Security Features of JBoss AS 5.1 - Part 2 - Masking Passwords in the configuration files

Nobody likes the idea of seeing passwords in the open in an xml file.  In JBoss AS, we have various mechanisms by which passwords can be masked in the xml file. This article will act as a single stop reference to the various mechanisms.

In order to mask password attributes in the JBoss Microcontainer Bean definitions, see the following prototype

 https://jira.jboss.org/jira/browse/JBAS-6710

... which works for JBoss AS 5.1 onwards

Disclaimer:

With the use of passwords, no system is 100% secure. One mitigating approach in a password based system is "security by obfuscation". This is what we use in this method. We use a certificate and a secret key to mask the password for a particular security domain.

Steps to perform

First you need to create a keystore and generate a key (See additional information below for example). Remember the keystore location should match with the attribute configured in your JBossSecurityPasswordMaskManagement defined in deploy/security/security-jboss-beans.xml

You can use the command in the bin directory.                                              

1. Use the Password Tool (mentioned below).
2. Configure the @Password annotation on the MC beans that you are interested in masking the password. Example is provided below.

Password Tool

There is a command line tool that can be used for centralized password management.  The script is located in the bin directory. Remember that you can use the tool in the bin directory and the server configurations (default, all etc) can make use of the files that are generated by this tool.

=============================================

anil@localhost:~/jboss-6.0/jboss-head/build/output/jboss-6.0.0.Alpha1/bin$ ./password_tool.sh
**********************************
****  JBoss Password Tool********
**********************************
Error while trying to load data:Encrypted password file not located
Maybe it does not exist and need to be created.
0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  
3: Remove a domain 4:Enquire Domain 5:Exit

0
Enter Keystore password
testpass
Enter Salt (String should be at least 8 characters)
AnyStringThatIsLong
Enter Iterator Count (integer value)
111
Keystore Password encrypted into password/jboss_keystore_pass.dat

 

Loading domains [
]
0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  3: Remove a domain 
4:Enquire Domain 5:Exit
2
Enter security domain:
messaging
Enter passwd:
myPass
0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password  
3: Remove a domain 4:Enquire Domain 5:Exit
5
org.jboss.security.integration.password.PasswordTool$ShutdownHook run called
Storing domains [
messaging,
]

=====================================================================

 

Configure the MC Beans

You will need to add an annotation to the bean definition.  Lets take the example of JBoss Messaging SecurityStore MC Bean defined in deploy/messaging/messaging-jboss-beans.xml

Before your modification:

 <bean name="SecurityStore" 
class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
      <!-- default security configuration -->
      <property name="defaultSecurityConfig">
         <![CDATA[
            <security>
               <role name="guest" read="true" write="true" create="true"/>
            </security>
         ]]>
      </property>
      <property name="suckerPassword">CHANGE ME!!</property>
      <property name="securityDomain">messaging</property>
      <property name="securityManagement">
<inject bean="JNDIBasedSecurityManagement"/></property>
</bean>

After your modification:

 <bean name="SecurityStore"
 class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
      <!-- default security configuration -->
      <property name="defaultSecurityConfig">
         <![CDATA[
            <security>
               <role name="guest" read="true" write="true" create="true"/>
            </security>
         ]]>
      </property>
      <property name="securityDomain">messaging</property>
      <property name="securityManagement">
<inject bean="JNDIBasedSecurityManagement"/></property>
      <!-- Password Annotation to inject the password from the common password
        utility -->
      <annotation>@org.jboss.security.integration.password.Password(securityDomain=messaging,
methodName=setSuckerPassword)</annotation>    
   </bean>

As you can see, you have removed the attribute called as "suckerPassword"   and introduced an MC annotation called as @Password whose configuration includes the security domain as well the MC bean property where the password needs to be injected.

Additional Information

The keystore can be generated as follows:

Here we are running it in the bin directory of the JBoss AS installation.  The Keystore will be created in directory password. This will match with the deploy/security/security-jboss-beans.xml bean definition as stated above.

$ keytool -genkey -alias jboss -keyalg RSA -keysize 1024  -keystore password/password.keystore
Enter keystore password:  testpass
What is your first and last name?
  [Unknown]:  JBoss Security
What is the name of your organizational unit?
  [Unknown]:  JBoss Division
What is the name of your organization?
  [Unknown]:  Red Hat Inc
What is the name of your City or Locality?
  [Unknown]:  Raleigh
What is the name of your State or Province?
  [Unknown]:  NC
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=JBoss Security, OU=JBoss Division, O=Red Hat Inc, L=Raleigh, ST=NC, C=US correct?
  [no]:  yes

Enter key password for <jboss>
        (RETURN if same as keystore password):

Other Masking Information

1. Encrypting Data Source Passwords
2. Encrypting Keystore Password in Tomcat Connector
3. Encrypting Ldap Password in the LdapExtLoginModule

Background Information

This feature utlizes the Microcontainer lifecycle callbacks.

The password is set from a common utility into the MC bean during the "create" step.

Reference:

1. http://www.jboss.org/community/wiki/MaskingPasswordsinJBossASXMLConfiguration
2. http://server.dzone.com/articles/security-auditing-jboss

Troubleshooting

• Ensure that the keystore generated (by default it should be password/password.keystore) is the same as the one defined in deploy/security/security-jboss-beans.xml
• Did you comment out the suckerPassword attribute in deploy/messaging/messaging-jboss-beans.xml and enable the annotation for Password there?

About the Author:

Anil Saldhana is the lead security architect at JBoss. He blogs at http://anil-identity.blogspot.com