Chapter 18. Encrypting the Keystore Password in a Tomcat Connector

JBoss Web is based on Apache Tomcat.
SSL with Tomcat requires a secure connector. This means that the keystore/truststore password cannot be passed as an attribute in the Connector element of Tomcat's server.xml file.
A working understanding of the JaasSecurityDomain that supports keystores, truststores, and password-based encryption is advised.
Refer to Chapter 13, Secure Remote Password Protocol and Chapter 17, Encrypting Data Source Passwords for supporting information and related procedures.

Procedure 18.1. Encrypt Tomcat Container Keystore Password

  1. Append connector element

    Add a Connector element to server.xml in $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar:

    <!-- SSL/TLS Connector with encrypted keystore password configuration  -->
    <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
       scheme="https" secure="true" clientAuth="true"
       sslProtocol="TLS"
       securityDomain="java:/jaas/encrypt-keystore-password"
       SSLImplementation="org.jboss.net.ssl.JBossImplementation" >
    </Connector>
  2. Configure JaasSecurityDomain MBean

    Define the JaasSecurityDomain MBean in the $JBOSS_HOME/server/$PROFILE/deploy/security-service.xml file.
    If the file does not exist, you must create it. The following sample shows the complete content required when the file does not exist. If you already have a security-service.xml, append only the <mbean> element block to that file.
    <server>
       <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
          name="jboss.security:service=PBESecurityDomain">
          <constructor>
             <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
          </constructor>
          <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
          <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
          <attribute name="Salt">welcometojboss</attribute>
          <attribute name="IterationCount">13</attribute>
       </mbean>
    </server>
    The Salt and IterationCount values determine the strength of the password-based encryption, so you can change them from the values shown. Record the new values, because you must supply the same salt and iteration count when generating the encrypted password.

    Note

    The Salt must be at least eight characters long.
  3. Generate encrypted password

    The <mbean> configuration specifies that the keystore is stored in the jboss-as/server/$PROFILE/conf/localhost.keystore file, and that the encrypted password file is stored in the jboss-as/server/$PROFILE/conf/keystore.password file.
    You must create the localhost.keystore file.
    Execute the following command in the jboss-as/server/$PROFILE/conf directory.
    [conf]$ java -cp $JBOSS_HOME/lib/jbosssx.jar \
        org.jboss.security.plugins.FilePassword welcometojboss 13 unit-tests-server keystore.password
    This command uses jbosssx.jar as the classpath (-cp) and the FilePassword security plugin to create a keystore.password file with the password set to unit-tests-server. To verify you have permission to create a keystore.password file, you supply the salt (welcometojboss) and iteration count (13) configured in the <mbean> <attribute> elements of the JaasSecurityDomain.
    You execute this command in the conf directory so that the keystore.password file is saved there.
  4. Update the Tomcat service MBean

    Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF.
    Open jboss-service.xml and append the following <depends> tag toward the end of the file. Adding the <depends> tag specifies that Tomcat must start after jboss.security:service=PBESecurityDomain.
          <depends>jboss.security:service=PBESecurityDomain</depends>
       </mbean>
    </server>
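The four steps above spread one configuration across three files that must agree: the Connector's securityDomain must name the domain declared by the MBean constructor, the <depends> tag must name the MBean, and the salt must satisfy the Note in step 2. The following added example (not part of the Red Hat guide) is a pre-restart consistency check over copies of those files; it assumes they sit together in one directory and parses them with sed only, using constructed sample files that mirror the guide's values.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: a pre-restart consistency check
# for the artifacts Procedure 18.1 touches. Given a directory holding copies of
# security-service.xml, server.xml and jboss-service.xml, it verifies the
# values the guide says must agree, using only sed and the shell.

# Pull the text of <attribute name="NAME">...</attribute> out of a file.
attr() { sed -n "s/.*name=\"$2\">\([^<]*\)<.*/\1/p" "$1" | head -n 1; }

check_pbe_config() {
  dir=$1; rc=0
  domain=$(sed -n 's/.*<arg type="java.lang.String" value="\([^"]*\)".*/\1/p' "$dir/security-service.xml" | head -n 1)
  mbean=$(sed -n 's/.*name="\(jboss.security:service=[^"]*\)".*/\1/p' "$dir/security-service.xml" | head -n 1)
  salt=$(attr "$dir/security-service.xml" Salt)
  iter=$(attr "$dir/security-service.xml" IterationCount)
  conn=$(sed -n 's|.*securityDomain="java:/jaas/\([^"]*\)".*|\1|p' "$dir/server.xml" | head -n 1)
  dep=$(sed -n 's/.*<depends>\([^<]*\)<.*/\1/p' "$dir/jboss-service.xml" | head -n 1)
  # The Note in step 2: the salt must be at least eight characters long.
  [ ${#salt} -ge 8 ] || { echo "Salt '$salt' is shorter than 8 characters"; rc=1; }
  case $iter in ''|*[!0-9]*) echo "IterationCount '$iter' is not a number"; rc=1;; esac
  # The Connector's securityDomain must name the domain the MBean constructor declares.
  [ "$conn" = "$domain" ] || { echo "Connector securityDomain '$conn' != MBean domain '$domain'"; rc=1; }
  # Tomcat must be told to start after the MBean that holds the keystore password.
  [ "$dep" = "$mbean" ] || { echo "<depends> '$dep' != MBean name '$mbean'"; rc=1; }
  return $rc
}

# Constructed sample files that mirror the values used in the guide.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/security-service.xml" <<'EOF'
<server>
   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=PBESecurityDomain">
      <constructor>
         <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
      </constructor>
      <attribute name="Salt">welcometojboss</attribute>
      <attribute name="IterationCount">13</attribute>
   </mbean>
</server>
EOF
printf '<Connector port="8443" securityDomain="java:/jaas/encrypt-keystore-password"\n' > "$SAMPLE/server.xml"
printf '   SSLImplementation="org.jboss.net.ssl.JBossImplementation" />\n' >> "$SAMPLE/server.xml"
printf '<depends>jboss.security:service=PBESecurityDomain</depends>\n' > "$SAMPLE/jboss-service.xml"
check_pbe_config "$SAMPLE" && echo "configuration is consistent"
```

Point check_pbe_config at a directory containing copies of your real files; any mismatch is printed and the function returns non-zero.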
    

Example 18.1. JaasSecurityDomain definition for pkcs12 keystores

Based on Procedure 18.1, “Encrypt Tomcat Container Keystore Password”, the JaasSecurityDomain definition for a pkcs12 keystore referenced by the Tomcat Connector looks similar to this example.
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=PBESecurityDomain">
    <constructor>
       <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
    </constructor>
    <attribute name="KeyStoreType">pkcs12</attribute>
    <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
    <attribute name="Salt">welcometojboss</attribute>
    <attribute name="IterationCount">13</attribute>
</mbean>

18.1. Medium Security Usecase

In this use case, a user does not want to encrypt the keystore password but wants to externalize it (outside of server.xml), or wants to make use of a predefined JaasSecurityDomain.

Procedure 18.2. Predefined JaasSecurityDomain

  1. Update jboss-service.xml to add a connector

    Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF, and add the following code block to the jboss-service.xml file.
    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=SecurityDomain">
       <constructor>
          <arg type="java.lang.String" value="jbosstest-ssl"></arg>
       </constructor>
       <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
       <attribute name="KeyStorePass">unit-tests-server</attribute>
    </mbean>

  2. Add a <depends> tag to the Tomcat service

    Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar.
    Open server.xml and append the following <depends> element toward the end of the file:
          <depends>jboss.security:service=SecurityDomain</depends>
       </mbean>
    </server>

  3. Define the JaasSecurityDomain MBean in a *-service.xml file

    For example, define it in security-service.xml in the deploy directory.
    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=SecurityDomain">
       <constructor>
          <arg type="java.lang.String" value="jbosstest-ssl"></arg>
       </constructor>
       <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
       <attribute name="KeyStorePass">unit-tests-server</attribute>
    </mbean>


Note

If you see this error, remember that the keystore file must be writable by the user ID that is running JBoss Enterprise Application Platform.