Monday, August 9, 2010

JBOSS LDAP Password Encryption

Please make sure your JBoss LDAP connection works with a clear-text password before proceeding with encryption.

1) Create an mbean file named encrypt-service.xml and place it in the deploy folder.
encrypt-service.xml
------------------------------------------------------------------------------
   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security">
      <constructor>
         <arg type="java.lang.String" value="jk-ldap-security"></arg>
      </constructor>
      <attribute name="KeyStorePass">rchitect</attribute>
      <attribute name="Salt">rchitect</attribute>
      <attribute name="IterationCount">66</attribute>
   </mbean>
------------------------------------------------------------------------------
Note: The Salt value should be exactly 8 bytes long. More than 8 bytes is not accepted at the moment.

2) Restart the server if required.

3) Log in to the jmx-console at http://{ip-address}:8080/jmx-console/

4) In the Object Name Filter navigation on the left-hand side, select jboss.security and click the link domain=jk-ldap-security,service=JaasSecurityDomain

5) Go to Operation -> encode64, type your LDAP bind password and click Invoke.
6) The encrypted password is displayed on the screen. Save it.
7) Update your login-config.xml
Replace
<module-option name="bindCredential">clear-text-password</module-option>
with 
<module-option name="bindCredential">{encrypted-password-from-above}</module-option>
<module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security</module-option>
8) Restart the server.

Your LDAP bind password is now encrypted!

9) As you can see above, KeyStorePass is still in clear text. To encrypt the keystore password, create a file named server.password in the conf directory using the command below, substituting your own parameters.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.FilePassword $saltvalue $iterationcountvalue $password $JBOSS_SERVER_HOME/conf/server.password
e.g.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.FilePassword rchitect 66 rchitect $JBOSS_SERVER_HOME/conf/server.password

10) Replace the clear-text KeyStorePass with the following in encrypt-service.xml
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>

If you prefer not to use an mbean for encryption, you can also encrypt the LDAP bind password with the following command.

java -cp common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils $saltvalue $iterationcountvalue $password $encryptpassword
e.g.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils rchitect 66 rchitect ldap-bind-clear-password
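The scheme behind both the encode64 operation and PBEUtils is password-based encryption: the KeyStorePass is the PBE password, and Salt and IterationCount come from the mbean. The following added example (my own code, not part of JBoss or this post) reproduces that with the standard JCE, using the values from encrypt-service.xml; the algorithm name PBEwithMD5andDES is assumed to be the JaasSecurityDomain default, and because JBoss prints its result with its own base64 variant (also an assumption), compare the recovered plaintext rather than the encoded string. It also shows why encrypt-service.xml and server.password need the same file permissions as the clear-text password did: whoever can read them can reverse the encryption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Added example: PBE of an LDAP bind password with the post's mbean parameters. */
public class PbeDemo {
    // Values taken from the post's encrypt-service.xml
    static final String KEYSTORE_PASS = "rchitect";
    static final String SALT = "rchitect";   // exactly 8 bytes, as the post's note requires
    static final int ITERATIONS = 66;
    // Assumed to match the JaasSecurityDomain default cipher algorithm
    static final String ALGORITHM = "PBEwithMD5andDES";

    /** Builds a cipher keyed from KeyStorePass + Salt + IterationCount. */
    static Cipher cipher(int mode) throws Exception {
        byte[] salt = SALT.getBytes(StandardCharsets.UTF_8);
        if (salt.length != 8) {
            // The JCE PBES1 implementation rejects anything but an 8-byte salt,
            // which is the reason for the 8-byte rule in the post.
            throw new IllegalArgumentException("Salt must be exactly 8 bytes, got " + salt.length);
        }
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(KEYSTORE_PASS.toCharArray()));
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(mode, key, new PBEParameterSpec(salt, ITERATIONS));
        return c;
    }

    static byte[] encrypt(String bindPassword) throws Exception {
        return cipher(Cipher.ENCRYPT_MODE).doFinal(bindPassword.getBytes(StandardCharsets.UTF_8));
    }

    static String decrypt(byte[] ciphertext) throws Exception {
        return new String(cipher(Cipher.DECRYPT_MODE).doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String bindPassword = args.length > 0 ? args[0] : "ldap-bind-clear-password";
        byte[] ct = encrypt(bindPassword);
        System.out.println("ciphertext (standard base64): " + Base64.getEncoder().encodeToString(ct));
        // Anyone who can read encrypt-service.xml (or server.password) has every
        // input needed to reverse the encryption:
        System.out.println("recovered from config values: " + decrypt(ct));
    }
}
```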

1 Comment:

At June 16, 2016 at 3:26 AM , Blogger Unknown said...

From which directory do we have to execute this command: "java -cp common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils rchitect 66 rchitect ldap-bind-clear-password"?
