11.13.5. Configure JBoss EAP 6 to Use a Custom Implementation of the Password Vault


You can use your own implementation of SecurityVault to mask passwords and other sensitive attributes in configuration files.

Procedure 11.43. Use a Custom Implementation of the Password Vault

  1. Create a class that implements the interface SecurityVault.
  2. Create a module containing the class from the previous step, and specify a dependency on org.picketbox where the interface is SecurityVault.
  3. Enable the custom Password Vault in the JBoss EAP server configuration by adding the vault element with the following attributes:
    The fully qualified name of class that implements SecurityVault.
    The name of the module that contains the custom class.
    Optionally, you can use vault-options parameters to initialize the custom class for a Password Vault. For example:
    /core-service=vault:add(code="custom.vault.implementation.CustomSecurityVault", module="custom.vault.module", vault-options=[("KEYSTORE_URL" => "PATH_TO_KEYSTORE"), ("KEYSTORE_PASSWORD" => "MASKED_PASSWORD"), ("KEYSTORE_ALIAS" => "ALIAS"), ("SALT" => "SALT"),("ITERATION_COUNT" => "ITERATION_COUNT"), ("ENC_FILE_DIR" => "ENC_FILE_DIR")])

JBoss EAP 6 is configured to decrypt masked strings using a custom implementation of the password vault.