Using vault to encrypt the secret for remote host connection


Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.x
    • 7.x

Issue

  • Can the vault be used to encrypt the password that a remote slave host controller uses as the "secret-value" when establishing a connection to a secured master domain controller?
  • How to encrypt the secret-value used in host.xml with JBoss Vault?

Resolution

The vault can be used to encrypt the password that is used as the secret-value when connecting a slave host to the domain master.

1. First, set up a vault; see:

EAP 7

Encrypting passwords in EAP 7 configuration files using the Vault

EAP 6

How to encrypt passwords in my EAP 6 configuration files using vault?

2. After enabling the vault in the domain configuration, replace the secret value with a vault reference to the previously stored password, as in the example below:

host-slave.xml snippet:

<host xmlns="urn:jboss:domain:8.0">
    <extensions>
...
    </extensions>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/jboss_home/bin/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-5WNXs8oEbrs"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="/jboss_home/bin/"/>
    </vault>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <!-- ${VAULT::<block>::<attribute>::<shared-key>}: the password stored in the vault
                         under block "password", attribute "remote" -->
                    <secret value="${VAULT::password::remote::1}"/>
                </server-identities>
                <authentication>
...
                </authentication>
            </security-realm>
        </security-realms>
    </management>
...
</host>

Notes:
Store the plaintext password in the vault, not the Base64-encoded value that is printed after creating the access user; a vaulted Base64 value will not work.

Remember that in domain mode, whenever the vault keystore is updated, the same keystore must be copied to every host in the domain.
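As an added example, not from the article, the following Python check audits the <secret> values in a host configuration: a value of the form ${VAULT::block::attribute::SHARED_KEY} is reported as vaulted, anything else is flagged as an exposed credential, and a Base64 value (the form add-user prints) is decoded to show that encoding is not encryption. The two XML fragments and the password "s3cret" are constructed for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed host-slave.xml fragments (not from the article): one still carrying
# the Base64 value printed by add-user, one referencing the vault instead.
PLAINTEXT_HOST_XML = """<host xmlns="urn:jboss:domain:8.0">
  <management><security-realms><security-realm name="ManagementRealm">
    <server-identities><secret value="czNjcmV0"/></server-identities>
  </security-realm></security-realms></management></host>"""

VAULTED_HOST_XML = """<host xmlns="urn:jboss:domain:8.0">
  <management><security-realms><security-realm name="ManagementRealm">
    <server-identities><secret value="${VAULT::password::remote::1}"/></server-identities>
  </security-realm></security-realms></management></host>"""

# ${VAULT::<vault-block>::<attribute>::<shared-key>} as used in host.xml
VAULT_REF = re.compile(
    r"^\$\{VAULT::(?P<block>[^:]+)::(?P<attr>[^:]+)::(?P<shared>[^}]+)\}$"
)


def audit_secret_values(host_xml: str) -> list[dict]:
    """Return one finding per <secret> element in the host configuration.

    A value matching the VAULT reference syntax is reported as "vaulted";
    any other value is "exposed" and, when it is valid Base64, is decoded
    to make visible that Base64 only hides the password from casual reading.
    """
    root = ET.fromstring(host_xml)
    # Namespace prefix of the root tag, e.g. "{urn:jboss:domain:8.0}"
    ns = root.tag[root.tag.find("{"):root.tag.find("}") + 1]
    findings = []
    for secret in root.iter(f"{ns}secret"):
        value = secret.get("value", "")
        match = VAULT_REF.match(value)
        if match:
            findings.append({"status": "vaulted", **match.groupdict()})
            continue
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = None  # not Base64: a raw plaintext or malformed value
        findings.append({"status": "exposed", "value": value, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for name, xml in (("plaintext", PLAINTEXT_HOST_XML), ("vaulted", VAULTED_HOST_XML)):
        print(name, audit_secret_values(xml))
```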

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
