
Obfuscating the Credential Store Password

Using PBE

The password can be masked using Password Based Encryption (PBE) with the Elytron tool. Open a Command Prompt on the machine hosting the Xpress Insight Server and run the following command, where x.y.z represents the Wildfly version, subversion and patch numbers:

Windows

<INSIGHT_HOME>/server/wildfly-x.y.z/bin/elytron-tool.bat mask --salt 12345678 --iteration 200 --secret store-password

Linux

<INSIGHT_HOME>/server/wildfly-x.y.z/bin/elytron-tool.sh mask --salt 12345678 --iteration 200 --secret store-password

Then amend the credential store password in the standalone.xml file, replacing the clear-text value with the masked value printed by the tool (shown here as MASK-abc):
<credential-store name="store-name" ...>
  <!-- Replace this: <credential-reference clear-text="store-password"/>
  With: -->
  <credential-reference clear-text="[MASK-abc;12345678;200]"/>
</credential-store>

Using the Password Vault

For more, see https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials#password_vault

  1. Create a new folder to hold the vault in a location on the server, such as <INSIGHT_HOME>/server/wildfly-x.y.z/vault. The remaining instructions refer to this location as [vault_location].
  2. Create the keystore. Open a Command Prompt on the machine hosting the Xpress Insight Server and type:
    keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass changeme -keypass changeme -validity 730 -keystore [vault_location]/vault.keystore
    Note: Ensure that storepass and keypass have the same value.
  3. Navigate to the Wildfly bin/ directory, and initialize the vault using the following commands:

    Windows

    cd <INSIGHT_HOME>/server/wildfly-x.y.z/bin
    vault.bat --keystore [vault_location]/vault.keystore --keystore-password changeme --alias vault --vault-block block1 --attribute cs-password --sec-attr the-secret-store-password --enc-dir [vault_location]/ --iteration 120 --salt somesalt

    Linux

    cd <INSIGHT_HOME>/server/wildfly-x.y.z/bin
    ./vault.sh --keystore [vault_location]/vault.keystore --keystore-password changeme --alias vault --vault-block block1 --attribute cs-password --sec-attr the-secret-store-password --enc-dir [vault_location]/ --iteration 120 --salt somesalt
    Tip: Alternatively, run vault.bat or vault.sh without arguments and select 0 for an interactive session, then provide each argument when prompted.
    Important: Make a note of the output of this step; it contains information required for the final step.
  4. In the standalone.xml file, below the <system-properties> block, add the following <vault> block. The KEYSTORE_PASSWORD value is the masked password printed by the command in the previous step:
    <vault>
        <vault-option name="KEYSTORE_URL" value="[vault_location]/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-abc"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="somesalt"/>
        <vault-option name="ITERATION_COUNT" value="120"/>
        <vault-option name="ENC_FILE_DIR" value="[vault_location]"/>
    </vault>
    
  5. Finally, replace the plaintext password with the vault expression (using the output from step 3):
    <credential-store name="store-name" ...>
      <credential-reference clear-text="${VAULT::block1::cs-password::1}"/>
    </credential-store>
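As an added check that is not part of the FICO documentation: a small Python script that parses a standalone.xml and reports whether each credential-reference clear-text value is in the masked PBE form, the vault expression form, or still plain text, so you can confirm nothing was missed after either procedure. The XML fragment, store names and the `plaintext_stores` helper are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment (not a real server file) showing the three forms.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:8.0">
  <subsystem xmlns="urn:wildfly:elytron:4.0">
    <credential-stores>
      <credential-store name="pbe-store" location="pbe.jceks">
        <credential-reference clear-text="[MASK-abc;12345678;200]"/>
      </credential-store>
      <credential-store name="vault-store" location="vault.jceks">
        <credential-reference clear-text="${VAULT::block1::cs-password::1}"/>
      </credential-store>
      <credential-store name="plain-store" location="plain.jceks">
        <credential-reference clear-text="store-password"/>
      </credential-store>
    </credential-stores>
  </subsystem>
</server>"""

MASK_RE = re.compile(r"^\[MASK-[^;\]]+;[^;\]]+;\d+\]$")      # [MASK-xxx;salt;iterations]
VAULT_RE = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::\d+\}$")  # ${VAULT::block::attribute::n}

def classify_clear_text(value):
    """Return 'masked', 'vault' or 'plaintext' for one clear-text attribute value."""
    if MASK_RE.match(value):
        return "masked"
    if VAULT_RE.match(value):
        return "vault"
    return "plaintext"

def audit_credential_references(xml_text):
    """Map each owner element's name (or tag, if unnamed) to the classification of its
    credential-reference clear-text value; namespaces are stripped for the comparison."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = {}
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "credential-reference":
            continue
        value = elem.get("clear-text")
        if value is None:
            continue  # alias/store-based references carry no secret inline
        owner = parent_of[elem]
        key = owner.get("name") or owner.tag.rsplit("}", 1)[-1]
        findings[key] = classify_clear_text(value)
    return findings

def plaintext_stores(xml_text):
    """Names of owners whose password is still in clear text; empty once obfuscation is complete."""
    return sorted(k for k, v in audit_credential_references(xml_text).items() if v == "plaintext")
```

Run `plaintext_stores(open("standalone.xml").read())` against the real file; an empty list means every credential-reference uses a masked or vault value.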
    

© 2001-2020 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.