In previous versions of JBoss EAP, the primary method of securely storing credentials and other sensitive strings was to use a password vault. A password vault stopped you from having to save passwords and other sensitive strings in plain text within the JBoss EAP configuration files.
However, a password vault has a few drawbacks. For example, each JBoss EAP server can only use one password vault, and all management of the password vault has to be done with an external tool.
New with the elytron subsystem in JBoss EAP 7.1 is the credential store feature.
You can create and manage multiple credential stores from right in the JBoss EAP management CLI, and the JBoss EAP management model now natively supports referring to values in a credential store using the credential-reference attribute. You can also create and use credential stores for Java applications using Elytron Client.
Below is a quick demonstration that shows how to create and use a credential store using the JBoss EAP management CLI.
Create a Credential Store
/subsystem=elytron/credential-store=my_store:add(location="cred_stores/my_store.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text=supersecretstorepassword},create=true)
Add a Credential or a Sensitive String to a Credential Store
/subsystem=elytron/credential-store=my_store:add-alias(alias=my_db_password, secret-value="speci@l_db_pa$$_01")
Use a Stored Credential in the JBoss EAP Configuration
The example below uses the previously added credential as the password for a new JBoss EAP data source.
data-source add --name=my_DS --jndi-name=java:/my_DS --driver-name=h2 --connection-url=jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE --user-name=db_user --credential-reference={store=my_store, alias=my_db_password}
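To check a server configuration after running the steps above, the following Python script (an added example, not code from the original article or from Red Hat) reports which secrets are still stored inline and which are credential-store references, including a store's own clear-text credential-reference. The XML sample is constructed, and its element layout and placeholder namespaces are assumptions about how the commands above are persisted.

```python
import xml.etree.ElementTree as ET
# Constructed sample: a cut-down server configuration modelled on what the
# commands above would persist. Element layout and namespaces are assumptions.
SAMPLE = """<server>
  <subsystem xmlns="urn:example:datasources">
    <datasource jndi-name="java:/my_DS" pool-name="my_DS">
      <security>
        <user-name>db_user</user-name>
        <credential-reference store="my_store" alias="my_db_password"/>
      </security>
    </datasource>
    <datasource jndi-name="java:/legacy_DS" pool-name="legacy_DS">
      <security><password>constructed-plaintext</password></security>
    </datasource>
  </subsystem>
  <subsystem xmlns="urn:example:elytron">
    <credential-store name="my_store" location="cred_stores/my_store.jceks">
      <credential-reference clear-text="constructed-store-password"/>
    </credential-store>
  </subsystem>
</server>"""

def local(tag):  # strip the "{namespace}" prefix ElementTree adds to tag names
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (kind, owner, detail) findings; secret values are never returned."""
    findings = []
    def walk(elem, owner):
        # The nearest named ancestor identifies the resource that owns the secret.
        name = elem.get("pool-name") or elem.get("name")
        if name:
            owner = f"{local(elem.tag)}={name}"
        tag = local(elem.tag)
        if tag == "password" and (elem.text or "").strip():
            # "${...}" is a vault or property expression, not a literal password.
            kind = "EXPRESSION" if elem.text.strip().startswith("${") else "PLAINTEXT"
            findings.append((kind, owner, "<password> element"))
        elif tag == "credential-reference" and elem.get("clear-text") is not None:
            findings.append(("PLAINTEXT", owner, "clear-text credential-reference"))
        elif tag == "credential-reference" and elem.get("store"):
            findings.append(("STORE_REF", owner, f"{elem.get('store')}/{elem.get('alias')}"))
        for child in elem:
            walk(child, owner)
    walk(ET.fromstring(xml_text), "server")
    return findings

if __name__ == "__main__":
    for kind, owner, detail in audit(SAMPLE):
        print(f"{kind:10} {owner:28} {detail}")
```
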
Using Credential Stores in EJB Applications
EJBs and other clients can use Elytron Client to create, modify, and access credential stores outside of a JBoss EAP server.
For more information on using credential stores in JBoss EAP 7.1, including how to convert existing password vaults to credential stores, see the JBoss EAP 7.1 How to Configure Server Security guide.
Last updated: December 13, 2017