3.8.3. Mask the Keystore Password and Initialize the Password Vault


  1. Run the vault.sh command.

    Run EAP_HOME/bin/vault.sh. Start a new interactive session by typing 0.
  2. Enter the directory where encrypted files will be stored.

    This directory should be reasonably secure, but JBoss EAP 6 needs to be able to access it. If you followed Section 3.8.2, “Create a Java Keystore to Store Sensitive Strings”, your keystore is in a directory called vault/ in your home directory. This example uses the directory /home/USER/vault/.


    Do not forget to include the trailing slash on the directory name. Use either / or \, depending on your operating system.
  3. Enter the path to the keystore.

    Enter the full path to the keystore file. This example uses /home/USER/vault/vault.keystore.
  4. Encrypt the keystore password.

    The following steps encrypt the keystore password, so that you can use it in configuration files and applications securely.
    1. Enter the keystore password.

      When prompted, enter the keystore password.
    2. Enter a salt value.

      Enter an 8-character salt value. The salt value, together with the iteration count (below), is used to create the hash value.
    3. Enter the iteration count.

      Enter a number for the iteration count.
    4. Make a note of the masked password information.

      The masked password, the salt, and the iteration count are printed to standard output. Make a note of them in a secure location. An attacker could use them to decrypt the password.
    5. Enter the alias of the vault.

      When prompted, enter the alias of the vault. If you followed Section 3.8.2, “Create a Java Keystore to Store Sensitive Strings” to create your vault, the alias is vault.
  5. Exit the interactive console.

    Type 2 to exit the interactive console.

Your keystore password has been masked for use in configuration files and deployments. In addition, your vault is fully configured and ready to use.
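
The following pre-flight check is an added example, not part of the original procedure or of JBoss EAP. It validates the two paths typed into vault.sh in steps 2 and 3: the trailing slash, the full keystore path, and that neither the directory nor the keystore is accessible to group or other. It assumes JBoss EAP 6 runs as the owner of the vault directory; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check for the paths entered into vault.sh.
# Assumption: the account that runs JBoss EAP 6 owns the vault directory.

# True when the path grants no permission bits to group or other.
private_mode() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

check_vault_paths() {
    enc_dir=$1      # directory for encrypted files, e.g. /home/USER/vault/
    keystore=$2     # full keystore path, e.g. /home/USER/vault/vault.keystore
    rc=0

    case $enc_dir in
        */) ;;
        *) echo "FAIL: directory name lacks the trailing slash: $enc_dir"; rc=1 ;;
    esac
    case $keystore in
        /*) ;;
        *) echo "FAIL: keystore path is not a full path: $keystore"; rc=1 ;;
    esac

    if [ ! -d "$enc_dir" ]; then
        echo "FAIL: not a directory: $enc_dir"; rc=1
    elif ! private_mode "$enc_dir"; then
        echo "FAIL: group/other can access $enc_dir (suggest chmod 700)"; rc=1
    fi

    if [ ! -f "$keystore" ]; then
        echo "FAIL: keystore file not found: $keystore"; rc=1
    elif ! private_mode "$keystore"; then
        echo "FAIL: group/other can access $keystore (suggest chmod 600)"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: vault paths are ready for vault.sh"; fi
    return "$rc"
}

# Run the check when called as: script ENC_DIR KEYSTORE_PATH
if [ "$#" -eq 2 ]; then check_vault_paths "$1" "$2"; fi
```

The same permissions matter for wherever the masked password, salt, and iteration count are recorded, since together they allow the keystore password to be recovered.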