如何在 Jboss Wildfly 8.1 中配置 SSL

Question

我在 JBoss Wildfly 8.1 中配置了 SSL。我已经生成了一个密钥库文件并更新了 standaolne.xml 文件，如下所示

<security-realm name="security-realm">
  <server-identities> 
     <ssl> 
        <keystore path="security/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password=" changeit"/> 
     </ssl>
  </server-identities> 
</security-realm>

keystore-password 和 key-password 是明文形式。只是我们无法以明文形式显示它。我想加密密码。我尝试了很多，但在这方面无法提供可靠的帮助。所以任何人都可以帮助我如何加密这个密码以及如何在 sandalone.xml 文件中使用它。

Answer 1

您可以使用 VaultTool 屏蔽 WildFly 的密码。

WildFly 应用服务器中使用的

VaultTool 用于 为安全属性（例如密码）创建/使用存储 以后可以以掩码形式在 WildFly 配置文件中使用。

因此，用户可以使用对其安全属性的引用而不是 将它们以明文形式放入配置文件中。

首先你需要create a Java Keystore to Store Sensitive Strings。

$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore WILDFLY_HOME/vault/vault.keystore

然后初始化 Password Vault 并存储 ssl keystore 的密码：

wildfly-8.1.0.Final/bin$ sh vault.sh

=========================================================================

  JBoss Vault Tool
  JBOSS_HOME: "wildfly-8.1.0.Final"
  JAVA: ""
  JAVA_OPTS: ""

=========================================================================

**********************************
****  JBoss Vault  ***************
**********************************
Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:/home/fsierra/vault/
Enter Keystore URL:home/fsierra/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (e.g.: 44):17
Enter Keystore Alias:Vault
Initializing Vault
ene 13, 2015 12:42:48 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in WildFly configuration file:
********************************************
...
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
  <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
  <vault-option name="SALT" value="12345678"/>
  <vault-option name="ITERATION_COUNT" value="17"/>
  <vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::   0: Store a secured attribute  1: Check whether a secured attribute exists  2: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:keystore
Enter Attribute Name:password
Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:keystore
Attribute Name:password
Configuration should be done as follows:
VAULT::keystore::password::1
********************************************
Please enter a Digit::   0: Store a secured attribute  1: Check whether a secured attribute exists  2: Exit

最终，密钥库密码已被屏蔽，可用于配置文件和部署。

例如（standalone.xml）：

<extensions>  
    ...  
</extensions>  
<vault>  
    <vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
    <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="17"/>
    <vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault>
<management>
    <security-realms>
        ...

        <security-realm name="SslRealm">
            <server-identities>
                    <ssl>
                        <keystore path="ssl.jks" relative-to="jboss.server.config.dir" keystore-password="${VAULT::keystore::password::1}"/>
                    </ssl>
            </server-identities>
        </security-realm>
    </security-realms>
</management>

参考资料：

• Masking passwords for WildFly using non-interactive VaultTool
• Mask the Keystore Password and Initialize the Password Vault
• JBoss AS7 Securing Passwords
• AS7: Utilising masked passwords via the vault