Chapter 8. Using a Password Vault with Red Hat JBoss Web Server 3

8.1. Using a Password Vault with Red Hat JBoss Web Server 3

A password vault is used to mask passwords and other sensitive strings and to store them in an encrypted Java keystore. This allows you to eliminate clear-text passwords from your Tomcat configuration files, because Tomcat can look up passwords and other sensitive strings from the keystore through the vault.

The examples and commands below use JWS_HOME as the JBoss Web Server installation directory. Replace JWS_HOME with the path to your JBoss Web Server installation. Also, the paths below use / for directory separators.

8.1.1. Installing the JBoss Web Server password vault

There are two methods of installing the JBoss Web Server password vault:

8.1.1.1. Installing the JBoss Web Server password vault on Red Hat Enterprise Linux from an RPM

Where the JBoss Web Server has been installed from RPMs on Red Hat Enterprise Linux, install the password vault as the root user by executing:

yum install tomcat-vault tomcat-vault-tomcat<VERSION>

Where <VERSION> is either 7 for tomcat 7 (tomcat-vault-tomcat7) or 8 for tomcat 8 (tomcat-vault-tomcat8).

Note

In the tomcat-vault RPM installation, the vault jar is located at /usr/share/java/vault-tomcat-<VERSION>-jar-with-dependencies.jar. The same jar can be used in a JWS zip installation by placing it in JWS_HOME/tomcat<VERSION>/lib/, and in a JWS RPM installation by placing it in /usr/share/tomcat<VERSION>/lib.

8.1.1.2. Downloading and Extracting the Vault Files from a .zip archive

  1. Stop Tomcat if it is running.
  2. Extract the contents of the vault zip to your JWS_HOME directory. In this topic, JWS_HOME/tomcat-vault will refer to the extracted vault directory.
  3. Copy JWS_HOME/tomcat-vault/modules/system/layers/base/tomcat-vault/main/tomcat-vault.jar to JWS_HOME/tomcat<VERSION>/lib/. Edit JWS_HOME/tomcat<VERSION>/conf/catalina.properties, and add the following line:
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault

8.1.2. Creating a Java Keystore

To use a password vault, you must first create a Java keystore. You can do this using the keytool -genseckey command. For example:

$ keytool -genseckey -keystore JWS_HOME/tomcat/vault.keystore -alias my_vault -storetype jceks -keyalg AES -keysize 128 -storepass <vault_password> -keypass <vault_password> -validity 730
Important

The values above are examples only. Replace them with values specific to your environment.

For an explanation of the parameters, use the keytool -genseckey -help command.

8.1.3. Storing the tomcat-vault vault.properties file outside of the JWS_HOME directory

This feature was introduced by JBoss Web Server 3.1 Service Pack 2.

The vault.properties file for the tomcat-vault can be stored outside of JWS_HOME/tomcat<VERSION>/conf/ in a CATALINA_BASE/conf/ directory (if set).

To set the CATALINA_BASE directory, follow the instructions in the section 'Advanced Configuration - Multiple Tomcat Instances' in the Running The Apache Tomcat 8.0 Servlet/JSP Container document found on the Apache Tomcat Website.

Note

The default location for CATALINA_BASE is JWS_HOME/tomcat<VERSION>/ (also known as CATALINA_HOME).

For more information on setting CATALINA_BASE, see:

8.1.4. Initializing the Password Vault

The vault must be initialized before it can be used to store sensitive strings. This is done using the JWS_HOME/tomcat-vault/bin/tomcat-vault.sh vault script. For Microsoft Windows, the script is tomcat-vault.bat.

The script can be run interactively or non-interactively. Below is an example of an interactive execution of the script to initialize a password vault; the values shown use the example keystore created in the previous step.

8.1.4.1. Initializing the Vault for Apache Tomcat interactively

Important

The values below are examples only. Replace them with values appropriate for your environment.

# JWS_HOME/tomcat-vault/bin/tomcat-vault.sh

WARNING JBOSS_HOME may be pointing to a different installation - unpredictable results may occur.

=========================================================================

  JBoss Vault

  JBOSS_HOME: JWS_HOME/tomcat-vault

  JAVA: java

=========================================================================

**********************************
****  JBoss Vault  ***************
**********************************
Please enter a Digit::
0: Start Interactive Session
1: Remove Interactive Session
2: Exit

0

Starting an interactive session
Enter directory to store encrypted files: JWS_HOME/tomcat-vault/
Enter Keystore URL: JWS_HOME/tomcat-vault/vault.keystore
Enter Keystore password: <vault_password>
Enter Keystore password again: <vault_password>
Values match
Enter 8 character salt: 1234abcd
Enter iteration count as a number (Eg: 44): 120
Enter Keystore Alias: my_vault
Initializing Vault
Jun 16, 2018 10:24:27 AM org.apache.tomcat.vault.security.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in tomcat properties file:
********************************************
...
KEYSTORE_URL=JWS_HOME/tomcat-vault/vault.keystore
KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/
KEYSTORE_ALIAS=my_vault
SALT=1234abcd
ITERATION_COUNT=120
ENC_FILE_DIR=JWS_HOME/tomcat-vault/
...
**
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::
0: Store a secured attribute
1: Check whether a secured attribute exists
2: Exit

2

Note the output for the Tomcat properties file, as you will need this to configure Tomcat to use the vault.

Configuring Tomcat to Use the Password Vault

In JWS_HOME/tomcat<VERSION>/conf/, create a file named vault.properties containing the vault configuration produced when initializing the vault. The values provided below use the example vault initialized in the previous steps.

Note

For KEYSTORE_PASSWORD, you must use the masked value that was generated when initializing the vault.

KEYSTORE_URL=JWS_HOME/tomcat-vault/vault.keystore
KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/
KEYSTORE_ALIAS=my_vault
SALT=1234abcd
ITERATION_COUNT=120
ENC_FILE_DIR=JWS_HOME/tomcat-vault/

8.1.4.2. Initializing the Vault for Apache Tomcat non-interactively (silent setup)

The Vault for Apache Tomcat can be created non-interactively by providing the required input as arguments to the tomcat-vault.sh script. The vault.properties file is also created as output of the tomcat-vault.sh script when the -g, --generate-config option is used.

Important

The values below are examples only. Replace them with values appropriate for your environment.

$ JWS_HOME/tomcat-vault/bin/tomcat-vault.sh \
 --keystore JWS_HOME/tomcat-vault/vault.keystore \
 --keystore-password <vault_password> \
 --alias my_vault \
 --enc-dir JWS_HOME/tomcat-vault/ \
 --iteration 120 \
 --salt 1234abcd \
 --generate-config JWS_HOME/tomcat<VERSION>/conf/vault.properties

8.1.5. Storing a Sensitive String in the Password Vault

The vault script used in the previous steps is also used to store sensitive strings in the password vault. The script can be run interactively or non-interactively.

When adding a string to a password vault, the sensitive string needs a name by which it will be referred to. In a password vault, this name is called the attribute name, and the password itself is called a secured attribute.

The example below demonstrates using the vault script non-interactively to store a password. It uses the vault that was initialized in the previous steps, and stores the sensitive string P@SSW0#D with the attribute name manager_password.

$ JWS_HOME/tomcat-vault/bin/tomcat-vault.sh --keystore JWS_HOME/tomcat-vault/vault.keystore --keystore-password <vault_password> --alias my_vault --enc-dir JWS_HOME/tomcat-vault/ --iteration 120 --salt 1234abcd --vault-block my_block --attribute manager_password --sec-attr P@SSW0#D
Note

You can optionally specify a vault block to store the password in. If you don’t specify a block, one will be automatically created for you. In the above example, my_block is used.

8.1.6. Using a Stored Sensitive String in Your Tomcat Configuration

After storing a sensitive string in the password vault, you can refer to it in your configuration files by entering the stored string’s attribute as ${VAULT::block_name::attribute_name::}.

For example, to use the password stored in the previous steps, replace:

<user username="manager" password="P@SSW0#D" roles="manager-gui"/>

with:

<user username="manager" password="${VAULT::my_block::manager_password::}" roles="manager-gui"/>

As a result, only a reference to the password is visible in the Tomcat configuration file, and the actual password is only stored in the password vault.
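Two things have to hold for the substitution above to work: catalina.properties must contain the PROPERTY_SOURCE line from the installation step, and the configuration files must no longer contain password attributes with literal values. The shell functions below are an added example, not part of the Red Hat documentation or the tomcat-vault tool; they check both conditions against constructed sample files that mirror the before and after snippets above.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation). Without the
# PropertySourceVault line, Tomcat would pass "${VAULT::...}" through
# literally and nothing would resolve it.

# check_property_source FILE -> 0 if catalina.properties enables the vault
check_property_source() {
  grep -q '^org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault$' "$1"
}

# find_cleartext_passwords FILE -> prints password attributes that are not
# ${VAULT::...} references; returns 0 if none are found, 1 otherwise.
find_cleartext_passwords() {
  if grep -n 'password="' "$1" | grep -F -v 'password="${VAULT::'; then
    return 1
  fi
  return 0
}

# Constructed samples
CATALINA_PROPS=$(mktemp)
echo 'org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault' > "$CATALINA_PROPS"

USERS_BEFORE=$(mktemp)
cat > "$USERS_BEFORE" <<'EOF'
<tomcat-users>
  <user username="manager" password="P@SSW0#D" roles="manager-gui"/>
</tomcat-users>
EOF

USERS_AFTER=$(mktemp)
cat > "$USERS_AFTER" <<'EOF'
<tomcat-users>
  <user username="manager" password="${VAULT::my_block::manager_password::}" roles="manager-gui"/>
</tomcat-users>
EOF

check_property_source "$CATALINA_PROPS" && echo "vault property source enabled"
find_cleartext_passwords "$USERS_BEFORE" || echo "clear-text password(s) found"
find_cleartext_passwords "$USERS_AFTER" && echo "no clear-text passwords"
```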