环境:JBoss EAP 6.4.0
之前写过一个给数据库口令加密的文章《JBoss_014:加密数据源口令(EAP 6.3.0) 》,不过那个是使用对称加密算法计算的,相同的口令加密后,密文是一样的,容易破解。
本文介绍基于公钥和私钥加密口令的方式。
1. 在[USER_HOME]目录下生成 keystore
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass password -keypass password -validity 730 -keystore vault.keystore
注意,这里只能使用 JCEKS 类型的keystore,否则会报错:PBOX000137: Security Vault does not contain SecretKey entry under alias (vault)
经查,这是EAP 6.4.0的一个BUG。
所以目前还不能使用如下的方式创建keystore:
keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore derbydbVault.keystore
2. 在[EAP_HOME]/bin目录下运行 ./vault.sh
=========================================================================
JBoss Vault
JBOSS_HOME: /Users/maping/Redhat/eap/demo/jboss-eap-6.4
JAVA: /Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home/bin/java
=========================================================================
**********************************
**** JBoss Vault ***************
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files: /Users/maping
Enter Keystore URL:/Users/maping/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Enter Keystore Alias:vault
Initializing Vault
八月 05, 2015 6:52:09 下午 org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in configuration file:
********************************************
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/Users/maping/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-31x/z0Xn83H4JaL0h5eK/N"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="50"/>
<vault-option name="ENC_FILE_DIR" value="/Users/maping/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Remove secured attribute 3: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:DerbyDB
Enter Attribute Name:password
Secured attribute value has been stored in vault.
Please make note of the following:
********************************************
Vault Block:DerbyDB
Attribute Name:password
Configuration should be done as follows:
VAULT::DerbyDB::password::1
********************************************
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Remove secured attribute 3: Exit
3
3. 在standalone.xml中,在</extensions>和<management>之间增加如下内容:
<vault>
<vault-option name="KEYSTORE_URL" value="/Users/maping/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-31x/z0Xn83H4JaL0h5eK/N"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="50"/>
<vault-option name="ENC_FILE_DIR" value="/Users/maping/"/>
</vault>
5. 在standalone.xml中,找到datasource部分找到password部分,内容替换如下:
<password>${VAULT::DerbyDB::password::1}</password>
6. 重启 EAP Server
确认数据库依然可以连接成功。
参考文献:
1. https://access.redhat.com/solutions/1439623
2. https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-6.4/red-hat-jboss-enterprise-application-platform-64-how-to-configure-server-security#password_vault
之前写过一个给数据库口令加密的文章《JBoss_014:加密数据源口令(EAP 6.3.0) 》,不过那个是使用对称加密算法计算的,相同的口令加密后,密文是一样的,容易破解。
本文介绍基于公钥和私钥加密口令的方式。
1. 在[USER_HOME]目录下生成 keystore
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass password -keypass password -validity 730 -keystore vault.keystore
注意,这里只能使用 JCEKS 类型的keystore,否则会报错:PBOX000137: Security Vault does not contain SecretKey entry under alias (vault)
经查,这是EAP 6.4.0的一个BUG。
所以目前还不能使用如下的方式创建keystore:
keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore derbydbVault.keystore
2. 在[EAP_HOME]/bin目录下运行 ./vault.sh
=========================================================================
JBoss Vault
JBOSS_HOME: /Users/maping/Redhat/eap/demo/jboss-eap-6.4
JAVA: /Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home/bin/java
=========================================================================
**********************************
**** JBoss Vault ***************
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files: /Users/maping
Enter Keystore URL:/Users/maping/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):50
Enter Keystore Alias:vault
Initializing Vault
八月 05, 2015 6:52:09 下午 org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in configuration file:
********************************************
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/Users/maping/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-31x/z0Xn83H4JaL0h5eK/N"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="50"/>
<vault-option name="ENC_FILE_DIR" value="/Users/maping/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Remove secured attribute 3: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:DerbyDB
Enter Attribute Name:password
Secured attribute value has been stored in vault.
Please make note of the following:
********************************************
Vault Block:DerbyDB
Attribute Name:password
Configuration should be done as follows:
VAULT::DerbyDB::password::1
********************************************
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Remove secured attribute 3: Exit
3
3. 在standalone.xml中,在</extensions>和<management>之间增加如下内容:
<vault>
<vault-option name="KEYSTORE_URL" value="/Users/maping/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-31x/z0Xn83H4JaL0h5eK/N"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="50"/>
<vault-option name="ENC_FILE_DIR" value="/Users/maping/"/>
</vault>
5. 在standalone.xml中,找到datasource部分找到password部分,内容替换如下:
<password>${VAULT::DerbyDB::password::1}</password>
6. 重启 EAP Server
确认数据库依然可以连接成功。
参考文献:
1. https://access.redhat.com/solutions/1439623
2. https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-6.4/red-hat-jboss-enterprise-application-platform-64-how-to-configure-server-security#password_vault
没有评论:
发表评论