”.
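
The two steps of the procedure as a shell helper, added here as an example and not taken from the JBoss EAP documentation: it checks the collected values against the shape of the page's sample command (a MASK- prefixed password, an 8-character salt, a numeric iteration count, a trailing slash on ENC_FILE_DIR) and prints the vault:add operation only if they pass. The function names, the validation rules, and the /host=NAME address prefix used for a managed domain are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the JBoss EAP documentation. Function names and the
# validation rules are assumptions modelled on the page's sample values.

# check_vault_options URL MASKED_PASSWORD ALIAS SALT ITERATION_COUNT ENC_FILE_DIR
# Prints one line per problem and returns non-zero if any was found.
check_vault_options() {
    rc=0
    case "$2" in
        MASK-?*) ;;
        *) echo "KEYSTORE_PASSWORD is not masked (no MASK- prefix)"; rc=1 ;;
    esac
    [ -n "$3" ] || { echo "KEYSTORE_ALIAS is empty"; rc=1; }
    [ "${#4}" -eq 8 ] || { echo "SALT must be 8 characters"; rc=1; }
    case "$5" in
        ''|*[!0-9]*) echo "ITERATION_COUNT must be digits only"; rc=1 ;;
    esac
    case "$6" in
        */) ;;
        *) echo "ENC_FILE_DIR must end with a slash"; rc=1 ;;
    esac
    # Values are embedded in double-quoted CLI strings, so reject embedded quotes.
    for v in "$@"; do
        case "$v" in *\"*) echo "value contains a double quote"; rc=1 ;; esac
    done
    return "$rc"
}

# build_vault_add URL MASKED_PASSWORD ALIAS SALT ITERATION_COUNT ENC_FILE_DIR [HOST]
# Prints the operation; with HOST it is addressed to that managed-domain host
# (the /host=NAME prefix is an assumption, the page's own command is missing).
build_vault_add() {
    check_vault_options "$1" "$2" "$3" "$4" "$5" "$6" >&2 || return 1
    prefix=""
    if [ -n "${7:-}" ]; then prefix="/host=$7"; fi
    printf '%s/core-service=vault:add(vault-options=[' "$prefix"
    printf '("KEYSTORE_URL" => "%s"), ("KEYSTORE_PASSWORD" => "%s"), ' "$1" "$2"
    printf '("KEYSTORE_ALIAS" => "%s"), ("SALT" => "%s"), ' "$3" "$4"
    printf '("ITERATION_COUNT" => "%s"), ("ENC_FILE_DIR" => "%s")])\n' "$5" "$6"
}

# The page's hypothetical values, for a standalone server:
build_vault_add "/home/user/vault/vault.keystore" "MASK-3y28rCZlcKR" "vault" \
    "12438567" "50" "/home/user/vault/"
```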