
All of the Wildfly (and JBoss AS) docs and Glassfish-to-Wildfly migration examples I've seen use a JDBCrealm requiring database setup and some other config file fiddling.

Q: Is there any equivalent to the simple Glassfish file realm and keyfile in Wildfly?

[EDIT: more explanation of built-in functionality I seek.]

In the Glassfish browser Administration Console one can go to Configurations > Security > Realms > file and then Manage Users to add new users with a name, group list, and password (for it to encrypt and store easily for you in the keyfile). The asadmin command similarly offers create-file-user to create an entry in the keyfile. That keyfile can then be simply copied from one install version to another. And any groups mentioned during the process can then be referenced as role strings in the web app configuration.

1 Answer

What exactly are you trying to encrypt here?

For encrypting keystore passwords and similar, what you are looking for is called a vault in Wildfly. See https://developer.jboss.org/wiki/MaskingPasswordsForWildFlyUsingNon-interactiveVaultTool.

If you are looking for a way to encrypt datastore passwords specifically, you need to use picketbox to encrypt the passwords beforehand, and use a security domain in the security subsystem for each datastore.

Example script to encrypt password:

#!/bin/bash
# Encrypt a datasource password with PicketBox's SecureIdentityLoginModule and
# print only the encoded value, ready to paste into the "password" module-option.

PASSWORD=$1

if [ -z "$PASSWORD" ]; then
  echo "Usage: $(basename "$0") <password>"
  exit 1
fi

JAVA_HOME="${JAVA_HOME:=/usr/java/default}"

# The picketbox module ships with Wildfly; adjust the jar version to match your install.
cd /opt/wildfly/modules/system/layers/base/org/picketbox/main || exit 1
"$JAVA_HOME/bin/java" -classpath picketbox-4.0.21.Beta1.jar \
   org.picketbox.datasource.security.SecureIdentityLoginModule "$PASSWORD" \
   | sed -e 's#Encoded password: ##'

Example security-domain:

<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
  ...
    <security-domain name="my_security_domain" cache-type="default">
      <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username" value="my_username"/>
          <module-option name="password" value="my_encrypted_password"/>
          <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=my_datasource"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>

And in the datasource definition, reference it with:

<subsystem xmlns="urn:jboss:domain:datasources:3.0">
  <datasources>
    <datasource pool-name="my_datasource" ...>
      ...
      <security>
        <security-domain>my_security_domain</security-domain>
      </security>
    </datasource>
  </datasources>
</subsystem>
T. Kuther
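A consistency check that ties the two configuration fragments above together, added here as an example and not part of T. Kuther's answer or of Wildfly itself: it parses a standalone.xml-style document with Python's standard library and flags every datasource that still carries a plaintext `<password>`, references a security-domain that is not defined, or whose domain's login module is not SecureIdentityLoginModule or does not point back at the datasource's pool-name (the pairing of `name=my_datasource` in `managedConnectionFactoryName` with `pool-name="my_datasource"` follows the answer's example). The sample document, its JNDI names, connection URLs and the `my_encrypted_password` placeholder are constructed for the demonstration.

```python
"""Sanity-check Wildfly datasource credentials against security-domain definitions.

Added example (not from the answer above). Reports datasources that keep a
plaintext <password>, reference an undefined security-domain, or whose domain's
SecureIdentityLoginModule does not name the datasource's own pool.
"""
import xml.etree.ElementTree as ET

SECURE_LM = "org.picketbox.datasource.security.SecureIdentityLoginModule"

# Constructed sample (not a real server config): one datasource wired as in the
# answer, one with a plaintext password, one referencing a missing domain.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:4.0"><profile>
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="my_security_domain" cache-type="default">
      <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username" value="my_username"/>
          <module-option name="password" value="my_encrypted_password"/>
          <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=my_datasource"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:datasources:3.0">
  <datasources>
    <datasource jndi-name="java:/jdbc/MyDS" pool-name="my_datasource">
      <connection-url>jdbc:postgresql://db.example.internal/app</connection-url>
      <security><security-domain>my_security_domain</security-domain></security>
    </datasource>
    <datasource jndi-name="java:/jdbc/ReportsDS" pool-name="reports_ds">
      <connection-url>jdbc:postgresql://db.example.internal/reports</connection-url>
      <security><user-name>reports</user-name><password>hunter2</password></security>
    </datasource>
    <datasource jndi-name="java:/jdbc/LegacyDS" pool-name="legacy_ds">
      <security><security-domain>no_such_domain</security-domain></security>
    </datasource>
  </datasources>
</subsystem>
</profile></server>"""


def _strip_namespaces(root):
    """Drop the urn:jboss:domain:* namespaces so tags can be matched by local name."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def load_security_domains(root):
    """Map each named security-domain to its login modules: [(code, {option: value})]."""
    domains = {}
    for container in root.iter("security-domains"):
        for sd in container.findall("security-domain"):
            modules = []
            for lm in sd.iter("login-module"):
                opts = {o.get("name"): o.get("value") for o in lm.iter("module-option")}
                modules.append((lm.get("code"), opts))
            domains[sd.get("name")] = modules
    return domains


def check_datasources(xml_text):
    """Return a list of (pool-name, problem) tuples; an empty list means all datasources pass."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    domains = load_security_domains(root)
    findings = []
    for ds in root.iter("datasource"):
        pool = ds.get("pool-name", "<unnamed>")
        sec = ds.find("security")
        if sec is None:
            findings.append((pool, "no <security> element"))
            continue
        if sec.find("password") is not None:
            findings.append((pool, "plaintext <password>; move the credential into a security-domain"))
            continue
        ref = sec.findtext("security-domain")
        if ref is None:
            findings.append((pool, "neither <password> nor <security-domain> configured"))
            continue
        if ref not in domains:
            findings.append((pool, f"security-domain '{ref}' is not defined"))
            continue
        for code, opts in domains[ref]:
            if code != SECURE_LM:
                findings.append((pool, f"domain '{ref}' uses {code} instead of SecureIdentityLoginModule"))
            mcf = opts.get("managedConnectionFactoryName", "")
            if not mcf.endswith(f"name={pool}"):
                findings.append((pool, f"managedConnectionFactoryName '{mcf}' does not end in name={pool}"))
    return findings


if __name__ == "__main__":
    for pool, problem in check_datasources(SAMPLE_XML):
        print(f"{pool}: {problem}")
```

Run against a real standalone.xml by passing its contents to `check_datasources`; the check is deliberately strict about the `name=<pool-name>` suffix, because a domain whose module names a different pool silently fails to supply credentials to the datasource that references it.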
  • Thanks for your reply and effort, but my aim and the purpose of my question is simpler than your answer indicates. In the Glassfish browser Administration Console one can go to `Configurations > Security > Realms > file` and then `Manage Users` to add new users with a name, group list, and password (for it to encrypt and store *easily* in the `keyfile`). The `asadmin` command similarly offers `create-file-user` to create an entry in the keyfile. The keyfile can then be simply copied between installs. The answer to my question would seem so far to be "no, there is no equivalent" – Webel IT Australia - upvoter Sep 22 '16 at 00:49
  • OK, a totally different issue then. Wildfly has a default ApplicationRealm, and you can add users and groups to it via Admin console -> Access Control (or on the shell with add-user.sh). This results in two files mgmt-groups.properties and mgmt-users.properties which you can copy to new installs (we use that for puppet setups). Is that what you're looking for? – T. Kuther Sep 26 '16 at 13:04