Obfuscating the Credential Store Password

Using PBE

For example, the password can be masked using Password Based Encryption (PBE) with the Elytron tool. Open a Command Prompt on the machine hosting the Xpress Insight Server and enter the command for your platform:

Windows

<INSIGHT_HOME>/server/wildfly-15.0.1.Final/bin/elytron-tool.bat mask --salt 12345678 --iteration 200 --secret store-password

Linux

<INSIGHT_HOME>/server/wildfly-15.0.1.Final/bin/elytron-tool.sh mask --salt 12345678 --iteration 200 --secret store-password
Then amend the credential store password in the standalone.xml file:
<credential-store name="store-name" ...>
  <!-- Replace this: <credential-reference clear-text="store-password"/>
  With: -->
  <credential-reference clear-text="[MASK-abc;12345678;200]"/>
</credential-store>

Using the Password Vault

For more information, see https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials#password_vault

  1. Create a new folder to store the vault in a location on the server, such as <INSIGHT_HOME>/server/wildfly-15.0.1.Final/vault. The remaining instructions refer to this new location as [vault_location].
  2. Create the keystore. Open a Command Prompt on the machine hosting the Xpress Insight Server and type:
    keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass changeme -keypass changeme -validity 730 -keystore [vault_location]/vault.keystore
    Note: Ensure storepass and keypass have the same value.
  3. Navigate to the Wildfly bin/ directory, and initialize the vault using the following commands:

    Windows

    cd <INSIGHT_HOME>/server/wildfly-15.0.1.Final/bin
    vault.bat --keystore [vault_location]/vault.keystore --keystore-password changeme --alias vault --vault-block block1 --attribute cs-password --sec-attr the-secret-store-password --enc-dir [vault_location]/ --iteration 120 --salt somesalt

    Linux

    cd <INSIGHT_HOME>/server/wildfly-15.0.1.Final/bin
    ./vault.sh --keystore [vault_location]/vault.keystore --keystore-password changeme --alias vault --vault-block block1 --attribute cs-password --sec-attr the-secret-store-password --enc-dir [vault_location]/ --iteration 120 --salt somesalt
    Tip: Alternatively, execute the vault.bat or vault.sh file and select 0 for an interactive session, then provide each argument when prompted.
    Important: Make a note of the output of this step; it contains information required for the final step.
  4. In the standalone.xml file, below the <system-properties> block, add the following code (the masked keystore password is part of the output of the previous command):
    <vault>
      <vault-option name="KEYSTORE_URL" value="[vault_location]/vault.keystore"/>
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-abc"/>
      <vault-option name="KEYSTORE_ALIAS" value="vault"/>
      <vault-option name="SALT" value="somesalt"/>
      <vault-option name="ITERATION_COUNT" value="120"/>
      <vault-option name="ENC_FILE_DIR" value="[vault_location]"/>
    </vault>

  5. Finally, replace the plaintext password with the vault expression (using the output from step 3):
    <credential-store name="store-name" ...>
      <credential-reference clear-text="${VAULT::block1::cs-password::1}"/>
    </credential-store>
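
To confirm that neither procedure left a plaintext password behind, the following check reports, for each credential-store, whether its credential-reference is masked, a vault expression, or still plaintext. It is an added example, not part of the product or of WildFly; the function names, the namespace and the sample document are constructed for illustration, and the MASK pattern tolerates the square brackets shown in the PBE example above.

```python
import re
import xml.etree.ElementTree as ET

# Accepted forms, as shown on this page: MASK-<value>;<salt>;<iteration>
# and ${VAULT::<block>::<attribute>::1}. Optional square brackets around the
# MASK form are tolerated because the page's example prints them (assumption).
MASKED = re.compile(r"^\[?MASK-[^;\s]+;[^;\s]+;\d+\]?$")
VAULT = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^:}]+\}$")


def local(tag):
    """Strip the XML namespace that prefixes element names after parsing."""
    return tag.rsplit("}", 1)[-1]


def audit_credential_references(xml_text):
    """Return (store name, verdict) for each credential-reference under a credential-store."""
    findings = []
    for store in ET.fromstring(xml_text).iter():
        if local(store.tag) != "credential-store":
            continue
        for ref in store:
            if local(ref.tag) != "credential-reference":
                continue
            value = ref.get("clear-text")
            if value is None:
                verdict = "no clear-text attribute"
            elif MASKED.match(value):
                verdict = "masked"
            elif VAULT.match(value):
                verdict = "vault"
            else:
                verdict = "PLAINTEXT"
            findings.append((store.get("name"), verdict))
    return findings


# Constructed sample, not a real standalone.xml.
SAMPLE = """<server xmlns="urn:example:server">
  <credential-store name="store-a"><credential-reference clear-text="store-password"/></credential-store>
  <credential-store name="store-b"><credential-reference clear-text="[MASK-abc;12345678;200]"/></credential-store>
  <credential-store name="store-c"><credential-reference clear-text="${VAULT::block1::cs-password::1}"/></credential-store>
</server>"""

if __name__ == "__main__":
    for name, verdict in audit_credential_references(SAMPLE):
        print(f"{name}: {verdict}")
```

To audit a real server, pass the contents of standalone.xml to audit_credential_references and treat any PLAINTEXT verdict as a step that was missed.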