How do I encrypt the bindCredential password in Wildfly?


Problem description


I am trying to configure a security domain in Wildfly (8.2.1) for binding to our Active Directory. I need to try to find a way to encrypt the bindCredential password. I am able to encrypt the data source passwords just fine using Picketbox. I could only find out how to do this encryption for JBoss v6.x or before, and the method employed doesn't seem to exist any longer in Wildfly. Has anyone done this and is willing to share how it can be accomplished?

Here is my security domain:

    <security-domain name="ADDomain" cache-type="default">
            <authentication>
                    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                            <module-option name="java.naming.provider.url" value="ldap://ad.mycompany.com:389/"/>
                            <module-option name="bindDN" value="cn=myuserid"/>
                            <module-option name="bindCredential" value="mypassword"/> <!-- I want to encrypt this. -->
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="baseCtxDN" value="dc=mycompany,dc=com"/>
                            <module-option name="baseFilter" value="(uid={0})"/>
                            <module-option name="rolesCtxDN" value="dc=mycompany,dc=com"/>
                            <module-option name="roleFilter" value="(uniqueMember={1})"/>
                            <module-option name="roleAttributeID" value="cn"/>
                            <module-option name="roleNameAttributeID" value="cn"/>
                            <module-option name="roleRecursion" value="0"/>
                            <module-option name="throwValidateError" value="true"/>
                            <module-option name="java.naming.referral" value="follow"/>
                            <module-option name="referralUserAttributeIDToCheck" value="uniqueMember"/>
                    </login-module>
            </authentication>
    </security-domain>

Solution

Use the Security Vault. You can find a chapter about Password Vaults in the JBoss EAP documentation - the configuration should be the same for WildFly.

In general, you need to do the following steps.

  1. Create a JCEKS keystore with a secret key

keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 \
    -storepass vault22 -keypass vault22 \
    -dname "CN=vault, O=ACME, C=CZ" \
    -keystore /path/to/vault.keystore

  2. Create a vault directory, create the vault itself and put your password into it

mkdir /path/to/vault-data-dir
${JBOSS_HOME}/bin/vault.sh -a passa -b LdapLogin \
    -e /path/to/vault-data-dir \
    -i 22 -k /path/to/vault.keystore -p vault22 -s 87654321 -v vault \
    -x mypassword

  3. Configure the vault in WildFly:

${JBOSS_HOME}/bin/jboss-cli.sh \
    -c '/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/path/to/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"),("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/path/to/vault-data-dir/")])'

  4. Use the vaulted password in your login module

<module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>
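After vaulting a credential, the practical check is whether any secret-bearing setting in the server configuration is still a clear-text literal rather than a `${VAULT::block::attribute::key}` expression of the form used in step 4. The following Python script is an added example, not code from the question or the answer above: it walks a standalone.xml-style document, handles the namespaced subsystem elements WildFly actually emits, and reports login-module options (such as the `bindCredential` from the question) and datasource `<password>` elements that are not vault expressions. The embedded configuration is constructed for this example, and the set of option names treated as secrets is an assumption, not an exhaustive list.

```python
"""Audit a WildFly/JBoss standalone.xml fragment for credentials that are still
stored in clear text instead of as ${VAULT::block::attribute::key} expressions.

Added example, not code from the question or answer. SAMPLE_CONFIG is
constructed; SENSITIVE_OPTIONS is an assumed, non-exhaustive list.
"""
import re
import xml.etree.ElementTree as ET

# PicketBox vault expression: ${VAULT::<vault_block>::<attribute_name>::<shared_key>}
VAULT_EXPR = re.compile(
    r"^\$\{VAULT::(?P<block>[^:}]+)::(?P<attr>[^:}]+)::(?P<key>[^}]+)\}$"
)

# login-module option names assumed to carry secrets (assumption: extend for your modules)
SENSITIVE_OPTIONS = {"bindCredential", "password", "keyStorePassword", "trustStorePassword"}


def local_name(tag):
    """Strip the XML namespace from an element tag ('{urn:...}foo' -> 'foo')."""
    return tag.rsplit("}", 1)[-1]


def parse_vault_expression(value):
    """Return (vault_block, attribute_name, shared_key) for a vault expression, else None."""
    m = VAULT_EXPR.match((value or "").strip())
    if not m:
        return None
    return m.group("block"), m.group("attr"), m.group("key")


def find_plaintext_secrets(xml_text):
    """Return [(context, setting), ...] for every secret-bearing setting that is not vaulted.

    context names the security-domain or datasource; setting is the option/element name.
    Elements are matched by local name so the default subsystem namespaces do not matter.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name == "security-domain":
            domain = elem.get("name", "?")
            for opt in elem.iter():
                if local_name(opt.tag) != "module-option":
                    continue
                if opt.get("name") in SENSITIVE_OPTIONS and parse_vault_expression(opt.get("value")) is None:
                    findings.append((f"security-domain[{domain}]", opt.get("name")))
        elif name in ("datasource", "xa-datasource"):
            ds = elem.get("jndi-name") or elem.get("pool-name") or "?"
            for child in elem.iter():
                if local_name(child.tag) == "password" and parse_vault_expression(child.text) is None:
                    findings.append((f"{name}[{ds}]", "password"))
    return findings


# Constructed sample: one vaulted and one clear-text credential of each kind.
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:2.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="ADDomain" cache-type="default">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="java.naming.provider.url" value="ldap://ad.mycompany.com:389/"/>
              <module-option name="bindDN" value="cn=myuserid"/>
              <module-option name="bindCredential" value="mypassword"/>
            </login-module>
          </authentication>
        </security-domain>
        <security-domain name="ADDomainVaulted" cache-type="default">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="bindDN" value="cn=myuserid"/>
              <module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>
            </login-module>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:datasources:2.0">
      <datasources>
        <datasource jndi-name="java:jboss/datasources/AppDS" pool-name="AppDS">
          <security><user-name>app</user-name><password>s3cret</password></security>
        </datasource>
        <datasource jndi-name="java:jboss/datasources/VaultedDS" pool-name="VaultedDS">
          <security><user-name>app</user-name><password>${VAULT::DS::appPassword::1}</password></security>
        </datasource>
      </datasources>
    </subsystem>
  </profile>
</server>
"""

if __name__ == "__main__":
    for context, setting in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"clear-text secret: {context} {setting}")
```

Run it against a real `standalone.xml` by replacing `SAMPLE_CONFIG` with the file contents; anything it reports is a value that still sits in the configuration file in the clear and should be moved into the vault with `vault.sh` as in step 2.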
