Created by kylin.1st, Dec
//
$ cp -a standalone sec-std-cfg-node-1
Create a property file named “wildflycookbook.properties”, and add the following property and value:
jboss.bind.address=10.0.0.1
# sudo ifconfig em1:1 10.0.0.1 netmask 255.255.255.0
$ ./bin/standalone.sh -Djboss.server.base.dir=sec-std-cfg-node-1 -P wildflycookbook.properties
Usage example: Split DB connection parameters from DataSource configuration
//
${db.prod.conn.url}
mysql
${db.prod.uid}
${db.prod.pwd}
Add the following entries to the properties file:
db.prod.conn.url=jdbc:mysql://mysql-prod-cluster-node-1:3306/store
db.prod.uid=root
db.prod.pwd=password
//
$ cp -a standalone sec-std-cfg-node-2
$ java -cp modules/system/layers/base/org/picketbox/main/picketbox-4.0.21.Final.jar \
    org.picketbox.datasource.security.SecureIdentityLoginModule password
Encoded password: 5dfc52b51bd35553df8592078de921bc
Create a security domain
//
Reference the security domain
//
jdbc:mysql://mysql-prod-cluster-node-1:3306/store
mysql
encrypted-security-domain
//
$ cd $JBOSS_HOME
$ cp -a standalone sec-std-cfg-node-3
$ cd sec-std-cfg-node-3/configuration
$ mkdir vault
$ cd vault
$ keytool -v -genkey -alias wildfly.vault -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore wildfly.vault.keystore
$ keytool -list -v -keystore wildfly.vault.keystore
$ ../../../bin/vault.sh -a PASSWORD -x password -b DB-PROD -i 50 -k wildfly.vault.keystore -p redhat -s 86427531 -v wildfly.vault
jdbc:mysql://mysql-prod-cluster-node-1:3306/store
mysql
root
${VAULT::DB-PROD::PASSWORD::1}
$ ./bin/standalone.sh -Djboss.server.base.dir=sec-std-cfg-node-3
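An added example, not part of the original page: a small Python check that reports how each value in a datasource definition is supplied (literal, property placeholder or vault reference) and flags placeholders that have no matching key in the properties file. The XML and properties samples are constructed; the jndi-name, pool-name and the element layout are assumptions based on the WildFly datasource schema.

```python
import re
import xml.etree.ElementTree as ET

VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^}]+\}$")
PROPERTY_REF = re.compile(r"^\$\{([^}:]+)(?::([^}]*))?\}$")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def classify(value, props):
    """Say how a configuration value is supplied."""
    if VAULT_REF.match(value):
        return "vault"
    m = PROPERTY_REF.match(value)
    if m is None:
        return "literal"       # clear text in the XML itself
    if m.group(1) in props or m.group(2) is not None:
        return "property"      # resolved, but clear text in the properties file
    return "unresolved"        # no key and no default: typo or missing entry

def audit(datasource_xml, properties_text):
    """Return {element: status} for every leaf element of the datasource."""
    props = parse_properties(properties_text)
    root = ET.fromstring(datasource_xml)
    return {el.tag.rsplit("}", 1)[-1]: classify((el.text or "").strip(), props)
            for el in root.iter() if len(el) == 0}

# Constructed samples; the password key is deliberately misspelled ("dp.").
SAMPLE_PROPS = """\
db.prod.conn.url=jdbc:mysql://mysql-prod-cluster-node-1:3306/store
db.prod.uid=root
dp.prod.pwd=password
"""
SAMPLE_DS = """\
<datasource jndi-name="java:jboss/datasources/StoreDS" pool-name="StoreDS">
  <connection-url>${db.prod.conn.url}</connection-url>
  <driver>mysql</driver>
  <security>
    <user-name>${db.prod.uid}</user-name>
    <password>${db.prod.pwd}</password>
  </security>
</datasource>
"""
VAULT_DS = SAMPLE_DS.replace("${db.prod.pwd}", "${VAULT::DB-PROD::PASSWORD::1}")
if __name__ == "__main__":
    print(audit(SAMPLE_DS, SAMPLE_PROPS), audit(VAULT_DS, SAMPLE_PROPS))
```

A `property` result for `password` means the secret still sits in clear text in the properties file; only the `vault` result keeps it out of both configuration files.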
More about vault commands
//
$ ./bin/vault.sh --help
usage: vault.sh | [-a ] [-b ] -c | -h | -x [-e
] [-i ] [-k ] [-p ] [-s ] [-v ]
-a,--attribute           Attribute name
-b,--vault-block         Vault block
-c,--check-sec-attr      Check whether the secured attribute already exists in the Vault
-e,--enc-dir             Directory containing encrypted files
-h,--help                Help
-i,--iteration           Iteration count
-k,--keystore            Keystore URL
-p,--keystore-password   Keystore password
-s,--salt                8 character salt
-v,--alias               Vault keystore alias
-x,--sec-attr            Secured attribute value (such as password) to store