Use CLI to configure Vault in JBoss EAP 6/7.0


Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6
    • 7
  • Using JBoss EAP Vault for Sensitive Strings
  • Configuring new Vault or automating manually configured one

Issue

  • Created a Vault manually, but need to automate it
  • Migrated to a new version, and the old CLI commands return an error:

    {
        "outcome" => "failed",
        "failure-description" => "JBAS014749: Operation handler failed: JBAS015804: Error initializing vault --  org.jboss.as.server.services.security.VaultReaderException: JBAS013313: Vault Reader Exception:",
        "rolled-back" => true
    }
    

Resolution

These examples are for domain mode. Replace "HOST" with the name in the host-*.xml being used. In standalone mode, remove /host=HOST.

  • JBoss EAP 7.0:

    /host=HOST/core-service=vault:add(vault-options={KEYSTORE_URL="/path/to/vault.keystore",KEYSTORE_PASSWORD="MASK-3rauBK.94Lxy3ergkZdex",KEYSTORE_ALIAS="vault",SALT="12345678",ITERATION_COUNT="10"})
    
  • JBoss EAP 6:

    /host=HOST/core-service=vault:add(vault-options={ "KEYSTORE_URL" => "/path/to/vault.keystore", "KEYSTORE_PASSWORD" => "MASK-3rauBK.94Lxy3ergkZdex", "KEYSTORE_ALIAS" => "vault", "SALT" => "12345678", "ITERATION_COUNT" => "54", "ENC_FILE_DIR" => "/path/to/vault/"})
    
    • The vault options are not a list, so using [] might return an exception.
    • The vault options are an object, so define them using {} instead of [].
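
As an added example (not part of the original Red Hat solution), the shell functions below generate the vault:add operation in either notation shown above, with or without the /host=HOST prefix, and can write it to a CLI script file readable only by its owner. The function names, the eap6/eap7 style labels and the jboss-cli.sh path in the comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# "eap6"/"eap7" style labels are assumptions made for illustration.

# vault_address HOST: resource address; an empty HOST means standalone mode.
vault_address() {
    if [ -n "$1" ]; then printf '/host=%s/core-service=vault' "$1"
    else printf '/core-service=vault'; fi
}

# vault_options STYLE KEY=VALUE...: render the vault-options object.
#   eap7 -> {KEY="VALUE",...}     eap6 -> {"KEY" => "VALUE",...}
vault_options() {
    style=$1; shift
    out=""
    for kv in "$@"; do
        case $kv in ?*=*) ;; *) echo "expected KEY=VALUE, got: $kv" >&2; return 1 ;; esac
        key=${kv%%=*}; val=${kv#*=}
        # A double quote in a value would end the CLI string early; refuse it.
        case $val in *\"*) echo "double quote in value of $key" >&2; return 1 ;; esac
        case $style in
            eap7) item="$key=\"$val\"" ;;
            eap6) item="\"$key\" => \"$val\"" ;;
            *) echo "unknown style: $style" >&2; return 1 ;;
        esac
        out="${out:+$out,}$item"
    done
    printf '{%s}' "$out"
}

# vault_add_op STYLE HOST KEY=VALUE...: the complete vault:add operation.
vault_add_op() {
    op_style=$1; op_host=$2; shift 2
    op_opts=$(vault_options "$op_style" "$@") || return 1
    printf '%s:add(vault-options=%s)' "$(vault_address "$op_host")" "$op_opts"
}

# write_cli_script FILE OPERATION: store the operation in a file created
# with owner-only permissions, so the masked password and salt are not
# placed on a command line. Run it with (path is an assumption):
#   "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file=FILE
write_cli_script() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# Rebuild the EAP 7.0 domain-mode command from the article's sample values.
vault_add_op eap7 HOST KEYSTORE_URL=/path/to/vault.keystore \
    KEYSTORE_PASSWORD=MASK-3rauBK.94Lxy3ergkZdex KEYSTORE_ALIAS=vault \
    SALT=12345678 ITERATION_COUNT=10
echo
```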

For detailed information on Vaults, refer to Password Vault
