16.4. Create password masks

The JBoss Password Tool maintains an encrypted password file, jboss-as/bin/password/jboss_password_enc.dat. This file is encrypted using a key pair you provide to the password tool, and it contains the passwords that will be masked in configuration files. Passwords are stored in and retrieved from this file by 'domain', an arbitrary unique identifier that you specify to the Password Tool when storing the password, and that you specify again as part of the annotation that replaces the clear text password in configuration files. This allows the JBoss Application Server to retrieve the correct password from the file at run time.

Note

If you previously made the key store and the encrypted key store password file readable only by the JBoss Application Server process owner, then you need to perform the following procedure as the JBoss Application Server process owner. Otherwise, for the duration of this operation, make the key store (jboss-as/bin/password/password.keystore) and the encrypted key store password file (jboss-as/bin/password/jboss_keystore_pass.dat) readable by your user, and make the encrypted passwords file jboss-as/bin/password/jboss_password_enc.dat (if it already exists) readable and writable by your user.
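The note above turns on the permission bits of three files under jboss-as/bin/password. The following added script (not part of the guide or of the JBoss distribution) audits those three files and reports any that are readable or writable by group or others, which is the condition the note asks you to restrict. The file names come from the guide; the sample directory it builds, and the file contents in it, are constructed here only so the audit can run offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# The files the password tool relies on, relative to jboss-as/bin (paths as given in the guide).
PASSWORD_FILES = {
    "keystore": "password/password.keystore",
    "keystore_pass": "password/jboss_keystore_pass.dat",
    "password_enc": "password/jboss_password_enc.dat",
}


def check_file(path: Path) -> dict:
    """Report whether a secret-bearing file is restricted to its owner."""
    if not path.exists():
        return {"exists": False, "group_or_world_access": None, "mode": None}
    mode = stat.S_IMODE(path.stat().st_mode)
    # Any read/write/execute bit for group or others exposes the secret
    # beyond the process owner the note wants it limited to.
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {"exists": True, "group_or_world_access": exposed, "mode": oct(mode)}


def audit_password_files(bin_dir) -> dict:
    """Audit the keystore, keystore password file and encrypted password file under bin_dir."""
    bin_dir = Path(bin_dir)
    return {name: check_file(bin_dir / rel) for name, rel in PASSWORD_FILES.items()}


def build_sample_bin_dir() -> str:
    """Construct a throwaway jboss-as/bin layout (constructed sample data, not real key material)
    with one owner-only file, one over-permissive file, and the password file not yet created."""
    root = tempfile.mkdtemp(prefix="jboss-bin-")
    pw = Path(root) / "password"
    pw.mkdir()
    (pw / "password.keystore").write_bytes(b"constructed placeholder, not a keystore")
    os.chmod(pw / "password.keystore", 0o600)        # owner only: as the note recommends
    (pw / "jboss_keystore_pass.dat").write_bytes(b"constructed placeholder, not encrypted data")
    os.chmod(pw / "jboss_keystore_pass.dat", 0o644)  # world-readable: should be flagged
    # jboss_password_enc.dat is deliberately absent: the password tool has not created it yet.
    return root


if __name__ == "__main__":
    # Point this at a real jboss-as/bin directory to audit an installation.
    for name, report in audit_password_files(build_sample_bin_dir()).items():
        print(f"{name}: {report}")
```

Run it against jboss-as/bin on the server (as the process owner) before and after the procedure; a finding for jboss_password_enc.dat after the tool has written it means the mask file can be read by users other than the process owner.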

Procedure 16.4. Create password masks

  1. At the command line, change to the jboss-as/bin directory.
  2. Run the password tool, using the command ./password_tool.sh for Unix-based systems, or password_tool.bat for Windows-based systems.
    Result:

    The JBoss Password Tool will start, and will report 'Keystore is null. Please specify keystore below:'.

  3. Select '1:Specify KeyStore' by pressing 1 then Enter.
    Result:

    The password tool responds with 'Enter Keystore location including the file name'.

  4. Enter the path to the key store you created in Procedure 16.2, “Generate a key pair and key store for password masking”. You can specify an absolute path, or the path relative to jboss-as/bin. This should be password/password.keystore, unless you have performed an advanced installation and changed the defaults as per Section 16.6, “Changing the password masking defaults”.
    Result:

    The password tool responds with 'Enter Keystore alias'.

  5. Enter the key alias. This should be jboss, unless you have performed an advanced installation and changed the defaults as per Section 16.6, “Changing the password masking defaults”.
    Result:

    If the key store and key alias are accessible, the password tool will respond with some log4j WARNING messages, then the line 'Loading domains [', followed by any existing password masks, and the main menu.

  6. Select '2:Create Password' by pressing 2, then Enter.
    Result:

    The password tool responds with: 'Enter security domain:'.

  7. Enter a name for the password mask. This is an arbitrary unique name that you will use to identify the password mask in configuration files.
    Result:

    The password tool responds with: 'Enter passwd:'.

  8. Enter the password that you wish to mask.
    Result:

    The password tool responds with: 'Password created for domain:mask name', where mask name is the name you entered in the previous step.

  9. Repeat the password mask creation process to create masks for all passwords you wish to mask.
  10. Exit the program by choosing '5:Exit'.