Protecting Sensitive Information in Web Container (JBoss)

jboss Jan 19, 2021

Everyone needs to secure sensitive details these days, but when it comes to a web container we usually think of storing things in configuration files. Aren't we exposing database passwords by putting them in plain text in those configurations? This post introduces the JBoss vault, where you can keep sensitive information such as passwords and access it during the web container life cycle.

How to set up a vault?

  • Create a directory "vault" in your home directory.
  • Set up a keystore using JAVA_HOME/bin/keytool:
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass password123 -keypass password123 -keystore /home/ec2-user/vault/vault.keystore
  • Set up the JBoss vault using EAP_HOME/bin/vault.sh:
  1. Enter 0  (0: Start Interactive Session)
  2. Enter directory to store encrypted files: /home/ec2-user/vault/
  3. Enter Keystore URL: /home/ec2-user/vault/vault.keystore
  4. Enter Keystore password: password123
  5. Enter 8 character salt: 12345678
  6. Enter iteration count as a number (e.g.: 44): 11
  7. Enter Keystore Alias: vault

Copy the lines below from the console:

WFLYSEC0048: Vault Configuration commands in WildFly for CLI:
********************************************
For standalone mode:
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/ec2-user/vault/vault.keystore"),("KEYSTORE_PASSWORD" => "MASK-1jFQenP7oOE5MJsMh.4DeJ"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),("ITERATION_COUNT" => "11"),("ENC_FILE_DIR" => "/home/ec2-user/vault/")])
********************************************
For domain mode:
/host=the_host/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/ec2-user/vault/vault.keystore"),("KEYSTORE_PASSWORD" => "MASK-1jFQenP7oOE5MJsMh.4DeJ"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),("ITERATION_COUNT" => "11"),("ENC_FILE_DIR" => "/home/ec2-user/vault/")])
********************************************
WFLYSEC0057: Vault is initialized and ready for use

Choose 0 to add an attribute to the vault.

Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit
  1. "Please enter secured attribute value (such as password)": this is the value of the attribute (for example, the SQL DB password 'password123!').
  2. Enter Vault Block: myapp
  3. Enter Attribute Name: db.password

Take note of the following console output:

Please make note of the following:
********************************************
Vault Block:myapp
Attribute Name:db.password
Configuration should be done as follows:
VAULT::myapp::db.password::1
********************************************
  1. VAULT::myapp::db.password::1 is the key for the DB password; this key is provided by the client.

For LDAP (password: p@ssw0rd)

0

Task: Store a secured attribute
Please enter secured attribute value (such as password)
Please enter secured attribute value again
Values match
Enter Vault Block:myapp
Enter Attribute Name:ldap.password
WFLYSEC0047: Secured attribute value has been stored in Vault.

Please make note of the following:
********************************************
Vault Block:myapp
Attribute Name:ldap.password
Configuration should be done as follows:
VAULT::myapp::ldap.password::1
********************************************

Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit

For SUPERUSER (password: tookitaki)

0

Task: Store a secured attribute
Please enter secured attribute value (such as password)
Please enter secured attribute value again
Values match
Enter Vault Block:myapp
Enter Attribute Name:superuser.password
WFLYSEC0047: Secured attribute value has been stored in Vault.

Please make note of the following:
********************************************
Vault Block:myapp
Attribute Name:superuser.password
Configuration should be done as follows:
VAULT::myapp::superuser.password::1
********************************************

Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit

1

Task: Verify whether a secured attribute exists
Enter Vault Block:myapp
Enter Attribute Name:ldap.password
A value exists for [myapp::ldap.password]

Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit

  1. Enter 3: Exit.
  2. Make sure JBoss is running, then proceed below.

Adding the above vault details to EAP_HOME/standalone/configuration/standalone.xml

  1. Run EAP_HOME/bin/jboss-cli.sh --connect --controller=localhost:9990

Copy the standalone-mode command from the vault.sh output above (shown again below) and paste it into the CLI console you just opened:

/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/ec2-user/vault/vault.keystore"),("KEYSTORE_PASSWORD" => "MASK-1jFQenP7oOE5MJsMh.4DeJ"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),("ITERATION_COUNT" => "11"),("ENC_FILE_DIR" => "/home/ec2-user/vault/")])
  1. This adds the vault details to EAP_HOME/standalone/configuration/standalone.xml.
  2. Cross-check using cat standalone.xml | grep "vault"
  3. All done!
  4. To remove the vault configuration from JBoss:
    a. Run EAP_HOME/bin/jboss-cli.sh --connect --controller=localhost:9990
    b. /core-service=vault:remove

Note: The installation is done on EAP 7.1.1
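The whole procedure above, scripted end to end as an added example (this is not code from the original post): the keystore and vault.sh steps without the interactive menu, the jboss-cli call that makes a datasource consume the VAULT::myapp::db.password::1 key, and an audit that does the "grep vault" cross-check the other way round by listing any <password> element in standalone.xml that is still plain text. Assumptions: JAVA_HOME and EAP_HOME are set, the vault lives in $HOME/vault as in the post, the long options are the non-interactive flags of EAP's vault.sh (VaultTool), the datasource name ExampleDS is hypothetical, and the XML fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the post's code. Scripts the manual vault procedure, shows a
# datasource consuming a vault key, and audits standalone.xml for plain-text passwords.

VAULT_DIR="${VAULT_DIR:-$HOME/vault}"    # assumption: same layout as the post
KEYSTORE="$VAULT_DIR/vault.keystore"
STOREPASS="${STOREPASS:-password123}"    # value from the post; replace in real use
SALT="12345678"                          # from the post
ITER="11"                                # from the post
ALIAS="vault"

# Expression JBoss resolves at runtime from block + attribute, e.g. ${VAULT::myapp::db.password::1}
vault_ref() {   # vault_ref <vault-block> <attribute>
    printf '${VAULT::%s::%s::1}' "$1" "$2"
}

# Steps 1-7 of the post without the interactive menu (needs a real EAP install; not run in the demo).
create_keystore() {
    mkdir -p "$VAULT_DIR"
    "$JAVA_HOME/bin/keytool" -genseckey -alias "$ALIAS" -storetype jceks -keyalg AES \
        -keysize 128 -storepass "$STOREPASS" -keypass "$STOREPASS" -keystore "$KEYSTORE"
}

store_attr() {   # store_attr <vault-block> <attribute> <secret>
    "$EAP_HOME/bin/vault.sh" --keystore "$KEYSTORE" --keystore-password "$STOREPASS" \
        --alias "$ALIAS" --enc-dir "$VAULT_DIR/" --salt "$SALT" --iteration "$ITER" \
        --vault-block "$1" --attribute "$2" --sec-attr "$3"
}

# Point a datasource password at the vault instead of a literal (datasource name is hypothetical).
set_ds_password() {   # set_ds_password <datasource-name> <vault-block> <attribute>
    ref=$(vault_ref "$2" "$3")
    "$EAP_HOME/bin/jboss-cli.sh" --connect --controller=localhost:9990 \
        --command="/subsystem=datasources/data-source=$1:write-attribute(name=password,value=\"$ref\")"
}

# Constructed standalone.xml fragment for the audit; $1 becomes the <password> value.
sample_datasource_xml() {
    cat <<EOF
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
  <datasources>
    <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
      <connection-url>jdbc:h2:mem:test</connection-url>
      <security>
        <user-name>sa</user-name>
        <password>$1</password>
      </security>
    </datasource>
  </datasources>
</subsystem>
EOF
}

# Audit: list every <password> element that is not a ${VAULT::block::attr::N} expression.
# Returns 1 when at least one plain-text password remains, 0 when all are vaulted.
audit_plaintext_passwords() {   # audit_plaintext_passwords <standalone.xml>
    plain=$(grep -o '<password>[^<]*</password>' "$1" \
        | sed -e 's#<password>##' -e 's#</password>##' \
        | grep -v '^\${VAULT::[^:]*::[^:]*::[0-9][0-9]*}$' || true)
    if [ -n "$plain" ]; then
        printf 'plain-text password(s) still in %s:\n%s\n' "$1" "$plain"
        return 1
    fi
    return 0
}

# Demo on the constructed fragments; needs no EAP installation.
demo() {
    tmp=$(mktemp -d)
    sample_datasource_xml 'password123!' > "$tmp/before.xml"
    sample_datasource_xml "$(vault_ref myapp db.password)" > "$tmp/after.xml"
    audit_plaintext_passwords "$tmp/before.xml" || echo "before.xml: plain text found (expected)"
    audit_plaintext_passwords "$tmp/after.xml" && echo "after.xml: OK, only vault references"
    rm -rf "$tmp"
}

demo
```

Run the audit against the real EAP_HOME/standalone/configuration/standalone.xml after the CLI step; the vault core-service being present (the post's grep) is necessary but not sufficient, since a datasource that still carries a literal password is exactly what the vault was meant to remove.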

Kshitij

Lead Engineer at Tookitaki