How do I configure Elytron credential-store in JBoss EAP for OpenShift?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 8
  - 7.4
- Red Hat OpenShift Container Platform
  - 4.x
Issue
- How do I configure Elytron credential-store in JBoss EAP for OpenShift?
- If we store the credentials of the data source in a Secret and reference it in the EAP Pod via an environment variable, then users with oc rsh access to the EAP Pod can see the DB password in plain text. Is there any way to set up a data source without including a clear text DB password in the EAP Pod?
Resolution
By creating a keystore for the Elytron credential-store with the elytron-tool.sh command outside the OCP environment in advance, and mounting that keystore into the Pod as a Secret, you can use the Elytron credential-store in EAP for OpenShift. The DB password then exists only inside the keystore file; no environment variable of the Pod carries it in clear text. Here are the steps:
- Create a keystore for the Elytron credential-store with elytron-tool.sh outside the OCP environment. See the related document about elytron-tool.sh: 4.1.5. Credential store operations using the WildFly Elytron tool
$ jboss-eap-7.4/bin/elytron-tool.sh credential-store --create --location=jboss-eap-7.4/standalone/configuration/mycredstore.keystore
Credential store password: storepass
Confirm credential store password: storepass
Credential Store has been successfully created
- Add a new credential postgres as the DB password, with the alias database-pw, to the keystore. Passing --secret and --password on the command line, as below, leaves both values in the shell history and visible in the process list while the command runs; if you omit them, elytron-tool.sh prompts for each value instead:
$ jboss-eap-7.4/bin/elytron-tool.sh credential-store --add=database-pw --secret=postgres --location=jboss-eap-7.4/standalone/configuration/mycredstore.keystore --password=storepass
Alias "database-pw" has been successfully stored
- Generate the masked form of the store password storepass. The salt must be exactly 8 characters. Note that masking is obfuscation, not encryption: anyone who can read the masked value can recover the store password, so it only keeps the password out of casual view of the configuration file:
$ jboss-eap-7.4/bin/elytron-tool.sh mask --salt 12345678 --iteration 10000 --secret storepass
MASK-0gpxP/t3eC8GTmfX47S.9B;12345678;10000
- Register the keystore just created as a Secret:
$ oc create secret generic mycredstore --from-file jboss-eap-7.4/standalone/configuration/mycredstore.keystore
secret/mycredstore created
- Mount the keystore file into the Pod at /opt/eap/standalone/configuration/mycredstore.keystore. The --sub-path option mounts only that one file, so the rest of /opt/eap/standalone/configuration (including standalone-openshift.xml) is not hidden by the volume. If the workload is a Deployment rather than a DeploymentConfig, use deployment/<deployment-name> in place of dc/<deployment-config-name>:
$ oc set volume dc/<deployment-config-name> --add --name=mycredstore-volume --type=secret --secret-name=mycredstore --mount-path=/opt/eap/standalone/configuration/mycredstore.keystore --sub-path=mycredstore.keystore
deploymentconfig.apps.openshift.io/<deployment-config-name> volume updated
- Configure standalone-openshift.xml as in the following example so that the data source takes its password from the credential-store:
$ diff -u standalone-openshift.xml.original standalone-openshift.xml
--- standalone-openshift.xml.original 2021-12-07 04:34:12.000000000 +0900
+++ standalone-openshift.xml 2022-01-17 17:38:26.835364219 +0900
@@ -140,10 +140,32 @@
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
<datasources>
+ <datasource jndi-name="java:jboss/datasources/PostgresDS" pool-name="PostgresDS">
+ <connection-url>jdbc:postgresql://***.***.***.***:5432/test</connection-url>
+ <driver>postgresql</driver>
+ <pool>
+ <min-pool-size>10</min-pool-size>
+ <initial-pool-size>10</initial-pool-size>
+ <max-pool-size>10</max-pool-size>
+ <prefill>true</prefill>
+ </pool>
+ <security>
+ <user-name>postgres</user-name>
+ <credential-reference store="my_store" alias="database-pw"/>
+ </security>
+ <validation>
+ <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker"/>
+ <validate-on-match>true</validate-on-match>
+ <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter"/>
+ </validation>
+ </datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
+ <driver name="postgresql" module="org.postgresql">
+ <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
+ </driver>
</drivers>
</datasources>
</subsystem>
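Review bot: the driver element added at the end of the hunk references module org.postgresql, but nothing on this page provisions that module in the image; current EAP for OpenShift images do not ship JDBC drivers by default, so without an image build step that adds the PostgreSQL driver the datasource fails to deploy and the credential-reference is never exercised. Two smaller points in the same hunk: the credential-reference store="my_store" must match the credential-store name defined in the elytron subsystem exactly, and the ***.***.***.*** host in the connection-url is a placeholder the reader has to replace.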
@@ -344,6 +366,11 @@
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
+ <credential-stores>
+ <credential-store name="my_store" relative-to="jboss.server.config.dir" path="mycredstore.keystore" create="false">
+ <credential-reference clear-text="MASK-0gpxP/t3eC8GTmfX47S.9B;12345678;10000"/>
+ </credential-store>
+ </credential-stores>
</subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
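Review bot: the credential-store element at the top of the hunk should also set modifiable="false", because the keystore is mounted from a Secret and is read-only inside the Pod, so any attempt to add or update an alias at runtime can only fail; create="false" is the right choice, since EAP must fail rather than silently create an empty store if the mount is missing. Note that the clear-text="MASK-..." value protects the store password by obfuscation only: anyone who can read standalone-openshift.xml can recover it, so file permissions on the configuration, not the mask, are what protect the store.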
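The following is an added example, not code from Red Hat or from the EAP images, showing how to audit a workload for the exposure raised in the Issue (a DB password reaching the Pod as an environment variable, readable by anyone with oc rsh access) and to confirm the Secret mount from the Resolution is in place. It reads the JSON that oc get dc/<name> -o json (or oc get deployment/<name> -o json) prints; the two DeploymentConfig objects in the block are constructed for the demo, and the names mycredstore, mycredstore-volume, mycredstore.keystore, DB_PASSWORD and the container name eap are assumptions.

```python
"""Audit an OpenShift workload for DB passwords exposed through env vars and
check that the Elytron credential-store keystore is mounted from a Secret.

Added example; not Red Hat's code. Works on the JSON printed by
`oc get dc/<name> -o json` or `oc get deployment/<name> -o json`."""
import json
import re

# Env var names that look like they carry a credential when set literally.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)

# Mount path used by the Resolution above (assumed container name: eap).
MOUNT = "/opt/eap/standalone/configuration/mycredstore.keystore"


def pod_spec(obj):
    """Return the pod spec of a Pod, Deployment or DeploymentConfig object."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def exposed_env(obj):
    """List (container, env name, source) for every env var that `oc rsh`
    followed by `env` would show in clear text: any value pulled from a
    Secret key, and literal values whose name looks like a credential."""
    findings = []
    for c in pod_spec(obj).get("containers", []):
        for e in c.get("env", []):
            if "secretKeyRef" in e.get("valueFrom", {}):
                findings.append((c["name"], e["name"], "secretKeyRef"))
            elif "value" in e and SENSITIVE_NAME.search(e["name"]):
                findings.append((c["name"], e["name"], "literal"))
    return findings


def credstore_mounted(obj, secret_name, mount_path, key):
    """True when key `key` of Secret `secret_name` is mounted as a single
    file at `mount_path` via subPath, which is the layout the credential-store
    element (path relative to jboss.server.config.dir) expects."""
    spec = pod_spec(obj)
    secret_vols = {v["name"]: v["secret"].get("secretName")
                   for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if (secret_vols.get(m["name"]) == secret_name
                    and m.get("mountPath") == mount_path
                    and m.get("subPath") == key):
                return True
    return False


def volume_patch(volume, secret_name, mount_path, key, container):
    """Strategic-merge patch equivalent to the `oc set volume ... --add`
    command above, for teams that keep manifests in Git rather than patching
    live objects (containers/volumes merge by name, volumeMounts by mountPath)."""
    return {"spec": {"template": {"spec": {
        "volumes": [{"name": volume, "secret": {"secretName": secret_name}}],
        "containers": [{"name": container, "volumeMounts": [
            {"name": volume, "mountPath": mount_path, "subPath": key}]}]}}}}


def _dc(containers, volumes):
    return {"kind": "DeploymentConfig", "spec": {"template": {"spec": {
        "containers": containers, "volumes": volumes}}}}


# Constructed sample: the pattern from the Issue, password injected as an env var.
BEFORE = _dc([{"name": "eap", "env": [
    {"name": "DB_USERNAME", "value": "postgres"},
    {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {
        "name": "db-creds", "key": "password"}}}]}], [])

# Constructed sample: the Resolution, keystore mounted as one file from a Secret.
AFTER = _dc([{"name": "eap",
              "env": [{"name": "DB_USERNAME", "value": "postgres"}],
              "volumeMounts": [{"name": "mycredstore-volume", "mountPath": MOUNT,
                                "subPath": "mycredstore.keystore"}]}],
            [{"name": "mycredstore-volume", "secret": {"secretName": "mycredstore"}}])

if __name__ == "__main__":
    for label, obj in (("before", BEFORE), ("after", AFTER)):
        print(label, "exposed:", exposed_env(obj), "credstore mounted:",
              credstore_mounted(obj, "mycredstore", MOUNT, "mycredstore.keystore"))
    print(json.dumps(volume_patch("mycredstore-volume", "mycredstore", MOUNT,
                                  "mycredstore.keystore", "eap")))
```

Run it against a live object by replacing the constructed samples with json.load of the oc output; a non-empty exposed_env result means the password is still visible to anyone who can oc rsh into the Pod, even after the credential-store is configured, until that env var is removed.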
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.