This final post in my blog series explains how to set up a data source in JBoss, and how to secure the password in the data source using PicketBox Vault. As previously, this article uses a tagged release of JBoss that does not have a binary release available. The tagged release is JBoss 7.1.3.Final. The latest binary release of JBoss available for download is JBoss 7.1.1.Final.
PicketBox is a JBoss project focused on providing a Java Security Framework. This framework provides developers the support for Authentication, Authorization, Audit, and Security Mapping. We are using a feature of PicketBox called the Vault to secure our data source login password.
First, set up the Vault by creating a Java KeyStore. Create a folder under JBoss called vault, then create the KeyStore in that folder:
$ mkdir vault
$ cd vault
$ keytool -genkey -keyalg RSA -keysize 1024 -keystore jboss-vault.keystore -alias jboss-vault
Enter keystore password: jboss-vault
Re-enter new password: jboss-vault
What is your first and last name?
  [Unknown]: JBoss Vault
What is the name of your organizational unit?
  [Unknown]: vault
What is the name of your organization?
  [Unknown]: jboss
What is the name of your City or Locality?
  [Unknown]: somewhere
What is the name of your State or Province?
  [Unknown]: somewhere
What is the two-letter country code for this unit?
  [Unknown]: us
Is CN=JBoss Vault, OU=vault, O=jboss, L=somewhere, ST=somewhere, C=us correct?
  [no]: yes
Enter key password for <jboss-vault>
  (RETURN if same as keystore password):
Make sure to remember your keystore alias, and the password. In this case I make the alias and the password both jboss-vault. Obviously, you would not have them be the same in a real world environment. JBoss comes with a PicketBox Vault script for adding a password to the vault. In JBoss's bin directory, there will be a script called vault.sh. Use this script to store a password in the vault.
$ ./vault.sh
=========================================================================

  JBoss Vault

  JBOSS_HOME: /Users/eschley/Development/tools/jboss-as-7.1.3.Final

  JAVA: java

  VAULT Classpath: /Users/eschley/Development/tools/jboss-as-7.1.3.Final/modules/org/picketbox/main/*:/Users/eschley/Development/tools/jboss-as-7.1.3.Final/modules/org/jboss/logging/main/*:/Users/eschley/Development/tools/jboss-as-7.1.3.Final/modules/org/jboss/common-core/main/*:/Users/eschley/Development/tools/jboss-as-7.1.3.Final/modules/org/jboss/as/security/main/*

=========================================================================

**********************************
****  JBoss Vault  ********
**********************************
Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/Users/eschley/Development/tools/jboss-as-7.1.3.Final/vault
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/Users/eschley/Development/tools/jboss-as-7.1.3.Final/vault/
Enter Keystore URL:/Users/eschley/Development/tools/jboss-as-7.1.3.Final/vault/jboss-vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:asdfasdf
Enter iteration count as a number (Eg: 44):40
Please make note of the following:
********************************************
Masked Password:MASK-3dDdL63rCCSHbq5j3rbPl6
salt:asdfasdf
Iteration Count:40
********************************************
Enter Keystore Alias:jboss-vault
Obtained Vault
Initializing Vault
Feb 7, 2013 2:54:08 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
0
Task: Store a password
Please enter attribute value: test123
Please enter attribute value again: test123
Values match
Enter Vault Block:hsqldb_ds
Enter Attribute Name:password
Attribute Value for (hsqldb_ds, password) saved
Please make note of the following:
********************************************
Vault Block:hsqldb_ds
Attribute Name:password
Shared Key:NzU4YWNmYzEtZTI5NC00NjVjLTk4ODYtNjE3MjFlN2NlNDIzTElORV9CUkVBS2pib3NzLXZhdWx0
Configuration should be done as follows:
VAULT::hsqldb_ds::password::NzU4YWNmYzEtZTI5NC00NjVjLTk4ODYtNjE3MjFlN2NlNDIzTElORV9CUkVBS2pib3NzLXZhdWx0
********************************************
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
2
Pay very close attention to the final string that the vault script printed; we will use that as our password when we define the data source.
Configuration should be done as follows: VAULT::hsqldb_ds::password::NzU4YWNmYzEtZTI5NC00NjVjLTk4ODYtNjE3MjFlN2NlNDIzTElORV9CUkVBS2pib3NzLXZhdWx0
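The vault script also printed a masked keystore password, a salt and an iteration count, and the server can only resolve VAULT:: references once those values are wired into its configuration. The block below is an added example, not part of the original post: it is the vault element that does that wiring, using the PicketBox option names and the values and paths printed by the session above (substitute your own paths). It assumes domain mode, where the element goes into host.xml on each host, placed before the management element; in standalone mode the same element goes into standalone.xml.

```xml
<!-- Added example (not from the original post): vault configuration for
     JBoss AS 7.1.x. Values are the ones printed by vault.sh above; the
     directory paths are the author's and are assumed to be the same on
     the host running this configuration. -->
<vault>
    <!-- Keystore created with keytool in the vault directory -->
    <vault-option name="KEYSTORE_URL"
                  value="/Users/eschley/Development/tools/jboss-as-7.1.3.Final/vault/jboss-vault.keystore"/>
    <!-- Masked form of the keystore password, as printed by vault.sh -->
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-3dDdL63rCCSHbq5j3rbPl6"/>
    <!-- Alias chosen when the keystore was created -->
    <vault-option name="KEYSTORE_ALIAS" value="jboss-vault"/>
    <!-- Salt and iteration count entered during the vault.sh session;
         the mask can only be reversed with exactly these values -->
    <vault-option name="SALT" value="asdfasdf"/>
    <vault-option name="ITERATION_COUNT" value="40"/>
    <!-- Directory where vault.sh wrote the encrypted attribute files -->
    <vault-option name="ENC_FILE_DIR"
                  value="/Users/eschley/Development/tools/jboss-as-7.1.3.Final/vault/"/>
</vault>
```

Two things worth checking once this is in place. The masked password only obscures the keystore password, and the salt and iteration count needed to unmask it sit in the same file, so restrict read access on host.xml, the keystore and the ENC_FILE_DIR directory to the account that runs JBoss. And after the data source is added, grep the configuration directory for the database password itself: it should appear nowhere, only the VAULT:: reference should.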
Now, set up the data source. In JBoss 7.1.3.Final a data source can be defined in one of two places: depending on whether JBoss runs in standalone or domain mode, it goes in standalone.xml or domain.xml. In standalone mode you can also deploy it as a -ds.xml file in the server's deployments directory. Since we are using domain mode, we will configure it in domain.xml. Before we can do that, we need the correct JDBC driver. I chose the Hypersonic (HSQLDB) database because it is a simple standalone database that is easy to set up, but this technique should work for any database. The JDBC driver can be found at http://hsqldb.org/.
Next, put the JDBC driver (hsqldb.jar) in the correct location. To do this in JBoss AS7, create it as a module by creating the folder structure for the module, and creating a module.xml file.
$ cd ~/Development/tools/jboss-as-7.1.3.Final/modules/org
$ mkdir -p hsqldb/main    # -p creates both levels of the module path
$ cd hsqldb/main
$ cp ~/hsqldb.jar ./hsqldb-2.2.9.jar
Create module.xml file in the modules/org/hsqldb/main folder:
<module xmlns="urn:jboss:module:1.0" name="org.hsqldb">
    <resources>
        <resource-root path="hsqldb-2.2.9.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>
Once that is done, define the driver and create the data source in the domain.xml file located in the <JBOSS_HOME>/domain/configuration folder. Within the domain.xml file, find the drivers section and add to it a driver named hsqldb.
<drivers>
    <driver name="hsqldb" module="org.hsqldb"/>
    …
</drivers>
Find the datasources section and add the following.
<datasource jndi-name="java:jboss/datasources/sampledb"
            pool-name="sampledb"
            enabled="true"
            use-java-context="true">
    <connection-url>jdbc:hsqldb:hsql://10.0.1.50:9001</connection-url>
    <driver>hsqldb</driver>
    <pool></pool>
    <security>
        <user-name>sampleuser</user-name>
        <password>${VAULT::hsqldb_ds::password::NzU4YWNmYzEtZTI5NC00NjVjLTk4ODYtNjE3MjFlN2NlNDIzTElORV9CUkVBS2pib3NzLXZhdWx0}</password>
    </security>
</datasource>
Take note of the password in the data source: it is the string from earlier wrapped in ${ }. PicketBox Vault will recognize that reference and replace it with the actual password at runtime, so there is no need for a plaintext password to reside in a human-readable file on your server.
Now your data source should be ready to go and is secure.
Reference:
Part 1: JBoss AS7 Clustering Using mod_cluster and http 2.4 (Part 1)
Part 2: JBoss AS7 Clustering Using mod_cluster and http 2.4 (Part 2)
*JBoss Enterprise Edition is a registered trademark of Red Hat. OpenLogic is not affiliated with Red Hat. OpenLogic works with the JBoss Community Edition.