Vault values via EAP CLI does not work properly


Environment

  • Red Hat JBoss Enterprise Application Platform
    • 7

Issue

  • How to set a masked vault value via the CLI when resolve-parameter-values is set to true in jboss-cli.xml?
  • When setting masked vault values via a CLI script, the $, the word VAULT and the braces {} get stripped off:

[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:write-attribute(name=keystore-password,value="${VAULT::realm::password::1}")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:read-resource
{
    "outcome" => "success",
    "result" => {
        "alias" => "jboss",
        "enabled-cipher-suites" => undefined,
        "enabled-protocols" => [
            "TLSv1",
            "TLSv1.1",
            "TLSv1.2"
        ],
        "key-password" => undefined,
        "keystore-password" => ":realm::password::1",
        "keystore-path" => "/home/user/jboss-eap-6.3/ssl/newkey.jks",
        "keystore-provider" => "JKS",
        "keystore-relative-to" => undefined,
        "protocol" => "TLS"
    },
    "response-headers" => {"process-state" => "reload-required"}
}
  • In 6.4, quoting the values to set a Vault reference was enough, but something has evidently changed.

Resolution

When resolve-parameter-values is set to true in jboss-cli.xml, the CLI tries to resolve expressions of the form ${...} (system properties passed as command arguments or operation parameter values) before the operation is sent to the server, so a vault reference is treated as an ordinary property expression.
Hence, to keep the expression from being resolved, pass the vault value with an extra $ symbol prefixed when resolve-parameter-values is set to true. This may also be needed in some cases when resolve-parameter-values is set to false. For example:

[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:write-attribute(name=keystore-password,value="$${VAULT::realm::password::1}")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:read-resource
{
    "outcome" => "success",
    "result" => {
        "alias" => "jboss",
        "enabled-cipher-suites" => undefined,
        "enabled-protocols" => [
            "TLSv1",
            "TLSv1.1",
            "TLSv1.2"
        ],
        "key-password" => undefined,
        "keystore-password" => expression "${VAULT::realm::password::1}",
        "keystore-path" => "/home/user/jboss-eap-6.3/ssl/newkey.jks",
        "keystore-provider" => "JKS",
        "keystore-relative-to" => undefined,
        "protocol" => "TLS"
    },
    "response-headers" => {"process-state" => "reload-required"}
}

The additional $ is a special character that escapes the expression that follows it: the CLI strips the escape and passes the literal ${VAULT::realm::password::1} through to the server, where it is stored as an expression and resolved from the vault at runtime.
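The following is an added example, not part of the Red Hat solution and not code from the EAP CLI. It is a small Python model of the CLI-side expression resolution described above, plus a pre-flight check that scans a CLI batch script for vault references that lack the escaping $. The model assumes the standard ${name:default} expression syntax (property name up to the first colon, default value after it), which is what turns "${VAULT::realm::password::1}" into ":realm::password::1" in the Issue output: "VAULT" is read as an unset property and everything after the first colon as its default. The script lines are constructed samples; the unresolvable-expression behaviour is a simplification of what the real CLI does.

```python
import re

# Constructed sample lines from a jboss-cli batch script (not from a real server).
CLI_SCRIPT_LINES = [
    '/core-service=management/security-realm=httpsRealm/server-identity=ssl:'
    'write-attribute(name=keystore-password,value="${VAULT::realm::password::1}")',
    '/core-service=management/security-realm=httpsRealm/server-identity=ssl:'
    'write-attribute(name=keystore-password,value="$${VAULT::realm::password::1}")',
    '/system-property=app.home:add(value="${jboss.home.dir}")',
]

# Matches ${...} and its escaped form $${...}.
EXPR = re.compile(r'\$\$?\{([^}]*)\}')

# A vault reference whose leading $ is NOT itself preceded by an escaping $.
UNESCAPED_VAULT_REF = re.compile(r'(?<!\$)\$\{VAULT::')


def resolve_expressions(text, props):
    """Simplified model of the CLI with resolve-parameter-values=true.

    ${name}         -> value of property `name`
    ${name:default} -> value of `name`, or `default` if it is unset
    $${...}         -> literal ${...} (the extra $ escapes the expression)

    Assumption: an expression that cannot be resolved and has no default is
    left untouched here; the real CLI reports an error instead.
    """
    def substitute(match):
        if match.group(0).startswith('$$'):
            # Escaped: drop the extra $ and hand ${...} through verbatim.
            return match.group(0)[1:]
        name, sep, default = match.group(1).partition(':')
        if name in props:
            return props[name]
        if sep:
            # Unset property with a default: the default wins. This is why
            # ${VAULT::realm::password::1} collapses to ":realm::password::1".
            return default
        return match.group(0)
    return EXPR.sub(substitute, text)


def find_unescaped_vault_refs(lines):
    """Return (line_number, line) for every vault reference the CLI would
    mangle when resolve-parameter-values is true, so scripts can be checked
    before they are run against a server."""
    return [(n, line) for n, line in enumerate(lines, 1)
            if UNESCAPED_VAULT_REF.search(line)]


if __name__ == "__main__":
    props = {"jboss.home.dir": "/opt/jboss-eap-7"}
    for line in CLI_SCRIPT_LINES:
        print(resolve_expressions(line, props))
    for n, line in find_unescaped_vault_refs(CLI_SCRIPT_LINES):
        print(f"line {n}: unescaped vault reference, prefix it with an extra $")
```

Running the check over a script before feeding it to jboss-cli.sh catches the single-$ form early; the read-resource output on the server is the authoritative confirmation, since a correctly stored value shows up there as expression "${VAULT::...}" rather than as a plain string.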

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
