Chapter 18. Encrypting the Keystore Password in a Tomcat Connector

Procedure 18.1. Encrypt Tomcat Container Keystore Password

1. Append connector element

   Add a connector element in server.xml in $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar

     <!-- SSL/TLS Connector with encrypted keystore password configuration  -->
   <Connector port="8443" address="${jboss.bind.address}"
      maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
      scheme="https" secure="true" clientAuth="true"
      sslProtocol="TLS"
      securityDomain="java:/jaas/encrypt-keystore-password"
      SSLImplementation="org.jboss.net.ssl.JBossImplementation" >
   </Connector>

   .

2. Configure JaasSecurityDomain MBean

   Set the JaasSecurityDomain MBean in the $JBOSS_HOME/server/$PROFILE/deploy/security-service.xml file.
   If the file does not exist, create it. The code sample in Example 18.1, “security-service.xml” shows the content you need to add to a newly-created service-security.xml file. If the security-service.xml file exists, append the <mbean> element block to the file.

   Example 18.1. security-service.xml

   <server>
      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=PBESecurityDomain">
         <constructor>
            <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
         </constructor>
         <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
         <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
         <attribute name="Salt">welcometojboss</attribute>
         <attribute name="IterationCount">13</attribute>
      </mbean>
   </server>

   Note

   If the keystore contains multiple certificates, you can use the ServerAlias property. The property value specifies the alias of the certificate retrieved by the SSL connector.

   <attribute name="ServerAlias">ssl</attribute>

   The Salt and IterationCount are the variables that define the strength of your encrypted password, so you can vary it from what is shown. Ensure you record the new values, and use when generating the encrypted password.

   Note

   The Salt must be at least eight characters long.

3. Generate encrypted password

   The <mbean> configuration specifies that the keystore is stored in the jboss-as/server/$PROFILE/conf/localhost.keystore file. The <mbean> also specifies the encrypted password file is stored in jboss-as/server/$PROFILE/conf/keystore.password file.
   You must create the localhost.keystore file.
   Execute the following command in the jboss-as/server/$PROFILE/conf directory.

   [conf]$ java -cp $JBOSS_HOME/lib/jbosssx.jar \org.jboss.security.plugins.FilePassword welcometojboss 13 unit-tests-server keystore.password

   This command uses jbosssx.jar as the classpath (-cp) and the FilePassword security plug-in to create a keystore.password file with the password set as unit-tests-server. To verify you have permission to create a keystore.password file, you supply the salt and iteration parameters configured in the <mbean> <attribute> elements of the JaasSecurityDomain.
   You execute this command in the /conf directory so the keystore.password file is saved to this directory.

4. Update the Tomcat service MBean

   Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF/.
   Open jboss-beans.xml and append the following <depends> tag to the WebServer end of the file. Adding the <depends> tag specifies that Tomcat must start after jboss.security:service=PBESecurityDomain .

   <bean name="WebServer"
   class="org.jboss.web.tomcat.service.deployers.TomcatService">
   ...
   <depends>jboss.security:service=PBESecurityDomain</depends>
   
   ...