How to encrypt WildFly Datasource password

In this tutorial we will learn how to protect sensitive data such as the Datasource password in WildFly. First, we will cover the recommended approach, using Elytron Credential Stores. Then, for older WildFly installations, we will use PicketBox to encrypt the datasource password.

Securing the Datasource password with Credential Stores

In this example, we will show how to secure the password used to connect a PostgreSQL datasource. First of all, we will create an Elytron Credential Store. You can do that either with the elytron-tool.sh script or with the WildFly CLI. For example, using the CLI:

/subsystem=elytron/credential-store=my_store:add(location="credentials/csstore.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text=mypassword},create=true)

The above command creates a Credential Store in the file csstore.jceks under the jboss.server.data.dir/credentials folder, protected by the clear-text password “mypassword”. Note that this master password is itself written in clear text into the server configuration, so the configuration file needs the same access restrictions as the store.

To add entries to a credential store, you associate an alias with the sensitive string that you want to store.

For example, to add a password with the alias database-pw to the store we have just created:

/subsystem=elytron/credential-store=my_store:add-alias(alias=database-pw, secret-value="postgres")

Next, check that the alias is available in the Credential Store:

/subsystem=elytron/credential-store=my_store:read-aliases
{
"outcome" => "success",
"result" => ["database-pw"]
}

Finally, create a datasource without specifying the “password” property. Instead, include a “credential-reference” that points to your alias:

data-source add --jndi-name=java:/PostGreDSSec --name=PostgrePoolSec --connection-url=jdbc:postgresql://localhost/postgres --driver-name=postgres --user-name=postgres --credential-reference={store=my_store, alias=database-pw}

Securing the Datasource password with PicketBox (deprecated)

In order to encrypt the Datasource password using PicketBox follow these steps:

Step 1: Generate the encoded password

To do that, we can use the SecureIdentityLoginModule class, which is part of the PicketBox libraries. Launch the class passing the text to encrypt as a parameter, as shown in the following example:

$ cd $JBOSS_HOME/modules/system/layers/base/org/picketbox/main
$ java -classpath picketbox-5.0.3.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule postgres
Encoded password: 1d5bcec446b79907df8592078de921bc

Now take note of the encoded password printed above. Keep in mind that SecureIdentityLoginModule does not hash the password: it encrypts it with a key that ships inside PicketBox, so the value is reversible and is only obfuscated, not protected. This is one of the reasons this approach is deprecated in favour of credential stores.

Step 2: Create the Security Domain

Now create a security-domain in your security subsystem and name it “ds-encrypted”. This security domain is based on SecureIdentityLoginModule, which takes as input the username, the encoded password and some options such as the datasource pool name (as part of managedConnectionFactoryName). The following set of CLI commands creates the ds-encrypted security domain:

/subsystem=security/security-domain=ds-encrypted:add(cache-type="default")
/subsystem=security/security-domain=ds-encrypted/authentication="classic":add()
/subsystem=security/security-domain=ds-encrypted/authentication="classic"/login-module="org.picketbox.datasource.security.SecureIdentityLoginModule":add(code="org.picketbox.datasource.security.SecureIdentityLoginModule",flag="required",module-options={"username" => "postgres","password" => "1d5bcec446b79907df8592078de921bc","managedConnectionFactoryName" => "jboss.jca:service=LocalTxCM,name=java:/PostGreDS"})

The resulting XML (which can also be included directly in your server configuration, provided that you shut down the server before editing the file):

<security-domain name="ds-encrypted" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="postgres"/>
            <module-option name="password" value="1d5bcec446b79907df8592078de921bc"/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=java:/PostGreDS"/>
        </login-module>
    </authentication>
</security-domain>

Step 3: Let your datasource use the Security Domain

Now update your datasource configuration to use the ds-encrypted security domain. First, undefine the user-name and password attributes, which are incompatible with the security-domain setting:

batch
/subsystem=datasources/data-source=PostgrePool:undefine-attribute(name=user-name)
/subsystem=datasources/data-source=PostgrePool:undefine-attribute(name=password)
/subsystem=datasources/data-source=PostgrePool:write-attribute(name=security-domain,value=ds-encrypted)
run-batch

Here is the resulting datasource configuration:

<datasource jndi-name="java:/PostGreDS2" pool-name="PostgrePool2">
    <connection-url>jdbc:postgresql://172.17.0.2/postgres</connection-url>
    <driver>postgres</driver>
    <security>
        <security-domain>ds-encrypted</security-domain>
    </security>
</datasource>

Reload the server configuration so that the above changes take effect. Then verify from the Administration Console or the CLI that your connection pool is able to connect to the database. Example:

/subsystem=datasources/data-source=PostgrePool:test-connection-in-pool
{
"outcome" => "success",
"result" => [true]
}
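Both approaches leave a trace in standalone.xml: a datasource either carries a clear-text password element, references a PicketBox security domain, or references an Elytron credential store. The following Python script is an added defender-side example, not code from this article or from the WildFly project. It parses a server configuration and reports, for every datasource, which of those three states it is in, and separately flags credential stores whose own master password is kept in clear text, as the store created above is. The configuration embedded in the script is constructed for this example from the XML fragments on this page; the element and attribute names follow WildFly's configuration schema, but the namespace versions used in the sample are assumptions.

```python
"""Audit a WildFly standalone.xml for datasource credentials that are not held in an
Elytron credential store. Added example, not code from the article or from WildFly;
the sample configuration below is constructed from the XML shown in the tutorial."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PICKETBOX_MODULE = "org.picketbox.datasource.security.SecureIdentityLoginModule"

# Constructed sample: one datasource per approach in the article, plus the legacy
# security domain and the Elytron credential store they refer to (namespace versions assumed).
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:10.0">
  <subsystem xmlns="urn:wildfly:elytron:8.0">
    <credential-stores>
      <credential-store name="my_store" location="credentials/csstore.jceks"
                        relative-to="jboss.server.data.dir">
        <credential-reference clear-text="mypassword"/>
      </credential-store>
    </credential-stores>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
      <security-domain name="ds-encrypted" cache-type="default">
        <authentication>
          <login-module code="%s" flag="required">
            <module-option name="username" value="postgres"/>
            <module-option name="password" value="1d5bcec446b79907df8592078de921bc"/>
          </login-module>
        </authentication>
      </security-domain>
    </security-domains>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:datasources:5.0">
    <datasources>
      <datasource jndi-name="java:/PlainDS" pool-name="PlainPool">
        <security><user-name>postgres</user-name><password>postgres</password></security>
      </datasource>
      <datasource jndi-name="java:/PostGreDS2" pool-name="PostgrePool2">
        <security><security-domain>ds-encrypted</security-domain></security>
      </datasource>
      <datasource jndi-name="java:/PostGreDSSec" pool-name="PostgrePoolSec">
        <security><user-name>postgres</user-name>
          <credential-reference store="my_store" alias="database-pw"/></security>
      </datasource>
    </datasources>
  </subsystem>
</server>
""" % PICKETBOX_MODULE

@dataclass
class Finding:
    pool: str
    status: str  # CLEAR_TEXT, PICKETBOX, SECURITY_DOMAIN, CREDENTIAL_STORE or NONE
    detail: str

def _local(tag):
    """Drop the XML namespace so element names compare equally across schema versions."""
    return tag.rsplit("}", 1)[-1]

def _child(elem, name):
    # Elements with no children are falsy, so compare against None explicitly.
    return None if elem is None else next((c for c in elem if _local(c.tag) == name), None)

def picketbox_domains(root):
    """Names of legacy security domains backed by SecureIdentityLoginModule."""
    return {sd.get("name") for sd in root.iter()
            if _local(sd.tag) == "security-domain" and sd.get("name")
            and any(_local(lm.tag) == "login-module" and lm.get("code") == PICKETBOX_MODULE
                    for lm in sd.iter())}

def audit_datasources(xml_text):
    """Classify how each datasource (and xa-datasource) stores its database credential."""
    root = ET.fromstring(xml_text)
    legacy = picketbox_domains(root)
    findings = []
    for ds in root.iter():
        if _local(ds.tag) not in ("datasource", "xa-datasource"):
            continue
        pool, sec = ds.get("pool-name", "?"), _child(ds, "security")
        pw, cref, dom = (_child(sec, n) for n in ("password", "credential-reference", "security-domain"))
        if pw is not None or (cref is not None and cref.get("clear-text") is not None):
            findings.append(Finding(pool, "CLEAR_TEXT", "secret is written in the config file"))
        elif cref is not None and cref.get("store") and cref.get("alias"):
            findings.append(Finding(pool, "CREDENTIAL_STORE", f"store={cref.get('store')} alias={cref.get('alias')}"))
        elif dom is not None and dom.text:
            name = dom.text.strip()
            findings.append(Finding(pool, "PICKETBOX" if name in legacy else "SECURITY_DOMAIN", f"security-domain={name}"))
        else:
            findings.append(Finding(pool, "NONE", "no credential configured"))
    return findings

def clear_text_store_passwords(xml_text):
    """Credential stores whose own master password is in clear text in the config."""
    root = ET.fromstring(xml_text)
    return [cs.get("name") for cs in root.iter() if _local(cs.tag) == "credential-store"
            and (ref := _child(cs, "credential-reference")) is not None and ref.get("clear-text") is not None]

if __name__ == "__main__":
    for f in audit_datasources(SAMPLE_CONFIG):
        print(f"{f.pool:16} {f.status:17} {f.detail}")
    print("stores with clear-text master password:", clear_text_store_passwords(SAMPLE_CONFIG))
```

To run it against a real server, replace SAMPLE_CONFIG with the contents of standalone.xml (or the relevant domain profile). A CLEAR_TEXT finding is the one to fix first; a PICKETBOX finding marks a datasource still on the deprecated, reversible scheme that should be migrated to a credential-reference.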

Example taken from WildFly Administration Guide: encrypt wildfly datasource password
