How do I encrypt the bindCredential password in Wildfly?


Question


I am trying to configure a security domain in Wildfly (8.2.1) for binding to our Active Directory. I need to try to find a way to encrypt the bindCredential password. I am able to encrypt the data source passwords just fine using Picketbox. I could only find out how to do this encryption for JBoss V6.x or before, and the method employed doesn't seem to exist any longer in Wildfly. Has anyone done this and is willing to share how it can be accomplished?

Here is my security domain:

    <security-domain name="ADDomain" cache-type="default">
            <authentication>
                    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                            <module-option name="java.naming.provider.url" value="ldap://ad.mycompany.com:389/"/>
                            <module-option name="bindDN" value="cn=myuserid"/>
                            <module-option name="bindCredential" value="mypassword"/> <!-- I want to encrypt this. -->
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="baseCtxDN" value="dc=mycompany,dc=com"/>
                            <module-option name="baseFilter" value="(uid={0})"/>
                            <module-option name="rolesCtxDN" value="dc=mycompany,dc=com"/>
                            <module-option name="roleFilter" value="(uniqueMember={1})"/>
                            <module-option name="roleAttributeID" value="cn"/>
                            <module-option name="roleNameAttributeID" value="cn"/>
                            <module-option name="roleRecursion" value="0"/>
                            <module-option name="throwValidateError" value="true"/>
                            <module-option name="java.naming.referral" value="follow"/>
                            <module-option name="referralUserAttributeIDToCheck" value="uniqueMember"/>
                    </login-module>
            </authentication>
    </security-domain>

Recommended answer


Use the Security Vault. You can find a chapter about Password Vaults in the JBoss EAP documentation - the configuration should be the same for WildFly.


In general, you need to do the following steps.

  1. Create a JCEKS keystore with a secret key

keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 \
    -storepass vault22 -keypass vault22 \
    -dname "CN=vault, O=ACME, C=CZ" \
    -keystore /path/to/vault.keystore

  2. Create a vault directory, create the vault itself and put your password into it

mkdir /path/to/vault-data-dir
${JBOSS_HOME}/bin/vault.sh -a passa -b LdapLogin \
    -e /path/to/vault-data-dir \
    -i 22 -k /path/to/vault.keystore -p vault22 -s 87654321 -v vault \
    -x mypassword

  3. Configure the vault in WildFly:

${JBOSS_HOME}/bin/jboss-cli.sh \
    -c '/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/path/to/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"),("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/path/to/vault-data-dir/")])'

  4. Use the protected password in the login module

<module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>
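As an added check (written for this page, not code from the question or answer above): a stdlib-only Python audit that walks a WildFly security subsystem and reports every login-module credential option whose value is still a literal instead of a ${VAULT::block::attribute::key} reference, so you can confirm step 4 was applied to every domain. The option-name heuristic and the sample XML are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Syntax of a PicketBox vault reference: ${VAULT::<vault-block>::<attribute>::<shared-key>}
VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^}]+\}$")

def local_name(tag):
    """Strip the {namespace} prefix ElementTree adds to tags read from standalone.xml."""
    return tag.rsplit("}", 1)[-1]

def find_plaintext_secrets(xml_text):
    """Return (security-domain name, login-module code, option name) for every
    secret-looking module-option whose value is not a ${VAULT::...} reference."""
    findings = []
    root = ET.fromstring(xml_text)
    for domain in root.iter():
        if local_name(domain.tag) != "security-domain":
            continue
        for module in domain.iter():
            if local_name(module.tag) != "login-module":
                continue
            for opt in module:
                name = opt.get("name", "")
                # Heuristic (assumption): option names ending in password/credential hold secrets.
                if local_name(opt.tag) != "module-option" or not name.lower().endswith(("password", "credential")):
                    continue
                if not VAULT_REF.match(opt.get("value", "")):
                    findings.append((domain.get("name"), module.get("code"), name))
    return findings

# Constructed sample: one domain still holding the literal bind password, one already vaulted.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domain name="ADDomain" cache-type="default">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="bindDN" value="cn=myuserid"/>
          <module-option name="bindCredential" value="mypassword"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="VaultedDomain" cache-type="default">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>
        </login-module>
      </authentication>
    </security-domain>
</subsystem>"""
```

Run find_plaintext_secrets() over the contents of a real standalone.xml; on the sample it reports only ADDomain's bindCredential, while bindDN and the vaulted domain are left alone.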
