BRMS Rule Package Signing - Encrypting keystore credentials


Introduction

The BRMS Properties Service provides encryption services that mask the usernames, passwords and keystore locations used by JBoss Enterprise BRMS Platform for Rule Package Signing. The attached SAR file contains both a command line tool that encrypts the properties and a service that decrypts those properties at runtime, so that the plaintext values never need to be written into the server's configuration files.

This service is designed for use with the Rule Package Signing feature of JBoss Enterprise BRMS Platform.  Refer to the Security chapter of the JBoss Enterprise BRMS Platform Administrator Guide for more information at  http://docs.redhat.com/docs/en-US/JBoss_Enterprise_BRMS_Platform/5/html/BRMS_Administrator_Guide/chap-security.html#BRMS_AdminGuide-signing_config

Password masking is an obfuscation technique that adds one defense in depth layer; it is not a substitute for access control. Because the service must decrypt the values at runtime, anyone who can read both the properties file and the deployed SAR can recover them. The use of password encryption therefore does not negate the need for strong passwords, for restricting filesystem permissions on the properties file and the deploy directory, nor for adequately securing access to the server machine.

Encrypting keystore credentials

1. Setup Rule Package Signing

Rule Package Signing must be configured first.  Refer to the Security chapter of the JBoss Enterprise BRMS Platform Administrator Guide for instructions.

2. Deploy the drools properties service

Download and extract drools-propertiesservice-5.1.0.BRMS.sar.zip attached to this document. Deploy it to your JBoss application server by copying the SAR into the jboss-as/server/PROFILE/deploy directory. This is the same directory that the jboss-brms.war application is deployed in.

3. Generate Encrypted values

Open a terminal window and run the encryption command from the SAR file. The exact command differs depending on the application server version that is deployed (the location of the log4j jar that must be on the classpath changes between versions) and on the directory you run it from. The examples below show running the command for JBoss Enterprise Application Platform 4.3 and 5.1 installed into the /opt/jboss-brms/ directory using the production server profile:

  • Running the encryption command with JBoss Enterprise Application Platform 4

    [localhost ]$ cd /opt/jboss-brms/jboss-as/server/production
    [localhost ]$ java -cp lib/log4j.jar:deploy/drools-propertiesservice-5.1.0.BRMS.sar org.drools.propertiesservice.PropertiesService
    
  • Running the encryption command with JBoss Enterprise Application Platform 5.1

    [localhost ]$ cd /opt/jboss-brms/jboss-as/server/production
    [localhost ]$ java -cp ../../lib/jboss-logging-log4j.jar:deploy/drools-propertiesservice-5.1.0.BRMS.sar org.drools.propertiesservice.PropertiesService
    

The encryption command will prompt you for the following values:

  1. private keystore url
  2. private keystore password
  3. private key alias
  4. private key password
  5. public keystore url
  6. public keystore password

Enter those details and the encryption command produces the encrypted properties output.

4. Copy output to new brms.properties file

After all the required values have been entered the encryption command will output the content that needs to be copied to the new properties file.

Create the new file jboss-as/server/PROFILE/brms.properties and copy the last 7 lines of the output into it.

Example:

drools.serialization.sign=6e97ce6df850086f
drools.serialization.private.keyStoreURL=-52f055ba4d9e578abd82285f9eb9ff3a95e5a10bb2fc5efbdd4a2866fea76d3de5050c3fc856f
drools.serialization.private.keyStorePwd=-7740cdb162c4afa5
drools.serialization.private.keyAlias=1ed174f246bfdce3ff1ec5e41cee4549
drools.serialization.private.keyPwd=-7740cdb162c4afa5
drools.serialization.public.keyStoreURL=-52f055ba4d9e578abd82285f9eb9ff3a63193b39c395cb64366f58aee952b80c8092ae3791f6e18836
drools.serialization.public.keyStorePwd=-7740cdb162c4afa5

5. Ensure old package signing information is removed.

If these details were previously set as plaintext, they must be removed, otherwise the plaintext copies remain readable on disk and defeat the purpose of the encrypted file. Check both the jboss-as/server/PROFILE/deploy/properties-service.xml and jboss-brms.war/WEB-INF/classes/preferences.properties files for any previously entered plaintext drools.serialization.* properties and remove them.

When the application server is launched, the SAR file will deploy and make the decrypted properties available.
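The following POSIX shell script is an added example and not part of this article or of the drools properties service; it implements the checks a practitioner would run after steps 4 and 5. It assumes the seven property keys are exactly those shown in the example output above and that the server layout is jboss-as/server/PROFILE. The files it writes are constructed sample data (the sample ciphertext values are the ones printed above; the plaintext password and the properties-service.xml fragment are made up for the demonstration), so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or the drools properties service.
# Verifies the brms.properties hand-off (step 4) and the plaintext clean-up (step 5).
# Assumed: the seven keys below are the full set the encryption command emits.
# All files created here are constructed sample data.

# The seven keys the encryption command emits (taken from the example output).
BRMS_KEYS="drools.serialization.sign
drools.serialization.private.keyStoreURL
drools.serialization.private.keyStorePwd
drools.serialization.private.keyAlias
drools.serialization.private.keyPwd
drools.serialization.public.keyStoreURL
drools.serialization.public.keyStorePwd"

# check_brms_properties FILE
# Succeeds only when every expected key appears exactly once with a non-empty value.
check_brms_properties() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    rc=0
    for key in $BRMS_KEYS; do
        n=$(grep -c "^${key}=." "$file" || true)   # grep -c exits 1 on zero matches
        if [ "$n" -ne 1 ]; then
            echo "$file: $key present $n time(s), expected 1" >&2
            rc=1
        fi
    done
    return $rc
}

# check_private FILE
# The masked values are only obfuscated: whoever can read this file and the SAR can
# recover them, so the file must not be group- or world-readable (mode 600 or 400).
check_private() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group+other permission bits, "------" when private
    [ "$mode" = "------" ]
}

# find_plaintext_leftovers FILE...
# Fails (and prints the offending lines) if any drools.serialization.* property is
# still set in the legacy locations named in step 5. Unreadable files are skipped.
find_plaintext_leftovers() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -n 'drools\.serialization\.' "$f"; then
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# --- constructed sample layout (stands in for jboss-as/server/PROFILE) -----------
WORK=$(mktemp -d)
GOOD="$WORK/brms.properties"
BAD="$WORK/brms-incomplete.properties"
PSXML="$WORK/properties-service.xml"
PREFS="$WORK/preferences.properties"

# Complete output as copied in step 4 (sample ciphertext values from the article).
cat > "$GOOD" <<'EOF'
drools.serialization.sign=6e97ce6df850086f
drools.serialization.private.keyStoreURL=-52f055ba4d9e578abd82285f9eb9ff3a95e5a10bb2fc5efbdd4a2866fea76d3de5050c3fc856f
drools.serialization.private.keyStorePwd=-7740cdb162c4afa5
drools.serialization.private.keyAlias=1ed174f246bfdce3ff1ec5e41cee4549
drools.serialization.private.keyPwd=-7740cdb162c4afa5
drools.serialization.public.keyStoreURL=-52f055ba4d9e578abd82285f9eb9ff3a63193b39c395cb64366f58aee952b80c8092ae3791f6e18836
drools.serialization.public.keyStorePwd=-7740cdb162c4afa5
EOF
chmod 600 "$GOOD"

# The same file with the last line dropped (a typical copy-and-paste slip).
head -n 6 "$GOOD" > "$BAD"

# Legacy properties-service.xml still carrying a plaintext password (constructed).
cat > "$PSXML" <<'EOF'
<server>
  <mbean code="org.jboss.varia.property.SystemPropertiesService" name="jboss:type=Service,name=SystemProperties">
    <attribute name="Properties">
      drools.serialization.private.keyStorePwd=changeit
    </attribute>
  </mbean>
</server>
EOF

# preferences.properties already cleaned up in step 5 (constructed).
printf '# signing properties removed in step 5\n' > "$PREFS"

# Usage: point these at the real PROFILE directory after completing steps 1-5.
if check_brms_properties "$GOOD" && check_private "$GOOD"; then
    echo "brms.properties: complete and private"
fi
check_brms_properties "$BAD" || echo "brms-incomplete.properties: rejected as expected"
find_plaintext_leftovers "$PSXML" "$PREFS" || echo "plaintext signing properties still present: remove them"
```

On a real server, run the three functions against jboss-as/server/PROFILE/brms.properties and the two legacy files before restarting the application server; a failing find_plaintext_leftovers means step 5 is not finished.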
