Tuesday, November 20, 2007

Tip 12: Encrypt Datastore Passwords in JBoss JCA

JBoss JCA Encrypt DataStore Password

This page gives you the instructions for encrypting the data store password. Please also have a look at http://wiki.jboss.org/wiki/Wiki.jsp?page=EncryptKeystorePasswordInTomcatConnector
for the subtle details of PBE (Password Based Encryption), mainly the details on password, salt and IterationCount.

Caveats:
1. Note that Password Based Encryption works on a tuple (password, salt, iteration count), so make sure the JaasSecurityDomain MBean uses the same salt and iteration count that you used when generating the opaque password.

Here is an example:
java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils welcometopbe 15 somepassword server.password
Encoded password: E5rtGMKcXPP


Note that the encoded password is my own cooked-up value (so it may not be the result of your command execution).

Now, this is how you configure your MBeans.

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
  <constructor>
    <arg type="java.lang.String" value="ServerMasterPassword"/>
  </constructor>
  <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
  <attribute name="Salt">welcometopbe</attribute>
  <attribute name="IterationCount">15</attribute>
</mbean>

As you can see, the salt and iteration count in the MBean definition
are exactly the same as those used in the password generation.

If you see the following error in your log, it means that you are using a
different salt or iteration count than the one you used during
password generation. Also verify that your DS depends on the MBean defining the JaasSecurityDomain.
java.security.InvalidAlgorithmParameterException: Parameters missing


2. If JBoss cannot find the password file, then you will see an error such as:
ERROR [org.jboss.security.plugins.FilePassword] Failed to decode password file

Here is an example of a postgres-ds.xml that encrypts the DS password.

<?xml version="1.0" encoding="UTF-8"?>

<!-- ===================================================================== -->
<!--                                                                       -->
<!-- JBoss Server Configuration                                            -->
<!--                                                                       -->
<!-- ===================================================================== -->

<!-- ==================================================================== -->
<!-- Datasource config for Postgres                                       -->
<!-- ==================================================================== -->

<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:postgresql://localhost:5432/teste</connection-url>
    <driver-class>org.postgresql.Driver</driver-class>

    <security-domain>EncryptedHsqlDbRealm</security-domain>
    <metadata>
      <type-mapping>PostgreSQL 8.0</type-mapping>
    </metadata>
    <depends>jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</depends>
  </local-tx-datasource>

  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
    <constructor>
      <arg type="java.lang.String" value="ServerMasterPassword"/>
    </constructor>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
    <attribute name="Salt">12345678</attribute>
    <attribute name="IterationCount">17</attribute>
  </mbean>
</datasources>
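As an added example (not part of the original post and not JBoss code), here is a small Python script that checks the two things the caveats above say must hold: the Salt and IterationCount on the JaasSecurityDomain MBean must equal the values given to PBEUtils, and each datasource must declare a <depends> on that MBean. It also carries out the PKCS#5 PBES1 key derivation (RFC 2898, section 6.1) that a PBEwithMD5andDES cipher performs from the (password, salt, count) tuple, assuming that is the cipher the MBean uses, so you can see that changing either the salt or the count produces a different DES key and IV, and that PBES1 takes an eight-byte salt. The embedded XML is a constructed sample in the shape of the postgres-ds.xml above; its values are made up for the demo.

```python
import hashlib
import xml.etree.ElementTree as ET

JAAS_DOMAIN_CLASS = "org.jboss.security.plugins.JaasSecurityDomain"

# Constructed sample in the shape of the post's postgres-ds.xml; the salt,
# iteration count and JNDI name are made-up demo values, not real config.
SAMPLE_DS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:postgresql://localhost:5432/teste</connection-url>
    <driver-class>org.postgresql.Driver</driver-class>
    <security-domain>EncryptedDbRealm</security-domain>
    <depends>jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</depends>
  </local-tx-datasource>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
    <constructor>
      <arg type="java.lang.String" value="ServerMasterPassword"/>
    </constructor>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
    <attribute name="Salt">12345678</attribute>
    <attribute name="IterationCount">17</attribute>
  </mbean>
</datasources>
"""


def pbes1_key_iv(password, salt, count):
    """PKCS#5 PBES1 derivation (RFC 2898 6.1) as performed by PBEwithMD5andDES:
    T1 = MD5(P || S), Ti = MD5(Ti-1), DK = Tc; DES key = DK[0:8], IV = DK[8:16].
    The whole (password, salt, count) tuple feeds the key, so any mismatch
    between PBEUtils and the MBean yields a different key and a failed decrypt."""
    if len(salt) != 8:
        raise ValueError(f"PBES1 salt must be exactly 8 bytes, got {len(salt)}")
    if count < 1:
        raise ValueError("iteration count must be at least 1")
    t = hashlib.md5(password.encode("utf-8") + salt).digest()
    for _ in range(count - 1):
        t = hashlib.md5(t).digest()
    return t[:8], t[8:16]


def read_mbean_params(ds_xml):
    """Return name, Salt and IterationCount of the JaasSecurityDomain MBean in a -ds.xml."""
    root = ET.fromstring(ds_xml.encode("utf-8"))
    for mbean in root.iter("mbean"):
        if mbean.get("code") != JAAS_DOMAIN_CLASS:
            continue
        attrs = {a.get("name"): (a.text or "").strip() for a in mbean.findall("attribute")}
        count = attrs.get("IterationCount")
        return {
            "name": mbean.get("name"),
            "salt": attrs.get("Salt"),
            "count": int(count) if count is not None else None,
        }
    raise ValueError("no JaasSecurityDomain mbean found in the file")


def check_config(ds_xml, gen_salt, gen_count):
    """Lint a -ds.xml against the salt and count that were given to PBEUtils.
    Returns a list of problem strings; an empty list means the config is consistent."""
    problems = []
    params = read_mbean_params(ds_xml)
    if params["salt"] != gen_salt:
        problems.append(f"Salt {params['salt']!r} differs from generation salt {gen_salt!r}")
    if params["count"] != gen_count:
        problems.append(f"IterationCount {params['count']!r} differs from generation count {gen_count!r}")
    if params["salt"] is not None and len(params["salt"].encode("utf-8")) != 8:
        problems.append(f"Salt {params['salt']!r} is not 8 bytes, which PBES1 requires")
    root = ET.fromstring(ds_xml.encode("utf-8"))
    for ds in root.iter("local-tx-datasource"):
        jndi = ds.findtext("jndi-name", "?")
        deps = [d.text.strip() for d in ds.findall("depends") if d.text]
        if params["name"] not in deps:
            problems.append(f"datasource {jndi} has no <depends> on {params['name']}")
    return problems


if __name__ == "__main__":
    # The post's first MBean used welcometopbe/15, while the sample file carries 12345678/17.
    for p in check_config(SAMPLE_DS_XML, "welcometopbe", 15):
        print("PROBLEM:", p)
    print("consistent with 12345678/17:", check_config(SAMPLE_DS_XML, "12345678", 17) == [])
    key_a, iv_a = pbes1_key_iv("somepassword", b"12345678", 17)
    key_b, iv_b = pbes1_key_iv("somepassword", b"12345678", 15)
    print("different count gives the same DES key?", key_a == key_b)
```

Run it against your own -ds.xml by reading the file into check_config together with the salt and count you passed on the PBEUtils command line; an empty list means the MBean and the encoded password agree and the datasource will be started after the security domain.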

2 comments:

Prometheus said...

I've been trying to encrypt my datasource passwords by following your example, but I keep getting this error:

Invalid authentication attempt, principal=null

I noticed that your example does not specify the location of a keystore. Why is this? Is there a default keystore somewhere? I've been assuming I need to create a keystore first. For example, I create a keystore using this command:

keytool -genkey -alias businesscenter -keyalg RSA -keysize 1024 -keystore bc-keystore.jks

I then copy keystore.jks to my conf directory. I then specify the location of the keystore in my mbean declaration:

<attribute name="KeyStoreURL">resource:bc-keystore.jks</attribute>

Other than that, I pretty much follow your example. But no matter what I do, I continue to get the same error (which is not very helpful). I've been struggling with this for a few days and have run out of ideas. Anything you could offer to shed some light on this would be greatly appreciated.

Prometheus said...

Found the problem. JBoss is very picky about the seed that is used. I tried using "HallOfFameCafe" as a seed. PBEUtils generated an encrypted password without any errors, but JBoss threw an exception "Invalid authentication attempt, principal=null". But when I use an 8 letter seed using all lower case letters, everything works just fine in JBoss.

And I am assuming that the term "keystore" in this article must have been used in a very generic sense. I was confusing it with a java keystore that would be created with keytool.