How to configure credential-store in Elytron subsystem to store secret in JBoss EAP?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.1+
Issue
- How to configure a credential-store in EAP 7.1 or later?
- How to store a secure attribute in a credential-store?
Resolution
Working with an Elytron credential-store may first require the $JBOSS_HOME/bin/elytron-tool.sh utility.
See the Securely Storing Credentials documentation for an overview of its usage.
Link to JBoss EAP Configuration
With a credential-store in hand, it can be linked into the JBoss EAP configuration:
/subsystem=elytron/credential-store=cs-store:add(create=true,credential-reference={clear-text=secret},location="path/to/cs-store.keystore",relative-to=jboss.home.dir)
{"outcome" => "success"}
Add an alias to the credential-store
A secret can be added to the credential-store under an alias, and that alias can then be referenced through the credential-reference attribute of the resource that needs the secret.
/subsystem=elytron/credential-store=cs-store:add-alias(alias=truststore,secret-value=jboss@123)
Convert Vault to Credential Store
$JBOSS_HOME/bin/elytron-tool.sh vault --enc-dir /path/to/jboss-eap-7.2/vault --keystore vault.keystore --keystore-password vault22 --iteration 120 --salt 1234ancd --alias vault --summary --debug
Usage with Messaging Subsystem
Refer to the article How to use Elytron Credential store in messaging subsystem ? for using a credential-store with the messaging subsystem.
Mask credential-store password
The password of the credential store can be masked so that it is not stored in plain text, by configuring it as shown below. Other options for avoiding a plain-text password are described in the Elytron documentation.
For example:
$ EAP_HOME/bin/elytron-tool.sh mask --salt 12345678 --iteration 123 --secret supersecretstorepassword
/subsystem=elytron/credential-store=cs-store:write-attribute(name=credential-reference.clear-text,value="MASK-27mbUrdkD3aIFOupGodvVC;12345678;44")
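The following script is an added example, not part of the Red Hat article, that ties the steps above together for a standalone server: it validates the MASK-<encoded>;<salt>;<iteration> value printed by elytron-tool.sh (the salt and iteration count are embedded in it, which is how the server reverses the masking at boot), creates the store with that masked password, adds an alias, and has a key-store resource consume the alias through credential-reference={store=...,alias=...} instead of a clear-text password. EAP_HOME, cs-store, httpsKS and server.keystore are assumed placeholder names, and it is assumed that elytron-tool.sh prints the MASK value on its last output line.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Generates (and optionally applies) the
# jboss-cli commands for a credential store whose own password is masked, then has a
# key-store resource consume an alias instead of a clear-text password.
# Assumptions: standalone mode, EAP_HOME set, server running; cs-store, httpsKS and
# server.keystore are placeholder names; elytron-tool.sh prints the MASK value last.
set -eu

# Sanity-check a value of the form MASK-<encoded>;<salt>;<iteration>: the salt must be
# exactly 8 characters and the iteration count a positive integer, or the server will
# be unable to unmask the store password at boot.
check_masked() {
  old_ifs=$IFS; IFS=';'; set -- $1; IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  case "$1" in MASK-?*) ;; *) return 1 ;; esac
  [ ${#2} -eq 8 ] || return 1
  case "$3" in ''|*[!0-9]*) return 1 ;; esac
  [ "$3" -ge 1 ]
}

# Emit the CLI commands: create the store (masked password), add the alias, reference
# the alias from a key-store, then list the aliases to confirm the entry exists.
cli_script() {
  masked=$1; alias_name=$2; secret=$3
  cat <<EOF
/subsystem=elytron/credential-store=cs-store:add(create=true,relative-to=jboss.server.config.dir,location=cs-store.keystore,credential-reference={clear-text="$masked"})
/subsystem=elytron/credential-store=cs-store:add-alias(alias=$alias_name,secret-value="$secret")
/subsystem=elytron/key-store=httpsKS:add(path=server.keystore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={store=cs-store,alias=$alias_name})
/subsystem=elytron/credential-store=cs-store:read-aliases
EOF
}

# Mask the store password with elytron-tool.sh and feed the generated commands to jboss-cli.
apply() {
  masked=$("$EAP_HOME/bin/elytron-tool.sh" mask --salt 12345678 --iteration 123 --secret "$1" | tail -n 1)
  check_masked "$masked"
  cli_script "$masked" "$2" "$3" | "$EAP_HOME/bin/jboss-cli.sh" --connect
}

# Usage: EAP_HOME=/opt/jboss-eap ./cs-setup.sh <store-password> <alias> <keystore-password>
if [ $# -eq 3 ]; then apply "$1" "$2" "$3"; fi
```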
In domain mode, the credential-store must be configured in the Elytron subsystem under a specific profile, and the secret is then stored by addressing the store through a specific server:
# Configure the credential-store
/profile=default/subsystem=elytron/credential-store=cs-store:add(create=true,relative-to=jboss.domain.config.dir,location=cs-store.keystore,credential-reference={clear-text=MASK-8VzWsSNwBaR676g8ujiIDdFKwSjOBHCHgnKf17nun3v;12345678;123})
# Make an entry of the secret into credential-store
/host=master/server=server-one/subsystem=elytron/credential-store=cs-store:add-alias(alias=keystore,secret-value=password)
Note: It is not necessary to create the keystore explicitly before configuring the credential-store.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.