Encrypting JBoss Database Cleartext Passwords

I have been planning to write this article for the past two days, but I was in a dilemma whether to post it or not. It is not that the article is not helpful, but there are already many good articles on this subject on the internet. I even tried to automate this feature, so that we could present an article different from all the existing ones, but automation turned out to be more complex than the manual steps, thanks to variable factors such as the types of datasources (xa, non-xa, local-xa etc.), the properties of the “-ds.xml” file, and the different databases (MySQL, Oracle, MS SQL). Automation would make the subject complex, so I will update this post with automation files if I am able to write elegant code.

Finally, we want “weblogic-wonders” to be one of the sites to stop by for all “middleware” enthusiasts, so we decided to post this article.

Prerequisites :-

  • Set the JAVA_HOME variable.
  • Test the JDBC connection URL in any SQL client.
  • Take a backup of “JBOSS_HOME/server/<serverName>/conf/login-config.xml” in another directory outside “JBOSS_HOME”.
  • Copy the respective driver “jar” file to “JBOSS_HOME/server/<serverName>/lib”. For MySQL I copied “mysql-connector-java-5.1.6.jar” and for Oracle I copied “ojdbc6.jar”.
  • JBOSS_HOME :- I have used this “word” many times in the post below; it is the location where JBoss is installed. For example, on my machine “JBOSS_HOME” is “/vasvijay/jboss/jboss-eap-5.0/jboss-as”.

Downloads :-

You can download the “xml” files from “https://weblogic-wonders.com/weblogic/wp-content/uploads/2011/01/VASDSPasswordEncryption.zip”.

Execution :-

In order to encrypt the database password, we will perform the 7 steps below.

Step 1:- Encrypt the database password.

a) “cd” to “JBOSS_HOME” and execute the command below.

java -cp client/jboss-logging-spi.jar:common/lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule <passwordYouWantToEncrypt>

Note :- Make sure “JBOSS_HOME/client/jboss-logging-spi.jar” and “JBOSS_HOME/common/lib/jbosssx.jar” exist. On Windows the classpath separator is “;” instead of “:”.

Step 2 :- Create the “-ds.xml” file. Make sure the file name has the extension “-ds.xml”; otherwise the datasource will not be deployed.

Below is a sample xml file. I used only basic, minimal properties to test this feature. In a real deployment we can add many additional properties/tags such as “min-pool-size”, ”max-pool-size” and ”prepared-statement-cache-size”. Please check the “JBoss wiki” documentation for more details.

<datasources>
<local-tx-datasource>
<jndi-name>VASDS</jndi-name>
<connection-url>jdbc:oracle:thin:localhost:1521/vasDB1</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<security-domain>VASEncryptedDS</security-domain>
<exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
<metadata>
<type-mapping>Oracle9i</type-mapping>
</metadata>
</local-tx-datasource>
</datasources>

local-tx-datasource :- This element specifies that we are using the “LocalTXConnectionManager” service. Other types include

a) xa-datasource

b) no-tx-datasource

c) ha-local-tx-datasource

d) ha-xa-datasource

jndi-name :- the JNDI name; we can access this resource under the “java:/” context unless we set “use-java-context” to “false”.

connection-url :- This is a simple connection string using the Oracle Thin Driver, which connects to the database “vasDB1” on the local host “localhost”. Please test this connection string in a SQL client before using it; this way we rule out connection-string issues up front.

driver-class :- The Oracle driver class.

security-domain :- The “security domain name” defined in “JBOSS_HOME/server/<serverName>/conf/login-config.xml”. This name must exactly match the “name” attribute of the “application-policy” tag.

exception-sorter-class-name :- specifies a class implementing “org.jboss.resource.adapter.jdbc.ExceptionSorter”, which examines database exceptions to determine whether or not an exception indicates a connection error.

type-mapping :- specifies the Oracle9i type mapping for the Oracle 10g datasource configuration.

Step 3 :- Update “JBOSS_HOME/server/<serverName>/conf/login-config.xml”. This is the JAAS login configuration file. We will add a new security domain called “VASEncryptedDS”.

Append the lines below to “login-config.xml” at the end, just before “</policy>”.

<application-policy name="VASEncryptedDS">
<authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username">vasTest</module-option>
<module-option name="password">ENCRYPTEDPASSWORD_USING_STEP1</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=VASDS,service=LocalTxCM</module-option>
</login-module>
</authentication>
</application-policy>

login-module :- the “code” attribute defines the class used for “authentication”. The “flag” attribute with value “required” means that this login module must succeed for the authentication to pass.

module-option :-

username :- the database “username”.

password :- the password encrypted in “step 1”.

managedConnectionFactoryName :- the MBean name of the connection manager; for our “local-tx-datasource” it is built from the “jndi-name” (VASDS) and the service “LocalTxCM”. If you are not sure what this name should be, log in to the “jmx-console”, click “jboss.jca” in the left-hand column, take any of the strings on the right and construct this string accordingly.

Step 4 :- Copy the updated “login-config.xml” to the directory “JBOSS_HOME/server/<serverName>/conf”.

Step 5 :- Copy “VASEncrypted-ds.xml” to the directory “JBOSS_HOME/server/<serverName>/deploy”.

Note :- The Step 2 “xml” file can be saved under any name ending in “-ds.xml”. I named my file “VASEncrypted-ds.xml”.

Step 6 :- Restart the server. Since we edited “login-config.xml” in “JBOSS_HOME/server/<serverName>/conf”, the server must be restarted for the change to take effect.

Step 7 :- Validate that the datasource has been deployed successfully.

Method 1 :- while the server is starting you will find the entry below in the log.

09:11:51,353 INFO  [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=VASDS' to JNDI name 'java:VASDS'

Method 2 :- Log in to the “jmx-console” and click the “jboss.jca” entry in the left-hand column. You should see “VASDS” entries in the right-hand column.

Method 3 :-

./twiddle.sh -s jnp://icdusdartapp01:1099 -u admin -p admin get 'jboss.jca:name=VASDS,service=LocalTxCM' ManagedConnectionPool

Note :- There are a couple of other methods, such as the “web-console” and “admin-console”.

Note :- For in-depth detail on “twiddle”, please read the article “https://weblogic-wonders.com/weblogic/2010/12/22/jboss-command-line-utility-twiddle/”.
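Most failures in steps 2, 3 and 7 come from the three files disagreeing with each other: a “-ds.xml” whose “security-domain” has no matching “application-policy”, a “managedConnectionFactoryName” whose “name” or “service” does not match the datasource, or the template placeholder left in the “password” option. The script below is an added example (not part of this post and not JBoss code) that cross-checks a “-ds.xml” against “login-config.xml” and then looks for the Step 7 binding line in the server log. The sample XML, the hex password value and the log line are constructed here; the mapping from datasource element to connection manager service (“LocalTxCM”, “XATxCM”, “NoTxCM”) is an assumption about JBoss 4/5 JCA naming. One caveat worth keeping in mind: “SecureIdentityLoginModule” decrypts the value at login time with a key hardcoded in the class, so the password in “login-config.xml” is obfuscated rather than protected by a secret of yours, and the “conf” directory still needs restrictive file permissions.

```python
"""Cross-check a JBoss 5 -ds.xml against its login-config.xml security domain
and confirm the JNDI binding line in the server log.
Added example for this post, not JBoss project code."""
import re
import xml.etree.ElementTree as ET

# Datasource element -> connection manager service used in the MBean name.
# Assumption: JBoss 4/5 JCA naming, jboss.jca:name=<jndi-name>,service=<CM>.
CM_SERVICE = {
    "local-tx-datasource": "LocalTxCM",
    "ha-local-tx-datasource": "LocalTxCM",
    "xa-datasource": "XATxCM",
    "ha-xa-datasource": "XATxCM",
    "no-tx-datasource": "NoTxCM",
}
LOGIN_MODULE = "org.jboss.resource.security.SecureIdentityLoginModule"
TEMPLATE_PLACEHOLDER = "ENCRYPTEDPASSWORD_USING_STEP1"
# Step 1 prints the Blowfish output as BigInteger.toString(16): hex digits,
# possibly with a leading '-'. Plausibility check only, not validation.
HEX_RE = re.compile(r"^-?[0-9a-f]+$")

# Constructed sample inputs mirroring the files built in steps 2 and 3.
DS_XML = """<datasources>
<local-tx-datasource>
<jndi-name>VASDS</jndi-name>
<connection-url>jdbc:oracle:thin:localhost:1521/vasDB1</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<security-domain>VASEncryptedDS</security-domain>
</local-tx-datasource>
</datasources>"""

LOGIN_CONFIG_XML = """<policy>
<application-policy name="VASEncryptedDS">
<authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username">vasTest</module-option>
<module-option name="password">0a1b2c3d4e5f60718293a4b5c6d7e8f9</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=VASDS,service=LocalTxCM</module-option>
</login-module>
</authentication>
</application-policy>
</policy>"""

# Constructed log line in the shape of the Step 7 "Method 1" entry.
SAMPLE_LOG = ("09:11:51,353 INFO  [ConnectionFactoryBindingService] Bound ConnectionManager "
              "'jboss.jca:service=DataSourceBinding,name=VASDS' to JNDI name 'java:VASDS'\n")


def _mbean_props(name):
    """'jboss.jca:name=VASDS,service=LocalTxCM' -> ('jboss.jca', {'name': ..., 'service': ...})."""
    domain, _, props = name.partition(":")
    pairs = (p.split("=", 1) for p in props.split(",") if "=" in p)
    return domain, {k.strip(): v.strip() for k, v in pairs}


def check_datasource(ds_xml, login_config_xml, ds_filename):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    if not ds_filename.endswith("-ds.xml"):
        findings.append(f"{ds_filename} does not end with -ds.xml, so it will not deploy")

    ds_root = ET.fromstring(ds_xml)
    ds = next((c for c in ds_root if c.tag in CM_SERVICE), None)
    if ds is None:
        return findings + ["no supported *-datasource element found"]
    jndi = ds.findtext("jndi-name", "").strip()
    domain = ds.findtext("security-domain", "").strip()
    if not jndi or not domain:
        return findings + ["jndi-name and security-domain are both required"]
    expected_cm = CM_SERVICE[ds.tag]

    lc_root = ET.fromstring(login_config_xml)
    policy = next((p for p in lc_root.iter("application-policy")
                   if p.get("name") == domain), None)
    if policy is None:
        return findings + [f"no application-policy named {domain} in login-config.xml"]

    module = policy.find("authentication/login-module")
    if module is None or module.get("code") != LOGIN_MODULE:
        return findings + [f"security domain {domain} does not use {LOGIN_MODULE}"]
    opts = {o.get("name"): (o.text or "").strip() for o in module.iter("module-option")}

    pwd = opts.get("password", "")
    if pwd == TEMPLATE_PLACEHOLDER or not HEX_RE.match(pwd):
        findings.append("password module-option is not a step-1 encoded value")

    mcf = opts.get("managedConnectionFactoryName", "")
    mbean_domain, props = _mbean_props(mcf)
    if mbean_domain != "jboss.jca" or props.get("name") != jndi:
        findings.append(f"managedConnectionFactoryName '{mcf}' does not name jndi-name {jndi}")
    if props.get("service") != expected_cm:
        findings.append(f"{ds.tag} needs service={expected_cm}, found service={props.get('service')}")
    return findings


BINDING_RE = re.compile(
    r"Bound ConnectionManager 'jboss\.jca:service=DataSourceBinding,name=(?P<name>[^']+)'"
    r"\s+to JNDI name\s+'java:(?P<jndi>[^']+)'")


def check_log_binding(log_text, jndi_name):
    """True if the Step 7 binding line for jndi_name appears in log_text."""
    return any(m.group("name") == jndi_name and m.group("jndi") == jndi_name
               for m in BINDING_RE.finditer(log_text))


if __name__ == "__main__":
    print(check_datasource(DS_XML, LOGIN_CONFIG_XML, "VASEncrypted-ds.xml") or "config OK")
    print("binding found:", check_log_binding(SAMPLE_LOG, "VASDS"))
```

Run it against your own files by reading them into the two strings and passing the real deploy file name; every finding it prints corresponds to one of the “Common Errors” style problems that otherwise only show up as a failed deployment at restart.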

Common Errors :-

  • Incorrect database “username” or “password”.
  • Database not running.
  • Database port blocked by a firewall.

References :-

As usual, my favorite website (Google) has a solution for every issue. The entire solution for this issue is based on research from sites returned by Google. If I have missed any site, please comment and I will add it to the references. I apologize in advance for not mentioning a site in the ‘references’; this was unintentional.

Google.com :- Search words ‘jboss datasource password encryption’

http://docs.jboss.org

http://community.jboss.org/wiki/encryptingdatasourcepasswords

Thanks,

Weblogic-Wonders Team

Dream, Learn, Share and Inspire !

Disclaimer :-

I have tested the above steps on Linux and Windows XP for the databases “MySQL” and “Oracle”. Please take a backup of important files before execution. Do let me know if there are any typographical mistakes or if I have missed any step.