11.13.3. Mask the Keystore Password and Initialize the Password Vault

  1. Run the vault.sh command.

    Run EAP_HOME/bin/vault.sh. Start a new interactive session by typing 0.
  2. Enter the directory where encrypted files will be stored.

    Access to this directory should be restricted to a limited set of users. At a minimum, the user account under which JBoss EAP is running requires read-write access. If you followed Section 11.13.2, “Create a Java Keystore to Store Sensitive Strings”, your keystore is in a directory called EAP_HOME/vault/.

    Do not forget to include the trailing slash on the directory name. Use either / or \, depending on your operating system.
  3. Enter the path to the keystore.

    Enter the full path to the keystore file. This example uses EAP_HOME/vault/vault.keystore.
  4. Encrypt the keystore password.

    The following steps encrypt the keystore password, so that you can use it in configuration files and applications securely.
    1. Enter the keystore password.

      When prompted, enter the keystore password.
    2. Enter a salt value.

      Enter an 8-character salt value. The salt value, together with the iteration count (below), is used to create the hash value.
    3. Enter the iteration count.

      Enter a number for the iteration count.
    4. Make a note of the masked password information.

      The masked password, the salt, and the iteration count are printed to standard output. Make a note of them in a secure location. An attacker could use them to decrypt the password.
    5. Enter the alias of the vault.

      When prompted, enter the alias of the vault. If you followed Section 11.13.2, “Create a Java Keystore to Store Sensitive Strings” to create your vault, the alias is vault.
  5. Exit the interactive console.

    Type 2 to exit the interactive console.

Your keystore password has been masked for use in configuration files and deployments. In addition, your vault is fully configured and ready to use.
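
The following pre-flight check is an added example, not part of JBoss EAP or of the original procedure. It validates the answers for steps 2, 3, 4.2 and 4.3 before you start the vault.sh session. It assumes it is run as the account that runs JBoss EAP and that "limited users" means owner-only access; the function names and messages are illustrative, and the keystore password itself is never passed to it.

```shell
#!/bin/sh
# Added example: pre-flight check for the answers typed into vault.sh.
# Function names and messages are illustrative, not part of JBoss EAP.

# Succeeds when the path grants no permission bits to group or other.
owner_only() {
    # Characters 5-10 of the ls -l mode string are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# usage: check_vault_inputs ENC_DIR KEYSTORE SALT ITERATIONS
# Prints one line per problem; returns 0 only when every check passes.
check_vault_inputs() {
    enc_dir=$1; keystore=$2; salt=$3; iterations=$4; rc=0

    # Step 2: trailing slash, read-write for this account, nobody else.
    case $enc_dir in
        */) ;;
        *) echo "directory name lacks trailing slash: $enc_dir"; rc=1 ;;
    esac
    if [ ! -d "$enc_dir" ]; then
        echo "not a directory: $enc_dir"; rc=1
    elif [ ! -r "$enc_dir" ] || [ ! -w "$enc_dir" ]; then
        echo "this account lacks read-write access: $enc_dir"; rc=1
    elif ! owner_only "$enc_dir"; then
        # Assumption: "limited users" is read here as owner-only.
        echo "directory is open to group or other: $enc_dir"; rc=1
    fi

    # Step 3: full path to an existing keystore file.
    case $keystore in
        /*) [ -f "$keystore" ] || { echo "keystore not found: $keystore"; rc=1; } ;;
        *) echo "keystore path is not a full path: $keystore"; rc=1 ;;
    esac

    # Step 4.2: the salt must be exactly 8 characters.
    [ "${#salt}" -eq 8 ] || { echo "salt is ${#salt} characters, need 8"; rc=1; }

    # Step 4.3: the iteration count must be a number.
    case $iterations in
        ''|*[!0-9]*) echo "iteration count is not a number"; rc=1 ;;
    esac
    return "$rc"
}

# Run the check when called as: script ENC_DIR KEYSTORE SALT ITERATIONS
if [ "$#" -eq 4 ]; then check_vault_inputs "$@"; fi
```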