In this tutorial we will learn how to encrypt the password of a WildFly Datasource.

Step 1: Generate the encoded password

To do that, we can use the SecureIdentityLoginModule class, which is part of the PicketBox libraries. Run the class, passing the text to encrypt as its argument, as shown in the following example:

$ cd $JBOSS_HOME/modules/system/layers/base/org/picketbox/main
$ java -classpath picketbox-5.0.3.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule postgres
Encoded password: 1d5bcec446b79907df8592078de921bc

Now take note of the above encoded password.

Step 2: Create the Security Domain

Now create a security-domain in your security subsystem and name it "ds-encrypted". This security domain is based on the SecureIdentityLoginModule, which takes as input the username, the encoded password and some options such as the database pool name (as part of the managedConnectionFactoryName). The following set of CLI commands creates the ds-encrypted security domain:

/subsystem=security/security-domain=ds-encrypted:add(cache-type="default")
/subsystem=security/security-domain=ds-encrypted/authentication="classic":add()
/subsystem=security/security-domain=ds-encrypted/authentication="classic"/login-module="org.picketbox.datasource.security.SecureIdentityLoginModule":add(code="org.picketbox.datasource.security.SecureIdentityLoginModule",flag="required",module-options={"username" => "postgres","password" => "1d5bcec446b79907df8592078de921bc","managedConnectionFactoryName" => "jboss.jca:service=LocalTxCM,name=java:/PostGreDS"})

The resulting XML (which can also be included directly in your server configuration, provided that you shut the server down first):

<security-domain name="ds-encrypted" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="postgres"/>
            <module-option name="password" value="1d5bcec446b79907df8592078de921bc"/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=java:/PostGreDS"/>
        </login-module>
    </authentication>
</security-domain>

Step 3: Let your datasource use the Security Domain

Now it's time to update your datasource configuration so that it uses the ds-encrypted security-domain. To do that, you first need to undefine the user-name and password attributes, which are incompatible with the security-domain setting:

batch
/subsystem=datasources/data-source=PostgrePool:undefine-attribute(name=user-name)
/subsystem=datasources/data-source=PostgrePool:undefine-attribute(name=password)
/subsystem=datasources/data-source=PostgrePool:write-attribute(name=security-domain,value=ds-encrypted)
run-batch

Here is the resulting datasource configuration:

<datasource jndi-name="java:/PostGreDS2" pool-name="PostgrePool2">
    <connection-url>jdbc:postgresql://172.17.0.2/postgres</connection-url>
    <driver>postgres</driver>
    <security>
        <security-domain>ds-encrypted</security-domain>
    </security>
</datasource>

You should reload your configuration for the above changes to take effect. Next, you can verify from the Administration Console or the CLI whether your connection pool is able to connect to the database. Example:

/subsystem=datasources/data-source=PostgrePool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}
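
The three steps above, wrapped into reusable shell functions as an added example (this script is not part of the original tutorial). It assumes JBOSS_HOME points at the WildFly installation, that jboss-cli.sh lives under its bin directory, and that the PicketBox jar version is the one shown above; the domain, pool and JNDI names are the page's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes JBOSS_HOME points
# at the WildFly install and that the PicketBox jar version matches the page.
set -eu
JBOSS_HOME="${JBOSS_HOME:-/opt/wildfly}"
PICKETBOX_JAR="$JBOSS_HOME/modules/system/layers/base/org/picketbox/main/picketbox-5.0.3.Final.jar"

# Keeps only the hex value from the "Encoded password: <hex>" line on stdin.
# The tool prints the value as a signed BigInteger, so a leading '-' is legal.
parse_encoded_password() {
  hex=$(sed -n 's/^Encoded password: \(-\{0,1\}[0-9a-f]\{1,\}\)$/\1/p')
  [ -n "$hex" ] || { echo "no 'Encoded password:' line in output" >&2; return 1; }
  printf '%s\n' "$hex"
}

# Step 1: run SecureIdentityLoginModule on the clear-text password ($1).
encode_password() {
  java -classpath "$PICKETBOX_JAR" \
    org.picketbox.datasource.security.SecureIdentityLoginModule "$1" \
    | parse_encoded_password
}

# Steps 2 and 3 as one CLI batch: domain, pool, jndi-name, username, encoded value.
# The domain layout and managedConnectionFactoryName format are those shown above.
build_cli_batch() {
  domain=$1; pool=$2; jndi=$3; user=$4; encoded=$5
  cat <<EOF
batch
/subsystem=security/security-domain=$domain:add(cache-type="default")
/subsystem=security/security-domain=$domain/authentication="classic":add()
/subsystem=security/security-domain=$domain/authentication="classic"/login-module="org.picketbox.datasource.security.SecureIdentityLoginModule":add(code="org.picketbox.datasource.security.SecureIdentityLoginModule",flag="required",module-options={"username" => "$user","password" => "$encoded","managedConnectionFactoryName" => "jboss.jca:service=LocalTxCM,name=$jndi"})
/subsystem=datasources/data-source=$pool:undefine-attribute(name=user-name)
/subsystem=datasources/data-source=$pool:undefine-attribute(name=password)
/subsystem=datasources/data-source=$pool:write-attribute(name=security-domain,value=$domain)
run-batch
reload
EOF
}

# Verification: succeeds only if test-connection-in-pool reports success.
check_pool() {
  "$JBOSS_HOME/bin/jboss-cli.sh" -c \
    "/subsystem=datasources/data-source=$1:test-connection-in-pool" \
    | grep -q '"outcome" => "success"'
}
# Typical run (password taken from the environment, not the command line):
#   encoded=$(encode_password "$DB_PASSWORD")
#   build_cli_batch ds-encrypted PostgrePool java:/PostGreDS postgres "$encoded" \
#     | "$JBOSS_HOME/bin/jboss-cli.sh" -c && check_pool PostgrePool
```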

Example taken from WildFly Administration Guide: encrypt wildfly datasource password
