Red Hat Training

A Red Hat training course is available for Red Hat JBoss Enterprise Application Platform

7.9. Use an Encrypted Sensitive String in Configuration

Prerequisites

Any sensitive string which has been encrypted can be used in a configuration file or Management CLI command in its masked form, providing expressions are allowed.
To confirm if expressions are allowed within a particular subsystem, run the following Management CLI command against that subsystem.

Note

Add the prefix /host=HOST_NAME to the command for a managed domain. 
/core-service=SUBSYSTEM:read-resource-description(recursive=true)

Example 7.8.  List the Description of all Resources in the Management Subsystem 

/core-service=management:read-resource-description(recursive=true)
From the output of running this command, look for the value of the expressions-allowed parameter. If this is true, then you can use expressions within the configuration of this subsystem.
Use the following syntax to replace any plaintext string with the masked form. 
${VAULT::VAULT_BLOCK::ATTRIBUTE_NAME::MASKED_STRING}

Example 7.9.  Datasource Definition Using a Password in Masked Form

In this example the vault block is ds_ExampleDS and the attribute is password. 
...
  <subsystem xmlns="urn:jboss:domain:datasources:1.0">
    <datasources>
      <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
        <driver>h2</driver>
        <pool></pool>
        <security>
          <user-name>sa</user-name>
          <password>${VAULT::ds_ExampleDS::password::1}</password>
        </security>
      </datasource>
      <drivers>
         <driver name="h2" module="com.h2database.h2">
            <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
         </driver>
      </drivers>
    </datasources>
  </subsystem>
...
Report a bug