Vijay Archive

Encrypting JBoss Database Cleartext Passwords

I had been planning to write this article for the past two days but was in a dilemma about whether to post it or not. It is not that this article is not helpful, but there are already many good articles on this subject on the internet. I had even tried to automate this feature, so that we could present an article different from all the existing ones, but automation turned out to be more complex than the manual steps, thanks to variable factors such as the type of datasource (xa, non-xa, local xa, etc.), the properties of the -ds.xml file, and the different databases (MySQL, Oracle, MS SQL). Automation would make the subject complex, so I will update this post with automation files if I am able to write elegant code.

Finally, since we want “weblogic-wonders” to be one of the sites all “middleware” enthusiasts stop by, we decided to post this article.

Prerequisites :-

  • Set the JAVA_HOME variable.
  • Test the JDBC connection URL in any SQL client.
  • Take a backup of “JBOSS_HOME/server/<serverName>/conf/login-config.xml” in a directory outside “JBOSS_HOME”.
  • Copy the respective driver “jar” file to “JBOSS_HOME/server/<serverName>/lib”. For MySQL I had copied “mysql-connector-java-5.1.6.jar” and for Oracle “ojdbc6.jar”.
  • JBOSS_HOME :- I have used this “word” many times in the post below; it is the location where JBoss is installed. For example, on my machine “JBOSS_HOME” is “/vasvijay/jboss/jboss-eap-5.0/jboss-as”.

Downloads :-

You can download the “xml” files from “http://weblogic-wonders.com/weblogic/wp-content/uploads/2011/01/VASDSPasswordEncryption.zip”.

Execution :-

In order to encrypt the database password, we perform the 7 steps below.

Step 1:- Encrypt the database password.

a) “cd” to “JBOSS_HOME” and execute the command below.

java -cp client/jboss-logging-spi.jar:common/lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule <passwordYouWantToEncrypt>

Note :- Make sure “JBOSS_HOME/client/jboss-logging-spi.jar” and “JBOSS_HOME/common/lib/jbosssx.jar” exist. The command prints a hex string (it may start with a minus sign, because the result is a BigInteger rendered in base 16); copy it exactly. Two caveats a practitioner should know: the “encryption” is Blowfish with a key that is hard-coded inside SecureIdentityLoginModule, so anyone who can read login-config.xml and has the JBoss jars can recover the cleartext. It keeps the password out of casual view, not away from an attacker with file access, so keep login-config.xml readable only by the user JBoss runs as. Also, the cleartext password passed on the command line is recorded in your shell history and is visible in the process list while the command runs; remove the history entry afterwards.

Step 2 :- Create the “-ds.xml” file. Make sure the file name ends with “-ds.xml”; otherwise the datasource will not be deployed.

Below is the sample xml file. I have used only the basic minimal properties to test this feature. In a real deployment you can add many more properties/tags such as “min-pool-size”, ”max-pool-size” and ”prepared-statement-cache-size”. Please check the “JBoss wiki” documentation for more details.

<datasources>
<local-tx-datasource>
<jndi-name>VASDS</jndi-name>
<connection-url>jdbc:oracle:thin:localhost:1521/vasDB1</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<security-domain>VASEncryptedDS</security-domain>
<exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
<metadata>
<type-mapping>Oracle9i</type-mapping>
</metadata>
</local-tx-datasource>
</datasources>

local-tx-datasource :- This element specifies that we are using the local-transaction connection manager (“LocalTxCM”) service. Other types include

a) xa-datasource

b) no-tx-datasource

c) ha-local-tx-datasource

d) ha-xa-datasource

jndi-name :- The JNDI name. The resource is bound under the “java:/” context unless “use-java-context” is set to “false”.

connection-url :- This is a simple connection string using the Oracle Thin driver, connecting to the database “vasDB1” on host “localhost”. Please test this connection string in a SQL client before using it; that way connection-string problems are ruled out up front.

driver-class :- Oracle Driver Class.

security-domain :- The “security domain name” defined in “JBOSS_HOME/server/<serverName>/conf/login-config.xml”. This name must exactly match the “name” attribute of the “application-policy” tag (the comparison is case-sensitive).

exception-sorter-class-name :- specifies a class implementing “org.jboss.resource.adapter.jdbc.ExceptionSorter“, which examines database exceptions to determine whether or not an exception indicates a broken connection.

type-mapping :- specifies Oracle9i type mapping for Oracle 10g datasource configuration.

Step 3 :- Update “JBOSS_HOME/server/<serverName>/conf/login-config.xml”. This is the JAAS login configuration file. We will be adding a new security domain called “VASEncryptedDS”.

Append the lines below to “login-config.xml” at the end, just before the closing “</policy>” tag.

<application-policy name="VASEncryptedDS">
<authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username">vasTest</module-option>
<module-option name="password">ENCRYPTEDPASSWORD_USING_STEP1</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=VASDS,service=LocalTxCM</module-option>
</login-module>
</authentication>
</application-policy>

login-module :- the attribute “code” defines the class used for “authentication”. The attribute “flag” with value “required” means this login module must succeed for the login to succeed.

module-option :-

username :- The database username.

password :- The encrypted password from “step 1”.

managedConnectionFactoryName :- The MBean name of the connection manager. For a local-tx-datasource it is “jboss.jca:name=<jndi-name>,service=LocalTxCM”; an xa-datasource uses “service=XATxCM” and a no-tx-datasource “service=NoTxCM”. If you are not sure what this name should be, log in to the “jmx-console”, click “jboss.jca” in the left-hand column, and construct the string from one of the entries on the right.

Step 4 :- If you edited a copy, copy the updated “login-config.xml” back to the “JBOSS_HOME/server/<serverName>/conf” directory.

Step 5 :- Copy “VASEncrypted-ds.xml” to the “JBOSS_HOME/server/<serverName>/deploy” directory.

Note :- The Step 2 “xml” file can be saved under any name ending with “-ds.xml”. I named mine “VASEncrypted-ds.xml”.

Step 6 :- Restart the server. Since we edited “login-config.xml” in “JBOSS_HOME/server/<serverName>/conf”, which is read only at startup, a restart is required.

Step 7 :- Validate that the datasource has been deployed successfully.

Method 1 :- While the server is starting you will find the entry below in the log.

09:11:51,353 INFO  [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=VASDS' to JNDI name 'java:VASDS'

Method 2 :- Log in to the “jmx-console” and click the “jboss.jca” entry in the left-hand column. You should see “VASDS” entries in the right-hand column.

Method 3 :-

./twiddle.sh -s jnp://icdusdartapp01:1099 -u admin -p admin get 'jboss.jca:name=VASDS,service=LocalTxCM' ManagedConnectionPool

Note :- There are a couple of other methods, such as “web-console” and ”admin-console”.

Note :- For in-depth detail on “twiddle”, please read the article “http://weblogic-wonders.com/weblogic/2010/12/22/jboss-command-line-utility-twiddle/”
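The things that go wrong in steps 2 and 3 (wrong file suffix, a security-domain that does not match any application-policy, a managedConnectionFactoryName for the wrong datasource type, the cleartext password left in place) can be checked before the restart in step 6. The script below is an added example, not code from the original post or from JBoss. It assumes one datasource per -ds.xml file, XML written with straight double quotes, and the AS 5 connection-manager service names LocalTxCM, XATxCM and NoTxCM; the sample -ds.xml and login-config.xml it writes are constructed for the demonstration, and the hex password in them is sample data, not a real step 1 output.

```shell
#!/bin/sh
# Added example (not code from the original post): sanity-check a JBoss 5
# *-ds.xml against login-config.xml before restarting the server. It checks the
# things that are easy to get wrong in steps 2 and 3: the -ds.xml suffix, the
# security-domain <-> application-policy name match, the managedConnectionFactoryName
# for the datasource type, and that the password option is the hex string from
# step 1 rather than a cleartext password left behind.
# Assumptions: one datasource per file, well-formed XML with straight double quotes,
# and the AS 5 connection-manager service names LocalTxCM / XATxCM / NoTxCM.

# xml_text <tag> <file>: text content of the first <tag>...</tag> in the file
xml_text() {
  sed -n "s:.*<$1>\([^<]*\)</$1>.*:\1:p" "$2" | head -n 1
}

# cm_service <ds-file>: connection-manager service name for the datasource element used
cm_service() {
  if grep -q '<local-tx-datasource>' "$1"; then echo LocalTxCM
  elif grep -q '<xa-datasource>' "$1"; then echo XATxCM
  elif grep -q '<no-tx-datasource>' "$1"; then echo NoTxCM
  else return 1
  fi
}

# policy_block <domain> <login-config.xml>: the <application-policy> element for the domain
policy_block() {
  sed -n "/<application-policy name=\"$1\">/,/<\/application-policy>/p" "$2"
}

# option_value <policy-block> <option-name>: value of <module-option name="option-name">
option_value() {
  printf '%s\n' "$1" | sed -n "s:.*<module-option name=\"$2\">\([^<]*\)<.*:\1:p" | head -n 1
}

# check_ds <ds-file> <login-config.xml>: print each problem found; status 1 if any
check_ds() {
  ds=$1; cfg=$2; rc=0
  case $ds in
    *-ds.xml) ;;
    *) echo "FAIL: $ds does not end in -ds.xml, so the deployer will ignore it"; rc=1 ;;
  esac
  jndi=$(xml_text jndi-name "$ds")
  domain=$(xml_text security-domain "$ds")
  if [ -z "$domain" ]; then
    echo "FAIL: $ds has no <security-domain>, the login module would never be used"
    return 1
  fi
  block=$(policy_block "$domain" "$cfg")
  if [ -z "$block" ]; then
    echo "FAIL: no <application-policy name=\"$domain\"> in $cfg (the match is case-sensitive)"
    return 1
  fi
  printf '%s\n' "$block" | grep -q 'code="org.jboss.resource.security.SecureIdentityLoginModule"' ||
    { echo "FAIL: policy $domain does not use SecureIdentityLoginModule"; rc=1; }
  svc=$(cm_service "$ds") || { echo "FAIL: unknown datasource element in $ds"; return 1; }
  expected="jboss.jca:name=$jndi,service=$svc"
  mcf=$(option_value "$block" managedConnectionFactoryName)
  [ "$mcf" = "$expected" ] ||
    { echo "FAIL: managedConnectionFactoryName is '$mcf', expected '$expected'"; rc=1; }
  pw=$(option_value "$block" password)
  printf '%s\n' "$pw" | grep -Eq '^-?[0-9a-f]+$' ||
    { echo "FAIL: password option '$pw' is not the hex string printed in step 1"; rc=1; }
  # The encoding is reversible with the jars on the server, so the file itself must be protected.
  perms=$(ls -l "$cfg" | cut -c5-10)
  [ "$perms" = "------" ] || echo "WARN: $cfg is readable by group/others ($perms); chmod 600 it"
  if [ "$rc" -eq 0 ]; then echo "OK: $ds -> security-domain $domain -> $expected"; fi
  return "$rc"
}

# Constructed sample files (not from the post), written to a scratch directory
WORK=$(mktemp -d)
cat > "$WORK/VASEncrypted-ds.xml" <<'EOF'
<datasources>
  <local-tx-datasource>
    <jndi-name>VASDS</jndi-name>
    <security-domain>VASEncryptedDS</security-domain>
  </local-tx-datasource>
</datasources>
EOF
cat > "$WORK/login-config.xml" <<'EOF'
<policy>
  <application-policy name="VASEncryptedDS">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">vasTest</module-option>
        <module-option name="password">-207a6df87216de44</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:name=VASDS,service=LocalTxCM</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
EOF
# A broken copy: the cleartext password was left in and the service type is wrong
sed -e 's/-207a6df87216de44/vasSecret1/' -e 's/LocalTxCM/XATxCM/' \
  "$WORK/login-config.xml" > "$WORK/login-config-bad.xml"

check_ds "$WORK/VASEncrypted-ds.xml" "$WORK/login-config.xml"
check_ds "$WORK/VASEncrypted-ds.xml" "$WORK/login-config-bad.xml" || echo "(two problems reported, as expected)"
```

Run it against the real files before step 6: a FAIL means the restart would either not deploy the datasource or deploy it with a login module that cannot decode the password. The WARN about file permissions is there because the encoding is reversible by anyone holding login-config.xml and the JBoss jars.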

Common Errors :-

  • Incorrect database “username” or “password”.
  • Database not running.
  • The database port blocked by firewall.

References :-

As usual, my most favorite website (Google) has a solution for every issue. The entire solution for this issue is based on research from sites returned by Google. If I have missed any site, please comment and I will add it to the references. I apologize in advance for any site not mentioned in the ‘references’; this was unintentional.

Google.com :- Search words ‘jboss datasource password encryption’

http://docs.jboss.org

http://community.jboss.org/wiki/encryptingdatasourcepasswords

Thanks,

Weblogic-Wonders Team

Dream, Learn, Share and Inspire !

Disclaimer :-

I have tested the above steps on Linux and Windows XP with the databases “MySQL” and ”Oracle”. Please take a backup of important files before execution. Do let me know if there are any typographical mistakes or if I have missed any step.

Automation of Open SSL CSR(Certificate Sign Request) creation

As part of my job routine I need to create CSRs for the various new sites we maintain and mail them to the CA. Creation of a CSR is a two-step process: first we create a key, which is a simple one-line command, and then we create the CSR. For the second step we need to enter some information about the certificate we are requesting the CA to sign. Generally I paste this information while creating the CSR, but one day I had to create approximately 5-6 certificates at once, and at that point I didn’t feel that copying and pasting this information was the best way to create CSRs; moreover, it is error prone.

So I did some research on this issue and found a solution. Basically we need to create a “conf” file and pass it to the “openssl req” command using the “-config” option.

Below are two solutions to this issue.

Prerequisites :-

  • Installation of the “openssl” tool.
  • “uuencode” and “mailx” if you want to send mail using “solution 2”.

Note :- Code can be downloaded at “http://weblogic-wonders.com/weblogic/wp-content/uploads/2011/01/VASCreateSSL1.zip”.

Solution 1:-

This is a simple solution. We create a “conf” file containing all the required details and then execute the “openssl req” command. Please find the attached ‘vasSSLTest.conf’.

==================================

dir = .
siteName = vastestapp.com

[ req ]
default_bits = 2048
default_keyfile = ${siteName}.key
distinguished_name = req_distinguished_name
prompt = no
output_password = <Password for the key file>

[ req_distinguished_name ]
C = US
ST = CA
L = SFO
O = VAS Techbology
OU = VAS IT
CN = ${siteName}

==================================

Explanation :-

dir :- Value for this variable is “.”. Note that “dir” has no special meaning to the “req” command; it is just a variable defined at the top of the file that can be referenced as “${dir}” elsewhere in the config. The “key” and “csr” files are written where the “-out” option and “default_keyfile” say, relative to the directory from which we execute “openssl req”.

siteName :- Value for this variable is “vastestapp.com”. This is the site for which we are creating the CSR request.

[req] :- Block. This section contains all the settings for the “req” command.

default_bits :- Specifies the key size in bits. In this example we create a 2048-bit key; do not go below 2048, since public CAs no longer sign 1024-bit RSA keys.

distinguished_name :- Value for this field is “req_distinguished_name”. This value is a pointer to the block “req_distinguished_name”, which defines all the variable values such as “C, ST, L, O, OU, CN”.

prompt :- Value for this field is “no”. If set to “no”, prompting for the certificate fields is disabled and all values are taken from the “conf” file.

output_password :- The password used to encrypt the private key written to “default_keyfile”. Anyone who can read the conf file can read this password, so either restrict the file’s permissions or drop this line and pass the password on the command line with “-passout” instead.

req_distinguished_name :- In this block we define the distinguished name, which the CA uses when it signs the CSR.

C :- Country

ST :- State.

L :- Locality

O :- Organization

OU :- Organization Unit

CN :- Common Name (here we provide the ‘siteName’; in this case the site name is ‘vastestapp.com’). Note that current browsers and CA policy require the host names to be listed in a subjectAltName extension, and a CSR that carries only a CN will be rejected or have its name ignored. To add one, set “req_extensions” in the [ req ] block to the name of a section that contains a “subjectAltName” line.

Once you have defined the ‘conf’ file as above, you just need to execute the command below to create the ‘CSR’ and ‘KEY’ files.

openssl req -new -config <Config File Name> -out <CSR File Name>

Config File Name :- The ‘conf’ file we just created.

CSR File Name :- This is where the output of ‘openssl req’ is stored. This is the CSR file we will be sending to the CA.

Solution 2:-

This solution is an extension of ‘solution 1’. We use the same ‘openssl req’ command but wrap it in a shell script.

You can download the code at “http://weblogic-wonders.com/weblogic/wp-content/uploads/2011/01/VASCreateSSL1.zip”.

OverView :-

When we execute this script, it creates a new ‘conf’ file for the new site, creates the ‘key’ file, creates the ‘CSR’ file and finally mails the ‘CSR’ to the e-mail addresses listed in the ‘ksh’ script.

The attached zip file contains 5 files

1) vasSSLTest.conf :- This is a template file. We create a ‘conf’ for the new site by copying this file and then replacing the variables ‘APPNAME’, ‘SITENAME’ and ’ENV’ with the values defined in ‘vasSite.properties’.

2) vasSite.properties :- In this file we define all the properties related to new site, for which we are creating the CSR.

appname=vasTestApp
sitename=vastestapp.com
env=prod

3) VASCreateCSR.ksh :- This is the main engine. This ‘ksh’ script contains all the logic to create the new CSR and mail it to you. It has the following important blocks; check the attached zip for more details.

define variables.

define various functions and call various functions.

Execute ‘openssl req’ command.

Mail the CSR.

4) vasEMail.conf :- This is the e-mail template file, which can be edited as per individual requirements.

5) VASCreateCSRScriptExplanation.txt :- This is a plain text file which explains the logic of the “VASCreateCSR.ksh” in brief.

Execution :-

chmod 700 VASCreateCSR.ksh

./VASCreateCSR.ksh vasSite.properties

Note :- I have tested the script in the “Korn” shell and it works perfectly for me. If anyone finds an issue, please comment and I will try to fix it.

Validation :-

1) The ‘CSR’ that has been created can be tested at the site ‘http://www.thawte.nl/en/support/test+your+csr/’.

2) We can also check that the key password works with the command “openssl rsa -in vastestapp.com.key -check”. Enter the password you set in the “output_password” variable in “vasSSLTest.conf”.

References :-

As usual, my most favorite website (Google) has a solution for every issue. The entire solution for this issue is based on research from sites returned by Google. If I have missed any site, please comment and I will add it to the references. I apologize in advance for any site not mentioned in the ‘references’; this was unintentional.

Google.com :- Search words ‘openssl conf’

https://www.sit.auckland.ac.nz/Automating_CSR_creation

http://www.openssl.org/docs/apps/req.html#

Thanks,

Weblogic-Wonders Team

Dream, Learn, Share and Inspire !

Disclaimer :-

This script is not the best solution; a better, more elegant script could be written, but this is just an example of how I solved the issue I faced. Any suggestions/comments regarding this script are welcome.

JBoss Command Line Utility Twiddle

Recently I faced a situation where I had to invoke a method on a particular “MBean” 10-15 times. I completed this task manually from the “JMX-Console”, but I didn’t feel it was an elegant way of executing the task.

So I started doing research to find out whether there is a better way of doing this. Finally I found a utility called “twiddle” which comes with every JBoss installation. In this article I am sharing what I have learned; there are many more complex tasks that can be performed with this utility.


Variables :-

JBOSS_HOME :- This is the location where JBoss is installed.

Prerequisites :-

We need to set the “JAVA_HOME” variable before executing twiddle. This can be done in two ways.
Solution 1:-

In the profile :- In the “bash profile” (I use the ‘bash’ profile; the same can be done with other shells), go to the “HOME” directory (enter “cd” at the command prompt), open “.bash_profile” (make sure there is a “dot” before “bash_profile”; this is a hidden file) and enter the lines below.

JAVA_HOME=<location where “java” is installed>
export JAVA_HOME

Save the file and enter “source .bash_profile”. The “source” command reads commands from the file and executes them in the current shell environment.

Solution 2 :-

Update “twiddle.sh” (take a backup before editing the file) and add the lines below.

JAVA_HOME=<location where “java” is installed>
export JAVA_HOME
echo “VAS JAVA_HOME : ${JAVA_HOME}”

Note :- Solution “2” is better than “1” because solution 1 might affect other applications too, whereas solution “2” affects only “twiddle.sh”.

Validation :-

Enter “echo ${JAVA_HOME}”; this should return the location where Java is installed. If it returns an empty value, the variable is not set properly; please check the steps above.


Execution :-

Go to the directory “JBOSS_HOME/bin” and execute “./twiddle.sh”. It should display the help options.

Help :-

./twiddle.sh --help-commands :- displays all the commands we can invoke with this utility.
./twiddle.sh -H<command> :- provides additional information on a particular command, such as its syntax and the options that can be passed to it.

Example :-
./twiddle.sh -Hinvoke

Syntax :-

./twiddle.sh -s <serverUrl> -u <userName> -p <password> <command> [command_arguments]

serverUrl :- <protocol>://<serverName>:<port>
protocol :- jnp (this is optional)
serverName :- Since we execute the command on the box where JBoss is installed, we can give either “localhost” or the actual server name.
port :- 1099. This is the port on which the JBoss Naming service listens. If you are using an out-of-the-box JBoss installation this will be the port. If you changed it and don’t remember the value, either check the file “JBOSS_HOME/server/<serverName>/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml” or log on to “http://<serverName>:<port>/jmx-console”, click “jboss” in the left column, then “service=Naming”, and read the value of the “port” attribute.

Note :- The user name and password given with -u/-p end up in your shell history and are visible in the process list while twiddle runs, so run it as the JBoss user on the server itself, replace the admin/admin sample credentials used in the examples below, and do not expose port 1099 (or the JMX invoker) to networks you do not control.

Commands :-

jsr77 :- displays jsr77 related information.
xmbean :- prints the MBean metadata as an “xmbean” descriptor. In this output you can find all the attributes and operations of a particular MBean.
info :- get the metadata for an MBean.
get :- get the value of an MBean attribute.
invoke :- invoke an operation on an MBean.
create :- create an MBean.
setattrs :- set the values of one or more MBean attributes.
unregister :- unregister one or more MBeans.
queryMethod :- query the list of matching methods on MBeans.
listDomains :- list all the domains.
query :- query the list of matching MBeans.
set :- set the value of one MBean attribute.
serverinfo :- get information about the MBean server.


Examples :-

jsr77 :-

Displays the “jsr77” information for this particular server.

./twiddle.sh -s jnp://localhost:1099 -u admin -p admin jsr77

xmbean :-

Displays information of the MBean as “xmbean” descriptor.

./twiddle.sh -s jnp://localhost:1099 -u admin -p admin xmbean jboss:service=Naming

info :-

Get the metadata of a particular MBean.

./twiddle.sh -s jnp://localhost:1099 -u admin -p admin info jboss:service=Naming

get :-

Get value of a particular ‘attribute’.

./twiddle.sh -s localhost:1099 -u admin -p admin get 'jboss:service=Naming' Name

Get the values of multiple ‘attributes’. The attributes must be separated by a ‘space’.

./twiddle.sh -s localhost:1099 -u admin -p admin get 'jboss:service=Naming' Name State

invoke :-

Invoke operation on a particular mbean.

./twiddle.sh -s localhost:1099 -u admin -p admin invoke jboss.system:type=ServerInfo listThreadCpuUtilization

Note :- There are multiple additional options, I didn’t explore them as of now.

create :-

Create an MBean.

I didn’t explore this command, I need to do research on this command a little more. I will update this article once I found more on this command.

setattrs :-

Set values of one or more bean attributes.

In the command below we set the values of two attributes, “Backlog” and “JNPServerSocketFactory”, to “100” and “null” respectively.

./twiddle.sh -s localhost:1099 -u admin -p admin setattrs 'jboss:service=Naming' Backlog 100 JNPServerSocketFactory null

unregister :-

Unregister a one or more Mbeans.

Again I didn’t get much chance to explore this command, will update on this on this command once I am done with research.

queryMethod :-

Query all methods on all MBeans.

./twiddle.sh -s localhost:1099 -u admin -p admin queryMethod list

Query methods on a subset of MBeans, selected with the “-f” filter.

./twiddle.sh -s localhost:1099 -u admin -p admin queryMethod -f 'jboss:*' list

listDomains :-

List all the domains.

./twiddle.sh -s localhost:1099 -u admin -p admin listDomains

query :-

Display all Mbeans on the server.

./twiddle.sh -s localhost:1099 -u admin -p admin query '*:*'

Display the MBeans of a particular domain. The command below displays those in the domain “jboss.j2ee”.

./twiddle.sh -s localhost:1099 -u admin -p admin query 'jboss.j2ee:*'

set :-

Set the value on particular attribute.

./twiddle.sh -s localhost:1099 -u admin -p admin set 'jboss.system:service=Logging,type=Log4jService' RefreshPeriod 60

serverinfo :-

Display information about MBean server.

./twiddle.sh -s localhost:1099 -u admin -p admin serverinfo -l

Number of MBeans on the server.

./twiddle.sh -s localhost:1099 -u admin -p admin serverinfo -c

Default Domain.

./twiddle.sh -s localhost:1099 -u admin -p admin serverinfo -d

Few Important Useful Operations :- We can do many operations with “Twiddle”, below are just few examples.

Deploying an Application :-

./twiddle.sh -s localhost:1099 -u admin -p admin invoke 'jboss.system:service=MainDeployer' deploy "file:///tmp/VASVijay/VASApp.war"

Undeploying an Application :-

./twiddle.sh -s localhost:1099 -u admin -p admin invoke 'jboss.system:service=MainDeployer' undeploy "file:///tmp/VASVijay/VASApp.war"

Redeploying an Application :-

./twiddle.sh -s localhost:1099 -u admin -p admin invoke 'jboss.system:service=MainDeployer' redeploy "file:///tmp/VASVijay/VASApp.war"

Take ThreadDump :-

./twiddle.sh -s localhost:1099 -u admin -p admin invoke 'jboss.system:type=ServerInfo' listThreadDump

Get Server Info :-

./twiddle.sh -s localhost:1099 -u admin -p admin get 'jboss.system:type=ServerInfo'
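The problem that started this article was invoking one MBean operation 10-15 times by hand. The script below is an added example, not part of the original post or of JBoss: it runs a list of twiddle commands from a file, stops at the first failure, and reads the admin credentials from a file that must be mode 600 instead of taking them on the command line, so they do not land in shell history (twiddle itself still receives -p, which is briefly visible in the process list on the same host). The commands file, the credentials and the default paths are sample data; TWIDDLE and SERVER_URL can be overridden from the environment, which is also how a stub stands in for twiddle.sh when the script is tried on a machine without JBoss.

```shell
#!/bin/sh
# Added example (not code from the original post): run a list of twiddle
# invocations from a file instead of retyping them, stopping at the first
# failure. Credentials come from a 0600 file so the admin password never lands in
# shell history; twiddle still takes -p on its command line, so it is briefly
# visible to other users on the same host in the process list.
# Assumptions: JBOSS_HOME set (or the /opt/jboss fallback), the server URL below,
# and TWIDDLE overridable from the environment. All file contents are sample data.

TWIDDLE=${TWIDDLE:-${JBOSS_HOME:-/opt/jboss}/bin/twiddle.sh}
SERVER_URL=${SERVER_URL:-jnp://localhost:1099}

# read_creds <file>: prints "user password" from a 0600 file; refuses anything looser
read_creds() {
  perms=$(ls -l "$1" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "refusing $1: group/other permissions are '$perms', expected none (chmod 600)" >&2
    return 1
  fi
  head -n 1 "$1"
}

# run_batch <commands-file> <creds-file>: one twiddle command per line, '#' lines are comments.
# Prints the number of commands run; returns non-zero at the first failing command.
run_batch() {
  creds=$(read_creds "$2") || return 1
  user=${creds%% *}
  pass=${creds#* }
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    n=$((n + 1))
    # $line is deliberately unquoted: it holds the twiddle command and its arguments
    if ! "$TWIDDLE" -s "$SERVER_URL" -u "$user" -p "$pass" $line; then
      echo "command $n failed: $line" >&2
      return 1
    fi
  done < "$1"
  echo "$n"
}

# Constructed sample input: three operations from the examples above, plus the creds file
WORK=$(mktemp -d)
cat > "$WORK/ops.twiddle" <<'EOF'
# thread dump, CPU per thread, then a config change
invoke jboss.system:type=ServerInfo listThreadDump
invoke jboss.system:type=ServerInfo listThreadCpuUtilization
set jboss.system:service=Logging,type=Log4jService RefreshPeriod 60
EOF
printf 'admin admin\n' > "$WORK/twiddle.creds"   # sample credentials only
chmod 600 "$WORK/twiddle.creds"

# Runs against the real twiddle.sh when it is present; prints the number of commands executed
[ -x "$TWIDDLE" ] && run_batch "$WORK/ops.twiddle" "$WORK/twiddle.creds"
```

Put the MBean names in the commands file without shell quotes, since each line is split on whitespace and passed to twiddle as-is. Because the script stops at the first failure, a batch that hits the NotSerializableException described under Issues below will report the line number so the offending get can be narrowed to a specific attribute.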

Issues :-

Twiddle may throw an exception like the one below; this is a known exception. It happens because “twiddle” runs in a separate “JVM” from the “JBoss JVM”, so every returned value has to be serialized to travel between the two, and the value being fetched here (a TxConnectionManager) is not Serializable. There is a patch for this at “https://issues.jboss.org/browse/JBAS-4323”.

10:16:57,158 ERROR [Twiddle] Exec failed java.io.NotSerializableException: org.jboss.resource.connectionmanager.TxConnectionManager
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1474)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1392)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1150)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:326)
at java.util.ArrayList.writeObject(ArrayList.java:570)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:945)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1461)

Pending Tasks :-

Exploring below commands and options :-

Options :- The “-c” option. I was not able to find out the correct way to execute this option, so I am checking with Redhat on it. If any of you know how to use this option, please let me know. Thanks in advance for sharing the solution.

Commands :- The “create” and “unregister” commands. I need to write code to explore these. I will add examples for executing these commands as soon as I have tested them successfully.

References :-

This article wouldn’t have been possible without ‘google’ and the many wonderful articles written by experts. A few of them are below. I referenced many sites for this utility and couldn’t remember all of the site names; if I didn’t mention a particular site whose example I used, it is only because I don’t remember the name, and I sincerely apologize for not mentioning it. Please let me know if anyone feels I have missed a particular site in the references and I will add it.

http://community.jboss.org/wiki/Twiddle

http://nagpals.com/jboss-examples-of-twiddle

I hope that you all liked this article. If there are any issues or suggestions, or if you don’t like anything in the article, please comment.

For some more Twiddle examples, refer the below post.

http://weblogic-wonders.com/weblogic/2011/02/13/twiddle-utility-examples/

Thanks,

Wonders-Team,

Dream, Learn, Share and Inspire !