Chapter 6. Vault For Red Hat JBoss Web Server

6.1. About password vault in Red Hat JBoss Web Server 5.3

Tomcat-vault is a PicketLink vault extension for Apache Tomcat that allows users to mask passwords and other sensitive strings, and store them in an encrypted Java keystore. Using the vault enables you to stop storing clear-text passwords in your Tomcat configuration files, because Tomcat can lookup passwords and other sensitive strings from a keystore using the vault.

Important

For Using CRYPT with the Vault, refer Using CRYPT.

6.2. Installing the JBoss Web Server password vault from .zip archive

As tomcat password vault is pre-installed by the jws-5.3.0-application-server.zip file. The password vault can be used once configured and it is located at: JWS_HOME/tomcat/lib/tomcat-vault.jar.

6.3. Installing the JBoss Web Server password vault on Red Hat Enterprise Linux using the YUM package manager

If the JBoss Web Server has been installed from RPMs on Red Hat Enterprise Linux, you need to install the JBoss Web Server RPM for tomcat-vault.

Procedure

  • Install the password vault as the root user by executing:

    yum install jws5-tomcat-vault

6.4. Enabling password vault in JBoss Web Server

In the following procedure, replace JWS_HOME with the path to your JBoss Web Server installation. Also, the paths below use / for directory separators.

Procedure

  1. Stop Tomcat if it is running.
  2. Edit JWS_HOME/tomcat/conf/catalina.properties, and add the following line:

    org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault

6.5. Creating a Java Keystore in JBoss Web Server

To use a password vault, you must first create a Java keystore.

Important

The values in the procedure are examples only. Replace them with values specific to your environment.

For an explanation of the parameters, use the keytool -genseckey -help command.

Procedure

  • Create a Java keystore using the keytool -genseckey command:

    $ keytool -genseckey -keystore JWS_HOME/tomcat/vault.keystore -alias my_vault  -storetype jceks -keyalg AES -keysize 128 -storepass <vault_password> -keypass <vault_password> -validity 730

6.6. External password vault configuration

The vault.properties file for the tomcat-vault can be stored outside of JWS_HOME/tomcat/conf/ in a CATALINA_BASE/conf/ directory (if set).

To set the CATALINA_BASE directory, follow the instructions in the section Advanced Configuration - Multiple Tomcat Instances in the Running The Apache Tomcat 9.0 Servlet/JSP Container document found on the Apache Tomcat Website.

Note

The default location for CATALINA_BASE is JWS_HOME/tomcat/ also known as CATALINA_HOME.

Additional Resources

For more information on setting CATALINA_BASE, see:

6.7. Initializing Password Vault

6.7.1. Initializing password vault for Apache Tomcat interactively

Important

The values below are examples only. Replace them with values appropriate for your environment.

Procedure

  • Initialize password vault using the tomcat-vault.sh script:

    # JWS_HOME/tomcat/bin/tomcat-vault.sh
    
    WARNING JBOSS_HOME may be pointing to a different installation - unpredictable results may occur.
    
    =========================================================================
    
      JBoss Vault
    
      JBOSS_HOME: JWS_HOME/tomcat
    
      JAVA: java
    
    =========================================================================
    
    **********************************
    ****  JBoss Vault  ***************
    **********************************
    Please enter a Digit::
    0: Start Interactive Session
    1: Remove Interactive Session
    2: Exit
    
    0
    
    Starting an interactive session
    Enter directory to store encrypted files: JWS_HOME/tomcat/
    Enter Keystore URL: JWS_HOME/tomcat/vault.keystore
    Enter Keystore password: <vault_password>
    Enter Keystore password again: <vault_password>
    Values match
    Enter 8 character salt: 1234abcd
    Enter iteration count as a number (Eg: 44): 120
    Enter Keystore Alias: my_vault
    Initializing Vault
    Jun 16, 2018 10:24:27 AM org.apache.tomcat.vault.security.vault.PicketBoxSecurityVault init
    INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
    Vault Configuration in tomcat properties file:
    ********************************************
    ...
    KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore
    KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/
    KEYSTORE_ALIAS=my_vault
    SALT=1234abcd
    ITERATION_COUNT=120
    ENC_FILE_DIR=JWS_HOME/tomcat/
    ...
    ********************************************
    Vault is initialized and ready for use
    Handshake with Vault complete
    Please enter a Digit::
    0: Store a secured attribute
    1: Check whether a secured attribute exists
    2: Exit
    
    2

Note the output for the Tomcat properties file, as you will need this to configure Tomcat to use the vault.

6.7.2. Initializing the Vault for Apache Tomcat non-interactively (silent setup)

The Vault for Apache Tomcat can be created non-interactively by providing the required input as arguments to the tomcat-vault.sh script. The vault.properties file is also created as output of the tomcat-vault.sh script when the -g, --generate-config option is used.

Important

The values below are examples only. Replace them with values appropriate for your environment.

Procedure

  • Initialize password vault using the tomcat-vault.sh script:
$ JWS_HOME/tomcat/bin/tomcat-vault.sh \
 --keystore JWS_HOME/tomcat/vault.keystore \
 --keystore-password <vault_password> \
 --alias my_vault \
 --enc-dir JWS_HOME/tomcat/ \
 --iteration 120 \
 --salt 1234abcd \
 --generate-config JWS_HOME/tomcat/conf/vault.properties

6.8. Configuring Tomcat to use the password vault

Prerequisites

Procedure

  • In JWS_HOME/tomcat/conf/, create a file named vault.properties containing the vault configuration produced when initializing the vault.

    The values provided below use the example vault initialized in procedure Initializing password vault for Apache Tomcat interactively

    Note

    For KEYSTORE_PASSWORD, you must use the masked value that was generated when initializing the vault.

    KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore
    KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/
    KEYSTORE_ALIAS=my_vault
    SALT=1234abcd
    ITERATION_COUNT=120
    ENC_FILE_DIR=JWS_HOME/tomcat/