I am trying to configure a security domain in Wildfly (8.2.1) for binding to our Active Directory. I need to find a way to encrypt the bindCredential password. I am able to encrypt the data source passwords just fine using Picketbox. I could only find out how to do this encryption for JBoss V6.x or before, and the method employed doesn't seem to exist any longer in Wildfly. Has anyone done this and is willing to share how it can be accomplished?
Here is my security domain:
<security-domain name="ADDomain" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url" value="ldap://ad.mycompany.com:389/"/>
            <module-option name="bindDN" value="cn=myuserid"/>
            <module-option name="bindCredential" value="mypassword"/> <!-- I want to encrypt this. -->
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="baseCtxDN" value="dc=mycompany,dc=com"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="dc=mycompany,dc=com"/>
            <module-option name="roleFilter" value="(uniqueMember={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="0"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="java.naming.referral" value="follow"/>
            <module-option name="referralUserAttributeIDToCheck" value="uniqueMember"/>
        </login-module>
    </authentication>
</security-domain>
Use the Security Vault. You can find a chapter about Password Vaults in the JBoss EAP documentation - the configuration should be the same for WildFly.
In general, you need to do the following steps.
# 1. Create a JCEKS keystore holding the AES secret key the vault encrypts with.
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 \
    -storepass vault22 -keypass vault22 \
    -dname "CN=vault, O=ACME, C=CZ" \
    -keystore /path/to/vault.keystore
# 2. Directory where the vault keeps its encrypted data (VAULT.dat).
mkdir /path/to/vault-data-dir
# 3. Store the LDAP bind password as attribute "passa" in vault block "LdapLogin".
#    -i iteration count, -s 8-character salt, -p keystore password, -v key alias,
#    -x the secret to store. vault.sh prints the masked keystore password
#    (MASK-...) and the vault-options to put into the server configuration.
${JBOSS_HOME}/bin/vault.sh -a passa -b LdapLogin \
    -e /path/to/vault-data-dir \
    -i 22 -k /path/to/vault.keystore -p vault22 -s 87654321 -v vault \
    -x mypassword
# 4. Register the vault with the running server. Replace MASK-Ci5JS1kjxPX with the
#    masked keystore password vault.sh printed; salt and iteration count must match step 3.
${JBOSS_HOME}/bin/jboss-cli.sh \
    -c '/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/path/to/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"),("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/path/to/vault-data-dir/")])'
<!-- 5. In the security domain, replace the plain password with the vault reference ${VAULT::block::attribute::n}. -->
<module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>
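After moving the bind password into the vault, it is worth checking that no plaintext secrets remain in standalone.xml or domain.xml, since the datasource passwords mentioned in the question live in a different subsystem and are easy to miss. The following script is an added example, not code from the original post or from WildFly: it parses the configuration with the standard library, walks every security-domain module-option whose name is in an assumed list of secret-bearing options (bindCredential, password, keyStorePassword, trustStorePassword) and every datasource security/password element, and reports any value that is not a ${VAULT::block::attribute::n} reference. The embedded SAMPLE_CONFIG is constructed for the demonstration; run the script with a path to a real configuration file to scan it instead.

```python
"""Report WildFly/JBoss EAP configuration secrets that are not vault references.

Added example, not code from the original post or from WildFly. The
SAMPLE_CONFIG below is constructed for the demonstration.
"""
import re
import sys
import xml.etree.ElementTree as ET

# A well-formed vault reference looks like ${VAULT::<block>::<attribute>::<n>}.
VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^:}]+\}$")

# PicketBox module options that carry a secret (assumed list; extend as needed).
SECRET_OPTIONS = {"bindCredential", "password", "keyStorePassword", "trustStorePassword"}


def _local(tag):
    """Strip the XML namespace: '{urn:jboss:domain:security:1.2}login-module' -> 'login-module'."""
    return tag.rsplit("}", 1)[-1]


def _owner(elem, parents, owner_tags):
    """Walk up from elem to the nearest enclosing element whose local name is in owner_tags."""
    while elem is not None:
        if _local(elem.tag) in owner_tags:
            return elem
        elem = parents.get(elem)
    return None


def find_plaintext_secrets(xml_text):
    """Return (owner, setting, value) triples for secrets stored in the clear.

    Two places are checked: <module-option> values inside a <security-domain>
    and <password> inside a datasource's <security> block. A value passes only
    if it is a ${VAULT::...} reference; anything else, including an empty
    value, is reported so that a missing credential is not mistaken for a
    vaulted one. Results are in document order.
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "module-option" and elem.get("name") in SECRET_OPTIONS:
            domain = _owner(elem, parents, {"security-domain"})
            owner = domain.get("name") if domain is not None else "?"
            value = elem.get("value", "")
            if not VAULT_REF.match(value):
                findings.append((owner, elem.get("name"), value))
        elif tag == "password":
            parent = parents.get(elem)
            if parent is None or _local(parent.tag) != "security":
                continue
            ds = _owner(elem, parents, {"datasource", "xa-datasource"})
            owner = ds.get("pool-name") if ds is not None else "?"
            value = (elem.text or "").strip()
            if not VAULT_REF.match(value):
                findings.append((owner, "password", value))
    return findings


# Constructed sample: one datasource and one LDAP domain already vaulted,
# one datasource and one LDAP domain still holding plaintext passwords.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<server xmlns="urn:jboss:domain:2.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:2.0">
      <datasources>
        <datasource jndi-name="java:jboss/datasources/AppDS" pool-name="AppDS">
          <security>
            <user-name>app</user-name>
            <password>${VAULT::ds::AppDS.password::1}</password>
          </security>
        </datasource>
        <datasource jndi-name="java:jboss/datasources/ReportDS" pool-name="ReportDS">
          <security>
            <user-name>report</user-name>
            <password>reports123</password>
          </security>
        </datasource>
      </datasources>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="ADDomain" cache-type="default">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="bindDN" value="cn=myuserid"/>
              <module-option name="bindCredential" value="mypassword"/>
            </login-module>
          </authentication>
        </security-domain>
        <security-domain name="ADDomainVaulted" cache-type="default">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="bindDN" value="cn=myuserid"/>
              <module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>
            </login-module>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for owner, setting, value in find_plaintext_secrets(text):
        print(f"{owner}: {setting} is not a vault reference (value={value!r})")
```

On the sample it reports ReportDS and ADDomain and stays silent on the two vaulted entries. Keep in mind what the vault does and does not buy you: the password is no longer readable in the configuration file, but anyone who can read the keystore, the vault data directory and the vault-options (the MASK-... keystore password is derived with a fixed key inside PicketBox, so it is reversible) can recover it, so restrict file permissions on those paths to the account WildFly runs as.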