Reputation: 21
wildfly: How to use encrypted password for a xa-datasource?
I have a wildfly 8.2.0.Final running. I use two oracle datasources, one <datasource> and one <xa-datasource>. I want to have my DB passwords encrypted and managed to do that for the datasource using a security-domain but not for the xa-datasource. I haven't found documentation or other postings with a solution for this problem.
Here is what I've done:
<datasources>
<datasource jta="false" jndi-name="java:/myproject/jdbc/datasources/jdbc" pool-name="my_JDBC_DS" enabled="true" use-ccm="false">
<connection-url>jdbc:oracle:thin:@localhost:1521:DB</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<driver>oracle</driver>
<pool>
<min-pool-size>1</min-pool-size>
<max-pool-size>50</max-pool-size>
</pool>
<security>
<security-domain>databaseSecure</security-domain>
</security>
<validation>
<check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
<validate-on-match>true</validate-on-match>
<background-validation>false</background-validation>
</validation>
</datasource>
<xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx" pool-name="MYTXDS" enabled="true" use-ccm="false">
<xa-datasource-property name="URL">
jdbc:oracle:thin:@localhost:1521:DB
</xa-datasource-property>
<xa-datasource-property name="User">
scott
</xa-datasource-property>
<xa-datasource-property name="Password">
tiger
</xa-datasource-property>
<driver>oracle</driver>
<security>
<user-name>scott</user-name>
<password>tiger</password>
</security>
<xa-pool>
<min-pool-size>1</min-pool-size>
<max-pool-size>50</max-pool-size>
<wrap-xa-resource>false</wrap-xa-resource>
</xa-pool>
<validation>
<check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
<validate-on-match>true</validate-on-match>
<background-validation>false</background-validation>
</validation>
<statement>
<prepared-statement-cache-size>32</prepared-statement-cache-size>
<share-prepared-statements>true</share-prepared-statements>
</statement>
</xa-datasource>
<drivers>
<driver name="oracle" module="oracle">
<xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
...
<security-domain name="databaseSecure" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="scott"/>
<module-option name="password" value="-170dd0fbd8c13748"/>
</login-module>
</authentication>
</security-domain>
I've tried removing the xa-datasource-property entries for user and password and referring to the security-domain both nested in the security-tag and on the same level as the properties. Both attempts did not work, with the latter the wildfly exits early because of problems parsing the standalone.xml, with the latter the deployment fails.
To show the most promising attempt, this is how I tried to refer to the security-domain:
<xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx" pool-name="MYTXDS" enabled="true" use-ccm="false">
<xa-datasource-property name="URL">
jdbc:oracle:thin:@localhost:1521:DB
</xa-datasource-property>
<driver>oracle</driver>
<security>
<security-domain>databaseSecure</security-domain>
</security>
<xa-pool>
<min-pool-size>1</min-pool-size>
<max-pool-size>50</max-pool-size>
<wrap-xa-resource>false</wrap-xa-resource>
</xa-pool>
<validation>
<check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
<validate-on-match>true</validate-on-match>
<background-validation>false</background-validation>
</validation>
<statement>
<prepared-statement-cache-size>32</prepared-statement-cache-size>
<share-prepared-statements>true</share-prepared-statements>
</statement>
</xa-datasource>
Doing that the wildfly runs into a javax.resource.ResourceException: No matching credentials in Subject!
I've debugged into the code and although I'm missing the code for the last few classes in the call stack I see that the Subject actually has the credentials as properties but still the AccessController.doPrivilegedcall fails, leading to the above mentioned exception.
You see I'm kind of lost, any suggestions?
Upvotes: 0
Views: 3887
Answers (3)
Reputation: 49
i disabled caching of security-domain by removing cache-type="default" from security-domain in standalone.xml and it works for me This happens where multiple datasources are defined backed by the same security domain, - Either make separte security-domain for each datasource or - if a security domain is to be used with multiple datasources then no caching should be enabled for that domain, this means that each time the PasswordCredential is obtained from the security domain it will be a new instance and do do this remove cache-type="default" from security-domain in standalone.xml
https://bugzilla.redhat.com/show_bug.cgi?id=1103684
Upvotes: 0
Reputation: 21
I figured it out what I did wrong (by debugging wildfly and staring hard at my working JBoss 4 config..). In my security-domain configuration I had only set username and password. To make it work I needed to ad the "managedConnectionFactoryName" as well and declare a security-domain for each data source.
I now have the following configuration:
<datasources>
<datasource jta="false" jndi-name="java:/myproject/jdbc/datasources/jdbc" pool-name="my_JDBC_DS" enabled="true" use-ccm="false">
<connection-url>jdbc:oracle:thin:@localhost:1521:DB</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<driver>oracle</driver>
<pool>
<min-pool-size>1</min-pool-size>
<max-pool-size>50</max-pool-size>
</pool>
<security>
<security-domain>jdbcDatabaseSecure</security-domain>
</security>
<validation>
<check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
<validate-on-match>true</validate-on-match>
<background-validation>false</background-validation>
</validation>
</datasource>
<xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx" pool-name="MYTXDS" enabled="true" use-ccm="false">
<xa-datasource-property name="URL">
jdbc:oracle:thin:@localhost:1521:DB
</xa-datasource-property>
<driver>oracle</driver>
<security>
<security-domain>txDatabaseSecure</security-domain>
</security>
<xa-pool>
<min-pool-size>1</min-pool-size>
<max-pool-size>50</max-pool-size>
<wrap-xa-resource>false</wrap-xa-resource>
</xa-pool>
<validation>
<check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
<validate-on-match>true</validate-on-match>
<background-validation>false</background-validation>
</validation>
<statement>
<prepared-statement-cache-size>32</prepared-statement-cache-size>
<share-prepared-statements>true</share-prepared-statements>
</statement>
</xa-datasource>
<drivers>
<driver name="oracle" module="oracle">
<xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
...
<security-domain name="jdbcDatabaseSecure" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="scott"/>
<module-option name="password" value="-170dd0fbd8c13748"/>
<module-option name = "managedConnectionFactoryName" value="jdbcDatabaseSecure" />
</login-module>
</authentication>
</security-domain>
<security-domain name="txDatabaseSecure" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="scott"/>
<module-option name="password" value="-170dd0fbd8c13748"/>
<module-option name = "managedConnectionFactoryName" value="txDatabaseSecure" />
</login-module>
</authentication>
</security-domain>
And now it works.
Upvotes: 2
Reputation: 11
I had the same issue when trying to configure xa-datasource with an encrypted security-domains. After struggling a while, I configured vault encryption as described in this guide https://developer.jboss.org/wiki/JBossAS7SecuringPasswords and it works sucessfully with both datasources and xa-datasources.
Hope this helps.
Upvotes: 0
Related Questions
- How do I encrypt the bindCredential password in Wildfly?
- Using OS system variable for @DataSourceDefinition password failed in Wildfly 18
- How to add a datasource with encrypted password in WildFly Swarm with .war packaging?
- Wildfly - set datasource password at runtime
- Wildfly: Encrypt password and username for database
- Wildfly digest login-config with database login module
- WildFly datasource password protection
- How can I encrypt keystore password in wildlfy8
- Encrypting Datasource password for JBOSS and Tomcat6
- How to use encrypted password in apache BasicDataSource?