Can we use the VAULT to encrypt the keystore password in jboss-cli.xml in JBoss EAP?

Solution Verified

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6
    • 7

Issue

  • How to encrypt passwords for the keystore and truststore in jboss-cli.xml?

Resolution

This feature was added in EAP 6.3. The CLI can use the vault to encrypt passwords in its configuration file, jboss-cli.xml: the vault configuration is referenced from jboss-cli.xml, and the keystore and truststore passwords are then loaded from the vault rather than written into the file. Review how to encrypt passwords with the vault tool (vault.sh) before proceeding.

EAP 6.3+

Example configuration of SSL with vaulted passwords in jboss-cli.xml:

<ssl>
    <vault file="vault-config.xml"/>
...
    <key-store-password>VAULT::VB::cli_pass::1</key-store-password>
    <key-password>VAULT::VB::cli_pass::1</key-password>
    <trust-store-password>VAULT::VB::cli_pass::1</trust-store-password>
</ssl>

vault file: a reference to the file that contains the vault configuration (the content generated by the ./vault.sh tool).

Example vault-config.xml file:

<vault>
  <vault-option name="KEYSTORE_URL" value="path-to/vault/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="12345678"/>
  <vault-option name="ITERATION_COUNT" value="50"/>
  <vault-option name="ENC_FILE_DIR" value="path-to/jboss-eap-6.3/vault/"/>
</vault>

EAP 7

Example jboss-cli.xml:

<ssl>
  <vault>
    <vault-option name="KEYSTORE_URL" value="/path-to/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="EAP_HOME/vault/"/>
  </vault>
  <alias>HOST2_alias</alias>
  <key-store>/path/to/HOST2.keystore.jks</key-store>
  <key-store-password>VAULT::VB::cli_pass::1</key-store-password>
  <key-password>VAULT::VB::cli_pass::1</key-password>
  <trust-store>/path/to/HOST2.truststore.jks</trust-store>
  <trust-store-password>VAULT::VB::cli_pass::1</trust-store-password>
  <modify-trust-store>true</modify-trust-store>
</ssl>
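As an added example (not part of the article or of EAP itself), the following Python check lints the <ssl> section of a jboss-cli.xml like the ones above before it is deployed: it flags keystore and truststore passwords left in plaintext, rejects VAULT:: references that do not follow the VAULT::block::attribute::line form, and, for the EAP 7 inline form, verifies the vault-option set (masked KEYSTORE_PASSWORD, 8-character SALT, numeric ITERATION_COUNT). The sample XML is constructed for the demonstration; the file paths and alias names in it are placeholders.

```python
import re
import xml.etree.ElementTree as ET
# Reference syntax used in jboss-cli.xml: VAULT::<vault-block>::<attribute>::<shared-key-line>
VAULT_REF = re.compile(r"^VAULT::[^:]+::[^:]+::\d+$")
PASSWORD_TAGS = ("key-store-password", "key-password", "trust-store-password")
VAULT_OPTIONS = ("KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS", "SALT", "ITERATION_COUNT", "ENC_FILE_DIR")

def check_vault_options(vault_el):
    """Findings for a <vault> element: EAP 7 inline options or the root of vault-config.xml."""
    opts = {o.get("name"): o.get("value", "") for o in vault_el.iter("vault-option")}
    findings = [f"missing vault-option {n}" for n in VAULT_OPTIONS if n not in opts]
    if "KEYSTORE_PASSWORD" in opts and not opts["KEYSTORE_PASSWORD"].startswith("MASK-"):
        findings.append("KEYSTORE_PASSWORD is not masked (vault.sh emits a MASK- value)")
    if "SALT" in opts and len(opts["SALT"]) != 8:
        findings.append("SALT must be exactly 8 characters")
    if "ITERATION_COUNT" in opts and not opts["ITERATION_COUNT"].isdigit():
        findings.append("ITERATION_COUNT must be a positive integer")
    return findings

def check_cli_ssl(xml_text):
    """Lint the <ssl> section of jboss-cli.xml: plaintext passwords, bad VAULT refs, vault options."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any urn:jboss:cli:* namespace prefix
        el.tag = el.tag.split("}", 1)[-1]
    ssl = root if root.tag == "ssl" else root.find(".//ssl")
    if ssl is None:
        return ["no <ssl> element found"]
    vault = ssl.find("vault")
    if vault is None:
        findings = ["no <vault> element under <ssl>: VAULT:: references cannot be resolved"]
    else:  # EAP 7 inline options are checked here; an EAP 6 <vault file=.../> is checked via its file
        findings = check_vault_options(vault) if vault.get("file") is None else []
    for tag in PASSWORD_TAGS:
        el = ssl.find(tag)
        value = (el.text or "").strip() if el is not None else ""
        if value and not value.startswith("VAULT::"):
            findings.append(f"{tag} holds a plaintext password")
        elif value and not VAULT_REF.match(value):
            findings.append(f"{tag} has a malformed vault reference: {value}")
    return findings

# Constructed sample (not from the article): EAP 7 style <ssl> with four mistakes to catch.
SAMPLE_BAD = """<ssl><vault>
  <vault-option name="KEYSTORE_URL" value="/path-to/vault/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="vault22"/><vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="1234"/><vault-option name="ITERATION_COUNT" value="50"/>
  <vault-option name="ENC_FILE_DIR" value="EAP_HOME/vault/"/></vault>
  <key-store-password>VAULT::VB::cli_pass::1</key-store-password>
  <key-password>changeit</key-password>
  <trust-store-password>VAULT::VB::cli_pass</trust-store-password></ssl>"""
```

Running check_cli_ssl(SAMPLE_BAD) reports the unmasked KEYSTORE_PASSWORD, the short SALT, the plaintext key-password and the truncated trust-store reference; a clean EAP 6 file with <vault file="vault-config.xml"/> should then be paired with check_vault_options on the parsed vault-config.xml.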

In cases where both a security-realm and an ssl-context are defined for the management interface, JBoss EAP uses the SSL/TLS configuration provided by the ssl-context.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
