Store datasource / database password in Elytron credential-store in JBoss EAP 8 / 7.1+
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 8.x
  - 7.1+
- Java Database Connectivity (JDBC) Datasources
- Clear text passwords
- Elytron Security
- Elytron Credential Stores
Issue
- Secure datasource password in Elytron credential-store
- The below error is seen during connection test:

    15:46:32,801 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-3) Error during the deployment of java:jboss/datasources/ExampleDS: java.lang.IllegalStateException: WFLYJCA0110: CredentialSourceSupplier is invalid for DSSecurity
Resolution
- Configure a credential-store in the elytron subsystem to avoid storing the password in plain text, as described in the article on configuring a credential-store in the Elytron subsystem.
- In Managed Domain Mode, the alias to be used for the data-source credential-reference must be created for each host rather than just once:

    [domain@localhost:9990 /] /host=master/server=server-one/subsystem=elytron/credential-store=cs-store:add-alias(alias=trustore,secret-value=sa)
    {
        "outcome" => "success",
        "result" => undefined
    }

- For Standalone Mode, the below command can be used:

    /subsystem=elytron/credential-store=cs-store:add-alias(alias=trustore,secret-value=sa)
    {
        "outcome" => "success",
        "result" => undefined
    }

- If you don't, you'll see an error like:

    15:46:32,801 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-3) Error during the deployment of java:jboss/datasources/ExampleDS: java.lang.IllegalStateException: WFLYJCA0110: CredentialSourceSupplier is invalid for DSSecurity

- The credential reference of the datasource needs to be stored via the JBoss CLI. Removing the clear-text password attribute and writing the credential-reference are done in one batch:

    [standalone@embedded /] batch
    [standalone@embedded / #] /subsystem=datasources/data-source=testDS:undefine-attribute(name=password)
    [standalone@embedded / #] /subsystem=datasources/data-source=testDS:write-attribute(name=credential-reference, value={store=cs-store, alias=ds-password})
    [standalone@embedded / #] run-batch

- For Managed Domain Mode, prefix the resource addresses with /profile=PROFILE, substituting PROFILE with the profile being used, such as "ha" or "default".
- The resulting XML is:

    <datasource jndi-name="java:jboss/testDS" pool-name="testDS">
        <connection-url>jdbc:postgresql://10.10.10.10:5432/db</connection-url>
        <driver>postgres</driver>
        <security>
            <user-name>jboss</user-name>
            <credential-reference store="newCS" alias="ds-password"/>
        </security>
    </datasource>
Diagnostic Steps
- Use the below CLI command to ensure the alias used in the credential-reference attribute of the data-source is configured in the credential store on each server:

    [domain@localhost:9990 /] /profile=default/subsystem=elytron/credential-store=keystore:read-aliases()
    {
        "outcome" => "success",
        "result" => undefined,
        "server-groups" => {"main-server-group" => {"host" => {"master" => {"server-one" => {"response" => {
            "outcome" => "success",
            "result" => ["trustore"]
        }}}}}}
    }

- List the aliases with the elytron-tool as well, for example:

    /opt/EAP-7.5.0/bin/elytron-tool.sh credential-store --location "/opt/EAP-7.5.0/standalone/configuration/my_store.jceks" --aliases
    Credential store password:
    Confirm credential store password:
    Credential store contains following aliases: keystore-pw jboss new_cred_store
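As an added check that is not part of the original solution (own example code, not Red Hat's): the script below audits a datasources subsystem fragment for data-sources that still carry a clear-text <password> and for credential-reference aliases that are absent from the credential store, which is the mismatch behind WFLYJCA0110. The XML fragment and the elytron-tool output are constructed samples, and the alias parser assumes the "Credential store contains following aliases:" line format shown above.

```python
import xml.etree.ElementTree as ET

# Constructed <datasources> fragment (not a real standalone.xml): ExampleDS still has a
# clear-text <password>, testDS is fixed, otherDS references an alias never added to the store.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:datasources:7.0"><datasources>
  <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
    <security><user-name>sa</user-name><password>sa</password></security></datasource>
  <datasource jndi-name="java:jboss/testDS" pool-name="testDS">
    <security><user-name>jboss</user-name>
      <credential-reference store="cs-store" alias="ds-password"/></security></datasource>
  <datasource jndi-name="java:jboss/otherDS" pool-name="otherDS">
    <security><user-name>jboss</user-name>
      <credential-reference store="cs-store" alias="missing-alias"/></security></datasource>
</datasources></subsystem>"""

# Constructed elytron-tool output in the shape shown under Diagnostic Steps.
SAMPLE_TOOL_OUTPUT = """Credential store password:
Confirm credential store password:
Credential store contains following aliases: keystore-pw ds-password new_cred_store
"""

def _local(el):  # tag name without the urn:jboss:domain:* namespace
    return el.tag.rsplit("}", 1)[-1]

def _child(el, name):
    return next((c for c in el if _local(c) == name), None)

def parse_elytron_tool_aliases(output):
    """Alias set from 'elytron-tool.sh credential-store --aliases' output."""
    marker = "Credential store contains following aliases:"
    for line in output.splitlines():
        if line.startswith(marker):
            return set(line[len(marker):].split())
    return set()

def audit_datasources(xml_text, store_aliases):
    """Return (pool-name, finding) pairs; store_aliases maps store name -> set of aliases."""
    findings = []
    for ds in ET.fromstring(xml_text).iter():
        if _local(ds) not in ("datasource", "xa-datasource"):
            continue
        name, sec = ds.get("pool-name"), _child(ds, "security")
        if sec is None:
            continue
        if _child(sec, "password") is not None:
            findings.append((name, "clear-text <password> element present"))
        ref = _child(sec, "credential-reference")
        if ref is not None and ref.get("alias") not in store_aliases.get(ref.get("store"), set()):
            findings.append((name, f"alias '{ref.get('alias')}' not in credential store '{ref.get('store')}'"))
    return findings
```

Feed it the alias list from read-aliases() or from elytron-tool for each store, and run it against every host in a managed domain, since the aliases must exist on each one.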
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.