
JBoss EAP 6 - Encrypting the Datasource Password with PicketBox and Vault

The new JBoss is configured much like the previous one: you can do it through a Security Domain, or with the new vault feature.
Don't know what a Security Domain is?
Go and ask Google, and brush up on your Java EE.
One nice thing about the new JBoss is that you no longer have to edit XML by hand; you can do everything through its admin console.
Grumble: still, I have never liked leaning on a GUI too much. At the very least you should understand why you are setting what you set (and no, this is not showing off XD).
Which values are you changing in the GUI? Where do they map to, and why?
If you only follow the document step by step you are at best a craftsman, still a long way from master level.
========================================================
Before configuring this, refer to the earlier article on setting up a Datasource and make sure the Datasource works.

The new JBoss keeps "almost" all configuration in standalone.xml and domain.xml.
This example uses standalone.

1. Point the DataSource at a Security Domain.

JBoss keeps the database user name and the encoded password inside a Security Domain.
The login module configured in that domain is what decodes the password when the pool opens a connection.


<datasource jta="false" jndi-name="java:jboss/datasource/PostgresDB" pool-name="PostgresDB" enabled="true" use-ccm="false">
     <connection-url>jdbc:postgresql://172.16.1.79:5432/postgres</connection-url>
     <driver-class>org.postgresql.Driver</driver-class>
     <driver>postgres</driver>
     <security>
          <security-domain>PostgresEncrypt</security-domain>
     </security>
     <validation>
          <validate-on-match>false</validate-on-match>
          <background-validation>false</background-validation>
     </validation>
     <statement>
          <share-prepared-statements>false</share-prepared-statements>
     </statement>
</datasource>
         
That is all the datasource needs. Because it only refers to the Security Domain by name, this part stays the same whichever method we use to protect the password.

What changes is the Security Domain, so first create one named PostgresEncrypt (in standalone.xml or domain.xml).


<security-domain name="PostgresEncrypt" cache-type="default">

     ......

</security-domain>

This post covers two ways of protecting the password:
1.  Picketbox
2.  Vault

Picketbox


PicketBox ships with JBoss, so we can use the JARs that come with JBoss to encode the password. One caveat before you rely on it: what SecureIdentityLoginModule produces is obfuscation, not encryption in any meaningful sense. It is Blowfish under a fixed key that is compiled into the PicketBox JAR, so anyone who can read standalone.xml can recover the clear-text password. Treat the file as if it held the plain password and set its permissions accordingly. (The JAR paths below are for EAP 6.0; from EAP 6.1 onwards the modules live under modules/system/layers/base/.)

[root@jboss1 jboss-eap-6.0]# pwd
/opt/jboss-eap-6.0
[root@jboss1 jboss-eap-6.0]# java -cp modules/org/picketbox/main/picketbox-4.0.9.Final-redhat-1.jar:modules/org/jboss/logging/main/jboss-logging-3.1.1.GA-redhat-1.jar org.picketbox.datasource.security.SecureIdentityLoginModule <my-password>
Encoded password: <my-encoded-password>




Next we have to tell the Security Domain which login module to use. There are two ways to do it: edit the XML, or use the web console.


Either way you are configuring the same three things:


1.  the login module to use
2.  the database ID
3.  the encoded password


XML configuration


Place it in standalone.xml or domain.xml, under the
 subsystem xmlns="urn:jboss:domain:security:1.2"  tag. The option name the module reads is username (the web console section below uses the same name):



<security-domain name="PostgresEncrypt" cache-type="default">
     <authentication>
          <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
               <module-option name="username" value="postgres"/>
               <module-option name="password" value="<my-encoded-password>"/>
          </login-module>
     </authentication>
</security-domain>


Web Console configuration

At the top left select Profile, then choose Security Domains in the left menu. The list of existing Security Domains appears in the middle; click Add and enter PostgresEncrypt as the Name.


Our new PostgresEncrypt now shows up in the list. Select it and click View,
and the Login Module entry screen appears.
Enter org.picketbox.datasource.security.SecureIdentityLoginModule


In the Details area below, select the Module tab
and add two Module Options:

Name: username Value: the database login ID
Name: password Value: the encoded database password

That completes the Security Domain.

Also check the Security settings of the datasource itself:
User Name and Password are left blank, and Security Domain points at our PostgresEncrypt.



After a restart, Test Connection succeeds.
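The value that the encoding command prints deserves a closer look. The program below is an added example, not code from the original post and not PicketBox's own source; it reproduces what SecureIdentityLoginModule does (Blowfish in ECB mode under the fixed key "jaas is the way" that ships inside PicketBox, with the ciphertext written out as a BigInteger hex string) and adds the matching decode() step. Nothing but a JDK is needed, which is the whole point: whoever can read the password module-option in standalone.xml can turn it back into the clear-text password. The sample password MyDbPassw0rd is a constructed value.

```java
import java.math.BigInteger;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: encode/decode in the format used by
 * org.picketbox.datasource.security.SecureIdentityLoginModule.
 * Shows that the "Encoded password" is reversible with public information.
 */
public class PicketBoxSecureIdentity {

    // Fixed key compiled into PicketBox. It is public knowledge, not a secret.
    private static final byte[] FIXED_KEY = "jaas is the way".getBytes();

    /** Same steps as the login module's encoder: Blowfish (ECB/PKCS5 by default), hex via BigInteger. */
    public static String encode(String secret) throws Exception {
        SecretKeySpec key = new SecretKeySpec(FIXED_KEY, "Blowfish");
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encoding = cipher.doFinal(secret.getBytes());
        // BigInteger treats the bytes as a signed number, so a value
        // starting with '-' is normal and still decodes correctly.
        return new BigInteger(encoding).toString(16);
    }

    /** The inverse: exactly what the login module does each time the pool needs the password. */
    public static String decode(String encoded) throws Exception {
        SecretKeySpec key = new SecretKeySpec(FIXED_KEY, "Blowfish");
        byte[] encoding = new BigInteger(encoded, 16).toByteArray();
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.DECRYPT_MODE, key);
        return new String(cipher.doFinal(encoding));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password; pass your own as the first argument,
        // or pass an existing encoded value with "-d" to decode it.
        if (args.length == 2 && "-d".equals(args[0])) {
            System.out.println("Clear text: " + decode(args[1]));
            return;
        }
        String clear = args.length > 0 ? args[0] : "MyDbPassw0rd";
        String enc = encode(clear);
        System.out.println("Encoded password: " + enc);
        System.out.println("Recovered from the encoded value: " + decode(enc));
    }
}
```

Compile and run it with `javac PicketBoxSecureIdentity.java && java PicketBoxSecureIdentity MyDbPassw0rd`, then try `java PicketBoxSecureIdentity -d <value from your standalone.xml>`; the round trip succeeds on any JDK. The conclusion for operations is that read access to standalone.xml is equivalent to knowing the database password, so this scheme only prevents the password from appearing literally in the file. (One quirk inherited from the BigInteger encoding: a ciphertext whose first byte is 0x00 loses that byte and fails to decode; the original tool has the same limitation, and re-running it with the same password gives the same result, so such a password simply cannot be stored this way.)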


Vault 

Personally I prefer this method. The encryption uses a key held in a keystore, and the password itself is kept in a vault, which is somewhat safer than just encoding a single password. The inconvenience is that the keystore (and the vault files it protects) must be present on every node and server in the Domain, otherwise they cannot decrypt.

First, create a keystore. Two things to note about the command below: 1024-bit RSA, as used here, is below today's minimum, so use -keysize 2048 for anything beyond a lab; and press RETURN at the key-password prompt so that the key password equals the keystore password, because the vault configuration has only one password option (KEYSTORE_PASSWORD) and uses it for both.

[root@jboss1 keystores]# keytool -genkey -alias vault -keyalg RSA -keysize 1024 -keystore postgresVault.keystore
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Boggs
What is the name of your organizational unit?
  [Unknown]:  Monster Inc
What is the name of your organization?
  [Unknown]:  Scary Dept
What is the name of your City or Locality?
  [Unknown]:  Monstropolis
What is the name of your State or Province?
  [Unknown]:  Monstropolis
What is the two-letter country code for this unit?
  [Unknown]:  MM
Is CN=Boggs, OU=Monster Inc, O=Scary Dept, L=Monstropolis, ST=Monstropolis, C=MM correct?
  [no]:  Y

Enter key password for <vault>
	(RETURN if same as keystore password):  
Re-enter new password: 
[root@jboss1 keystores]# ls
postgresVault.keystore




The new keystore appears in that directory, and we can now use it to build the vault.
Go to the bin directory of the JBoss installation and find vault.sh (or vault.bat on Windows).

[root@jboss1 bin]# ./vault.sh 
=========================================================================

  JBoss Vault

  JBOSS_HOME: /opt/jboss-eap-6.0

  JAVA: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/bin/java

  VAULT Classpath: /opt/jboss-eap-6.0/modules/org/picketbox/main/*:/opt/jboss-eap-6.0/modules/org/jboss/logging/main/*:/opt/jboss-eap-6.0/modules/org/jboss/common-core/main/*:/opt/jboss-eap-6.0/modules/org/jboss/as/security/main/*
=========================================================================

**********************************
****  JBoss Vault ********
**********************************
Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit
0   (choose 0 to start building the vault)
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/opt/vaults/        (this is where the vault files go; pick your own location)
Enter Keystore URL:/opt/keystores/postgresVault.keystore  (the keystore we just created)
Enter Keystore password:    (the password of that keystore)
Enter Keystore password again: 
Values match
Enter 8 character salt:monsters  (pick your own; it must be exactly 8 characters)
Enter iteration count as a number (Eg: 44):7 (pick your own)
                
Please make note of the following:
********************************************
Masked Password:MASK-2uUCRDgZSYCfy8PEwjDV4V
salt:monsters
Iteration Count:7
********************************************
                
Enter Keystore Alias:vault
2012/7/6 04:17:31 AM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Initializing Vault
2012/7/6 04:17:31 AM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: Default Security Vault Implementation Initialized and Ready
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
0   (choose 0 to store a password)
Task:  Store a password
Please enter attribute value:         (the database password you want to protect)
Please enter attribute value again: 
Values match
Enter Vault Block:PostgresDB
Enter Attribute Name:password
Attribute Value for (PostgresDB, password) saved
                
Please make note of the following:
********************************************
Vault Block:PostgresDB
Attribute Name:password
Shared Key:ZDJlNTMxNTEtYjBmNi00NmZkLWI4ZDEtNjFiMWVkNmMzYzFmTElORV9CUkVBS3ZhdWx0
Configuration should be done as follows:
VAULT::PostgresDB::password::ZDJlNTMxNTEtYjBmNi00NmZkLWI4ZDEtNjFiMWVkNmMzYzFmTElORV9CUkVBS3ZhdWx0
********************************************
                
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
1
Task: Verify whether a password exists
Enter Vault Block:PostgresDB
Enter Attribute Name:password
A value exists for (PostgresDB, password)
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
2   (choose 2 to exit)



The vault files should now be in the directory you chose. Restrict them, and the keystore, to the user that runs JBoss: together with the options in the configuration file they are everything needed to decrypt the stored password.

[root@jboss1 vaults]# pwd
/opt/vaults
[root@jboss1 vaults]# ls
ENC.dat  Shared.dat
[root@jboss1 vaults]#

To configure the vault, add a tag to standalone.xml or domain.xml, right after </extensions> and before <management>. KEYSTORE_PASSWORD takes the masked value that vault.sh printed. Keep in mind that SALT and ITERATION_COUNT, which sit beside it in the same file, are all the server needs to unmask it at startup; masking only keeps the keystore password from appearing in clear text, it does not protect it from anyone who can read the file.

......
</extensions>
<vault>
     <vault-option name="KEYSTORE_URL" value="/opt/keystores/postgresVault.keystore"/>
     <vault-option name="KEYSTORE_PASSWORD" value="MASK-2uUCRDgZSYCfy8PEwjDV4V"/>
     <vault-option name="KEYSTORE_ALIAS" value="vault"/>
     <vault-option name="SALT" value="monsters"/>
     <vault-option name="ITERATION_COUNT" value="7"/>
     <vault-option name="ENC_FILE_DIR" value="/opt/vaults/"/>
</vault>
<management>

....... 


As an aside, with this method you do not need a separate Security Domain at all.
If all you want is the protected password, set it directly on the datasource: in the password field enter the Config string that vault.sh just printed:

VAULT::PostgresDB::password::ZDJlNTMxNTEtYjBmNi00NmZkLWI4ZDEtNjFiMWVkNmMzYzFmTElORV9CUkVBS3ZhdWx0

(Red Hat's EAP 6 documentation writes this reference as ${VAULT::PostgresDB::password::<shared key>}, with the ${ } wrapper; use that form if the bare one is not resolved on your release.)

Either through the Web Console (under the datasource's Security tab),


or by editing standalone.xml or domain.xml; it then works directly:

<datasource jndi-name="java:jboss/datasource/PostgresDB" pool-name="PostgresDB" enabled="true" >
     <connection-url>jdbc:postgresql://172.16.1.79:5432/postgres</connection-url>
     <driver-class>org.postgresql.Driver</driver-class>
     <driver>postgres</driver>
     <security>
          <user-name>postgres</user-name>
          <password>VAULT::PostgresDB::password::ZDJlNTMxNTEtYjBmNi00NmZkLWI4ZDEtNjFiMWVkNmMzYzFmTElORV9CUkVBS3ZhdWx0</password>
     </security>
     <validation>
          <validate-on-match>false</validate-on-match>
          <background-validation>false</background-validation>
     </validation>
     <statement>
          <share-prepared-statements>false</share-prepared-statements>
     </statement>
</datasource>

If you edited the XML, remember to restart the server!


Go and play with it!



