Vault values via EAP CLI does not work properly
Environment
- Red Hat JBoss Enterprise Application Platform
- 7
Issue
- How to set masked vault value via CLI when
resolve-parameter-valuesset to true injboss-cli.xml? - When setting masked vault values via CLI script they get stripped off
$, wordVAULTand braces{}
[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:write-attribute(name=keystore-password,value="${VAULT::realm::password::1}")
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:read-resource
{
"outcome" => "success",
"result" => {
"alias" => "jboss",
"enabled-cipher-suites" => undefined,
"enabled-protocols" => [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"key-password" => undefined,
"keystore-password" => ":realm::password::1",
"keystore-path" => "/home/user/jboss-eap-6.3/ssl/newkey.jks",
"keystore-provider" => "JKS",
"keystore-relative-to" => undefined,
"protocol" => "TLS"
},
"response-headers" => {"process-state" => "reload-required"}
}
- In 6.4, quoting the values to set a Vault reference was enough but something has evidently changed.
Resolution
When resolve-parameter-values is set to true in jboss-cli.xml, it tries to resolve the expressions (system properties specified as command argument or operation parameter values).
Hence to ignore expression, pass the vault value prefixing with and extra $ symbol when resolve-parameter-values set to true. This may also be needed in some cases when resolve-parameter-values is set to false. For example:
[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:write-attribute(name=keystore-password,value="$${VAULT::realm::password::1}")
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
[standalone@localhost:9990 /] /core-service=management/security-realm=httpsRealm/server-identity=ssl:read-resource
{
"outcome" => "success",
"result" => {
"alias" => "jboss",
"enabled-cipher-suites" => undefined,
"enabled-protocols" => [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"key-password" => undefined,
"keystore-password" => expression "${VAULT::realm::password::1}",
"keystore-path" => "/home/user/jboss-eap-6.3/ssl/newkey.jks",
"keystore-provider" => "JKS",
"keystore-relative-to" => undefined,
"protocol" => "TLS"
},
"response-headers" => {"process-state" => "reload-required"}
}
The additional $ is a special character to escape the following expression.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments