Wednesday, March 28, 2012

How to encrypt database passwords using SecureIdentityLoginModule

1. Encrypt password

For JBoss EAP 4.3, use the script below:

JBOSSHOME=/apps/jboss-epp-5.1/jboss-as
PROFILE=production
echo "Please enter the password to be encrypted"
read password
java -cp $JBOSSHOME/lib/jboss-common.jar:$JBOSSHOME/lib/jboss-jmx.jar:$JBOSSHOME/server/$PROFILE/lib/jbosssx.jar:$JBOSSHOME/server/$PROFILE/lib/jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule $password

For JBoss EAP 5.1, use the script below:

JBOSSHOME=/apps/jboss-epp-5.1/jboss-as
PROFILE=production
echo "Please enter the password to be encrypted"
read password
java -cp $JBOSSHOME/client/jboss-logging-spi.jar:$JBOSSHOME/lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule $password

2. Set the username and encrypted password (generated in the previous step) and the managedConnectionFactoryName for your datasource

<policy>
    <!-- Example usage of the SecureIdentityLoginModule -->
    <application-policy name="EncryptDBPassword">
        <authentication>
            <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
                <module-option name="username">admin</module-option>
                <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
                <!-- Use this managedConnectionFactoryName for a non-XA datasource -->
                <module-option name="managedConnectionFactoryName">jboss.jca:name=PostgresDS,service=LocalTxCM</module-option>
                <!-- Use this managedConnectionFactoryName for an XA datasource -->
                <!-- <module-option name="managedConnectionFactoryName">jboss.jca:name=PostgresDS,service=XATxCM</module-option> -->
            </login-module>
        </authentication>
    </application-policy>
</policy>

3. Edit your datasource, removing the username and password properties and adding the security-domain you created in the previous step

<?xml version="1.0" encoding="UTF-8"?>
<datasources>
    <local-tx-datasource>
        <jndi-name>PostgresDS</jndi-name>
        <connection-url>jdbc:postgresql://127.0.0.1:5432/test?protocolVersion=2</connection-url>
        <driver-class>org.postgresql.Driver</driver-class>
        <min-pool-size>1</min-pool-size>
        <max-pool-size>20</max-pool-size>
        <security-domain>EncryptDBPassword</security-domain>
        <metadata>
            <type-mapping>PostgreSQL 8.0</type-mapping>
        </metadata>
    </local-tx-datasource>
</datasources>

4. The login-config.xml entry for EncryptDBPassword would look like:

<policy>
    <!-- Example usage of the SecureIdentityLoginModule -->
    <application-policy name="EncryptDBPassword">
        <authentication>
            <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
                <module-option name="username">admin</module-option>
                <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:name=PostgresDS,service=LocalTxCM</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
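Steps 2 to 4 only work when three values line up: the datasource's security-domain must name the application-policy, the managedConnectionFactoryName must be built from the datasource's jndi-name with LocalTxCM for a local-tx-datasource or XATxCM for an xa-datasource, and the plaintext user-name/password elements must actually be gone from the -ds.xml. A mismatch usually surfaces only as a connection failure at deploy time. The value from step 1 is also only an encoding that the login module reverses at runtime with a key built into JBoss, so the real protection for login-config.xml is restrictive file permissions, and a plaintext password pasted into the password option by mistake is worth catching. The checker below is an added example, not part of the original post or the JBoss project; the function names (load_policies, check_datasources) are my own, the sample XML is constructed from the snippets above, and it assumes credentials in a datasource appear as user-name/password elements (it does not inspect xa-datasource-property entries).

```python
"""Consistency check for a JBoss EAP 4.x/5.x datasource that delegates its
credentials to SecureIdentityLoginModule via a security-domain.
Added example (not from the original post or the JBoss project)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, taken from the snippets in the post.
DS_XML = """<datasources>
    <local-tx-datasource>
        <jndi-name>PostgresDS</jndi-name>
        <connection-url>jdbc:postgresql://127.0.0.1:5432/test?protocolVersion=2</connection-url>
        <driver-class>org.postgresql.Driver</driver-class>
        <min-pool-size>1</min-pool-size>
        <max-pool-size>20</max-pool-size>
        <security-domain>EncryptDBPassword</security-domain>
    </local-tx-datasource>
</datasources>"""

LOGIN_CONFIG_XML = """<policy>
    <application-policy name="EncryptDBPassword">
        <authentication>
            <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
                <module-option name="username">admin</module-option>
                <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:name=PostgresDS,service=LocalTxCM</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>"""

SECURE_IDENTITY = "org.jboss.resource.security.SecureIdentityLoginModule"
# Datasource element -> connection manager service expected in managedConnectionFactoryName.
SERVICE_FOR_DS = {"local-tx-datasource": "LocalTxCM", "xa-datasource": "XATxCM"}
# Step 1 prints the encoded password as a lowercase hex string.
HEX_RE = re.compile(r"^[0-9a-f]+$")


def load_policies(login_config_xml):
    """Map application-policy name -> module-option dict, for SecureIdentityLoginModule entries only."""
    policies = {}
    root = ET.fromstring(login_config_xml)
    for policy in root.iter("application-policy"):
        for lm in policy.iter("login-module"):
            if lm.get("code") != SECURE_IDENTITY:
                continue
            opts = {o.get("name"): (o.text or "").strip() for o in lm.iter("module-option")}
            policies[policy.get("name")] = opts
    return policies


def check_datasources(ds_xml, login_config_xml):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    policies = load_policies(login_config_xml)
    root = ET.fromstring(ds_xml)
    for ds_type, service in SERVICE_FOR_DS.items():
        for ds in root.iter(ds_type):
            jndi = (ds.findtext("jndi-name") or "").strip()
            # Plaintext credentials must not remain once a security-domain is used.
            for tag in ("user-name", "password"):
                if ds.find(tag) is not None:
                    findings.append(f"{jndi}: plaintext <{tag}> still present in datasource")
            domain = (ds.findtext("security-domain") or "").strip()
            if not domain:
                findings.append(f"{jndi}: no <security-domain> set")
                continue
            opts = policies.get(domain)
            if opts is None:
                findings.append(f"{jndi}: security-domain '{domain}' has no SecureIdentityLoginModule policy")
                continue
            if not HEX_RE.match(opts.get("password", "")):
                findings.append(f"{domain}: password option is not the hex output of step 1")
            expected = f"jboss.jca:name={jndi},service={service}"
            actual = opts.get("managedConnectionFactoryName", "")
            if actual != expected:
                findings.append(f"{domain}: managedConnectionFactoryName is '{actual}', expected '{expected}'")
    return findings


if __name__ == "__main__":
    for line in check_datasources(DS_XML, LOGIN_CONFIG_XML) or ["OK: datasource and login-config are consistent"]:
        print(line)
```

Run it against the real files by reading them into the two string arguments; any line it prints is a configuration that will fail at deploy time or still exposes a plaintext credential.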

Reference: https://community.jboss.org/wiki/EncryptingDataSourcePasswords