Obfuscating the Credential Store Password
The password used for the credential store can be obfuscated in various ways. For more, see the Red Hat web site. Both methods below are obfuscation rather than encryption: everything needed to recover the password (the salt and iteration count, and for the vault the keystore and its masked password) is readable from the server's configuration files, so restrict read access to standalone.xml and the vault directory to the account that runs the server.
Using PBE
For example, the password can be masked using Password Based Encryption (PBE) with the Elytron tool. Open a Command Prompt on the machine hosting the Xpress Insight Server and enter the following command, where x.y.z represents the Wildfly version, subversion, and patch numbers. The salt must be exactly eight characters; the salt and iteration count shown are sample values.
Windows
<INSIGHT_HOME>/server/wildfly-x.y.z/bin/elytron-tool.bat mask --salt 12345678 --iteration 200 --secret store-password
Linux
<INSIGHT_HOME>/server/wildfly-x.y.z/bin/elytron-tool.sh mask --salt 12345678 --iteration 200 --secret store-password
The tool prints the masked value in the form MASK-<encoded>;12345678;200; MASK-abc stands for that value below. Then amend the credential store password in the standalone.xml file:
<credential-store name="store-name" ...>
    <!-- Replace this:
    <credential-reference clear-text="store-password"/>
    With: -->
    <credential-reference clear-text="MASK-abc;12345678;200"/>
</credential-store>
Using the Password Vault
For more, see the Red Hat website.
- Create a new folder on the server to hold the vault, such as <INSIGHT_HOME>/server/wildfly-x.y.z/vault. The remaining instructions refer to this location as [vault_location].
- Create the keystore. Open a Command Prompt on the machine hosting the Xpress Insight Server and type:
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass changeme -keypass changeme -validity 730 -keystore [vault_location]/vault.keystore
Note Ensure storepass and keypass have the same value.
- Navigate to the Wildfly bin/ directory, and initialize the vault using the following commands. Replace the-secret-store-password with the actual credential store password; the salt must be exactly eight characters.
Windows
cd <INSIGHT_HOME>/server/wildfly-x.y.z/bin
vault.bat --keystore [vault_location]/vault.keystore --keystore-password changeme --alias vault --vault-block block1 --attribute cs-password --sec-attr the-secret-store-password --enc-dir [vault_location]/ --iteration 120 --salt somesalt
Linux
cd <INSIGHT_HOME>/server/wildfly-x.y.z/bin
./vault.sh --keystore [vault_location]/vault.keystore --keystore-password changeme --alias vault --vault-block block1 --attribute cs-password --sec-attr the-secret-store-password --enc-dir [vault_location]/ --iteration 120 --salt somesalt
Tip Alternatively, execute the vault.bat or vault.sh file and select 0 for an interactive session, then provide each argument when prompted.
Important Make a note of the output of this step; it contains the masked keystore password and the vault expression required for the final steps.
- In the standalone.xml file, add the following <vault> element below the <system-properties> block, using the masked keystore password (MASK-abc below) printed by the previous command:
<vault>
    <vault-option name="KEYSTORE_URL" value="[vault_location]/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-abc"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="somesalt"/>
    <vault-option name="ITERATION_COUNT" value="120"/>
    <vault-option name="ENC_FILE_DIR" value="[vault_location]"/>
</vault>
- Finally, replace the plaintext password with the vault expression (using the output from step 3):
<credential-store name="store-name" ...>
    <credential-reference clear-text="${VAULT::block1::cs-password::1}"/>
</credential-store>
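The final step of both procedures above, replacing the clear-text value of the credential-reference with the tool's output, is easy to get wrong by hand: a salt of the wrong length, an edit to the wrong element, or a broken standalone.xml that stops the server. The following Python script is an added example and is not part of the Xpress Insight or WildFly documentation. It accepts either an elytron-tool MASK token or a vault expression, validates it, patches only the named credential-store by text substitution (so namespaces, comments and formatting survive), checks that the result still parses, and warns if the file is readable by other accounts. The sample standalone.xml fragment, its namespace URIs, and the function names are constructed for this example.

```python
"""Patch the credential-store password in a WildFly standalone.xml.

Added example: replaces the clear-text value of the <credential-reference>
inside a named <credential-store> with either an Elytron masked token
(MASK-...;salt;iteration) or a Password Vault expression
(${VAULT::block::attribute::1}).  The token is validated first and the
edited document is re-parsed so a broken file is never written.
"""
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

# elytron-tool mask prints:  MASK-<encoded>;<salt>;<iteration>
MASK_RE = re.compile(r"^MASK-[^;\s]+;(?P<salt>[^;\s]+);(?P<iter>\d+)$")
# vault.sh prints:  ${VAULT::<block>::<attribute>::1}
VAULT_RE = re.compile(r"^\$\{VAULT::[^:\s}]+::[^:\s}]+::[^\s}]+\}$")


def validate_reference(value):
    """Return 'mask' or 'vault' for a well-formed token, else raise ValueError."""
    m = MASK_RE.match(value)
    if m:
        # The PBE scheme behind MASK- tokens takes an 8-byte salt.
        if len(m.group("salt")) != 8:
            raise ValueError("salt must be exactly 8 characters")
        if int(m.group("iter")) < 1:
            raise ValueError("iteration count must be positive")
        return "mask"
    if VAULT_RE.match(value):
        return "vault"
    raise ValueError("expected MASK-...;salt;iteration or ${VAULT::block::attr::1}")


def patch_credential_store(xml_text, store_name, reference):
    """Return xml_text with the clear-text attribute of the credential-reference
    inside <credential-store name=store_name> replaced by `reference`."""
    validate_reference(reference)
    store_re = re.compile(
        r'(<credential-store\b[^>]*\sname="%s"[^>]*>)(.*?)(</credential-store>)'
        % re.escape(store_name),
        re.DOTALL,
    )
    store = store_re.search(xml_text)
    if store is None:
        raise ValueError("no <credential-store name=%r> found" % store_name)
    body = store.group(2)
    ref_re = re.compile(r'(<credential-reference\b[^>]*?\sclear-text=")([^"]*)(")')
    if len(ref_re.findall(body)) != 1:
        raise ValueError("expected exactly one credential-reference with clear-text")
    # A lambda avoids backslash/group interpretation in the replacement text.
    new_body = ref_re.sub(lambda r: r.group(1) + reference + r.group(3), body, count=1)
    new_text = xml_text[: store.start(2)] + new_body + xml_text[store.end(2):]
    ET.fromstring(new_text)  # raises ParseError if the edit broke the document
    return new_text


def readable_by_others(path):
    """True if group or world can read the file (POSIX permission bits only)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample fragment of a standalone.xml, not taken from a real server.
SAMPLE_STANDALONE = """<server xmlns="urn:jboss:domain:x.y">
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:x.y">
      <credential-stores>
        <credential-store name="store-name" relative-to="jboss.server.config.dir" location="insight.jceks">
          <credential-reference clear-text="store-password"/>
        </credential-store>
      </credential-stores>
    </subsystem>
  </profile>
</server>
"""

if __name__ == "__main__":
    # Usage: patch_standalone.py <standalone.xml> <store-name> '<token>'
    if len(sys.argv) == 4:
        path, store_name, token = sys.argv[1:]
        with open(path, encoding="utf-8") as f:
            text = f.read()
        with open(path, "w", encoding="utf-8") as f:
            f.write(patch_credential_store(text, store_name, token))
        if readable_by_others(path):
            print("warning: %s is readable by other accounts" % path)
    else:
        print(patch_credential_store(SAMPLE_STANDALONE, "store-name",
                                     "MASK-abc;12345678;200"))
```

Run it with no arguments to see the constructed sample patched; with a path, store name and token it edits the file in place. Quote the vault expression in the shell so that `${VAULT::...}` is not expanded before it reaches the script.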