Secure credential store

The following explanations refer to the Elytron subsystem [Red Hat Elytron], which is used by both application servers (JBoss and WildFly) in their versions supported by ImageMaster. In this scenario it is assumed that the application server is already running.

Setup with the command line interface

To set up a credential store, follow the steps below in the command line interface (CLI); adjust parameter values such as the management host and port in the first step to your installation. The goal of the example is to remove the clear text password of a database connection from the server configuration.

  1. Connect to the running server instance via CLI:

    ./jboss-cli.sh --connect controller=localhost:10148

  2. Execute these commands within the CLI:

    • Create the credential store:

      /subsystem=elytron/credential-store=my_store:add(location="credentials/csstore.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text=mypassword},create=true)

      In the example above the following parameters are used:

      • my_store: name of the store resource; the datasource configuration in standalone.xml later references the store by this name

      • “credentials/csstore.jceks”: path and file name of the store (a JCEKS keystore)

        (interpreted as a path relative to the application server “data” directory because of relative-to=jboss.server.data.dir)

      • mypassword: the password that protects the store

      • create=true: create the store file if it does not exist yet

      Note that the store password passed as clear-text is itself written to standalone.xml in clear text. The store therefore only protects the database password against someone who obtains the store file but not the server configuration; restrict the file system permissions of both the “data” directory and standalone.xml accordingly.

    • Add an alias (database-pw) to the credential store that holds the password (“secret_DB_pwd”) of the database user:

      /subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="secret_DB_pwd")

To activate the usage of this alias for an existing datasource:

  1. Shut down the application server, e.g. via the CLI (use the management host and port of your installation):

    ./jboss-cli.sh --connect command=:shutdown controller=localhost:10048

  2. In standalone.xml

    replace the security section of the existing datasource, which contains the clear text password,

    OLD:

    <security>
      <user-name>my-db-username</user-name>
      <password>secret_DB_pwd</password>
    </security>

    with this section, which references the alias instead

    NEW:

    <security>
      <user-name>my-db-username</user-name>
      <credential-reference store="my_store" alias="database-pw"/>
    </security>
  3. Start the application server again, e.g. via ./standalone.sh

    The clear text password still exists in earlier copies of the configuration, for example in the configuration/standalone_xml_history directory that the server keeps, and in any backups. Remove those copies or change the database password afterwards.
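The complete procedure above, as an added shell example that is neither part of the ImageMaster documentation nor code of WildFly/JBoss: it generates the CLI operations for store, alias and datasource and applies them to the running server through the management interface, so the datasource change does not have to be made by hand in standalone.xml while the server is stopped. The datasource name ExampleDS, the installation directory taken from JBOSS_HOME and the environment variables CS_PASSWORD, DB_PASSWORD and APPLY_CREDENTIAL_STORE are assumptions of this example; the management address and the store values are those of the steps above.

```shell
#!/bin/sh
# Added example, not part of the ImageMaster documentation or of WildFly/JBoss.
# Generates the jboss-cli operations for the credential store procedure and
# applies them to a running server. Datasource name, JBOSS_HOME default and
# the environment variable names are assumptions of this example.
set -eu

JBOSS_HOME="${JBOSS_HOME:-/opt/wildfly}"          # assumed installation directory
CONTROLLER="${CONTROLLER:-localhost:10148}"       # management host:port from step 1
STORE_NAME="${STORE_NAME:-my_store}"
STORE_FILE="${STORE_FILE:-credentials/csstore.jceks}"
ALIAS="${ALIAS:-database-pw}"
DS_NAME="${DS_NAME:-ExampleDS}"                   # hypothetical datasource name

# write_cli_script OUTFILE STORE_PASSWORD DB_PASSWORD
# Writes the CLI operations to OUTFILE. Both passwords end up in that file, so
# it is restricted to the owner and must be deleted after use. The datasource
# password is undefined before credential-reference is written because the two
# attributes are alternatives; :reload at the end makes the datasource pick up
# the new reference.
write_cli_script() {
  out=$1
  store_pw=$2
  db_pw=$3
  # A double quote inside either password would break the CLI syntax; refuse
  # it instead of emitting a malformed operation.
  case "$store_pw$db_pw" in
    *\"*) echo "passwords must not contain double quotes" >&2; return 1 ;;
  esac
  : > "$out"
  chmod 600 "$out"
  cat >> "$out" <<EOF
/subsystem=elytron/credential-store=$STORE_NAME:add(location="$STORE_FILE", relative-to=jboss.server.data.dir, credential-reference={clear-text="$store_pw"}, create=true)
/subsystem=elytron/credential-store=$STORE_NAME:add-alias(alias=$ALIAS, secret-value="$db_pw")
/subsystem=elytron/credential-store=$STORE_NAME:read-aliases
/subsystem=datasources/data-source=$DS_NAME:undefine-attribute(name=password)
/subsystem=datasources/data-source=$DS_NAME:write-attribute(name=credential-reference, value={store=$STORE_NAME, alias=$ALIAS})
:reload
EOF
}

# apply_cli_script FILE
# Runs the generated operations against the controller. Returns 2 when
# jboss-cli.sh is not present, so the script can be inspected on a machine
# without an application server.
apply_cli_script() {
  cli="$JBOSS_HOME/bin/jboss-cli.sh"
  if [ ! -x "$cli" ]; then
    echo "jboss-cli.sh not found at $cli" >&2
    return 2
  fi
  "$cli" --connect --controller="$CONTROLLER" --file="$1"
}

# cleartext_passwords FILE
# Lists the <password> elements that remain in a server configuration and
# returns 1 if any is found, so the operator can confirm nothing was left
# behind after the change.
cleartext_passwords() {
  if grep -n '<password>' "$1"; then
    return 1
  fi
  return 0
}

# Apply only when explicitly requested. The secrets are taken from the
# environment rather than from command line arguments, which would be visible
# in the process list and in the shell history.
if [ "${APPLY_CREDENTIAL_STORE:-no}" = "yes" ]; then
  script=$(mktemp)
  trap 'rm -f "$script"' EXIT
  write_cli_script "$script" "${CS_PASSWORD:?store password}" "${DB_PASSWORD:?database password}"
  apply_cli_script "$script"
  cleartext_passwords "$JBOSS_HOME/standalone/configuration/standalone.xml"
fi
```

Invoke it as `APPLY_CREDENTIAL_STORE=yes CS_PASSWORD=... DB_PASSWORD=... sh credential-store.sh`; without APPLY_CREDENTIAL_STORE the script only defines the functions. The store password still lands in standalone.xml in clear text, exactly as with the manual CLI command, so the file permission advice above applies unchanged.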

Related sources and alternative setup

For related sources see:

The sources referred to above also describe how to create the credential store while the server is not running. That approach uses the elytron-tool script, which is provided for Linux-based systems (.sh) and for Windows (.bat); a store created this way still has to be registered in standalone.xml as a credential-store resource before a datasource can reference it. The same tool can also mask the store password, so that standalone.xml no longer contains it in clear text.