In WildFly 11 and later, the elytron subsystem allows using credential stores as secure storage for your credentials. Using a credential store is a replacement of the standard password vault mechanism to store passwords and other sensitive strings. Credential stores allow for easier credential management within WildFly, without having to use an external tool. It is however still possible to use an external script named to manage enterely from the shell the storage of your passwords.

The default credential store implementation uses a Java Cryptography Extension (JCEKS) keystore file to store credentials. When creating a new credential store, the default implementation also allows you to reference an existing keystore file or have WildFly automatically create one for you. Currently, the default implementation only allows you to store clear text passwords.

Example: Securing your Datasource password

In this example, we will show how to secure the password used to connect a sample MySql datasource. First of all, we will start a MySql instance, for the sake of simplicity we will just start it with Docker:

$ docker run -d --name mysql -e MYSQL_USER=mysql -e MYSQL_PASSWORD=secret -e MYSQL_DATABASE=demodb -e MYSQL_ROOT_PASSWORD=s3cr3t mysql

Next, we will create a Credential Store. This can be done either using a shell script ( or enterely with WildFly CLI:

/subsystem=elytron/credential-store=my_store:add(location="credentials/csstore.jceks",,  credential-reference={clear-text=mypassword},create=true)

The above command has created a Credential Store named "csstore.jceks" in the "" using a clear text password named "mypassword".

Then, we will add an alias into the credential store to reference the password ("secret") of mysql user:

/subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="secret")

Let's check that our alias has been correctly included:

    "outcome" => "success",
    "result" => ["database-pw"]

Perfect. Now just create a datasource without specifying the "password" as datasource's property but rather include a "credential-reference" which points to your alias:

data-source add --name=mysqlDS --jndi-name=java:/MySQLDS --driver-name=mysql-connector-java-5.1.15.jar --connection-url=jdbc:mysql:// --user-name=mysql --credential-reference={store=my_store, alias=database-pw}

Finally, let's check that our connection with the Database is ok:

    "outcome" => "success",
    "result" => [true]

So we managed to replace correctly the password with a Credential Store reference.

Create and Modify Credential Stores Offline using WildFly Elytron Tool

As we have anticipated, we can use as well the WildFly Elytron tool, which which is available in JBOSS_HOME/bin/, to create and modify a credential store for an offline, or stopped, WildFly server.

Here is, for example, how to create a Credential store using the

$ credential-store --create --location "../credentials/csstore.jceks" --password mypassword

Once created, then you can start adding entries to your store:

$ credential-store --location "../credentials/csstore.jceks" --password mypassword --add database-pw --secret secret

That's all! enjoy using Credential Stores on WildFly!


Related articles available on

JBoss security framework

Security is a fundamental part of any enterprise application .The

Configure JBoss with LDAP

In this tutorial we will show how to connect JBoss AS 7 (and earl

Configuring Single Signon on JBoss AS 7

This tutorial describes how to configure Single Signon for a JBos

Securing AS 7 applications using the ApplicationRealm

JBoss AS 7 and the EAP 6 provide out of the box a Security Domain

Securing access to JBoss-WildFly Management console

In this tutorial we will demonstrate how to secure access to the

Configuring a MongoDB Login Module

Creating a Login Module with JBoss AS 7 or WildFly can be done by