The original answer I provided only applies to WildFly 23 or newer. I'll leave it below the correct answer for reference.
You'll want to use a credential store, which encrypts the contents with a Java KeyStore. The linked documentation goes into details, but this example class shows how you can retrieve the contents of the credential store.
To secure the credential store password itself, you have a few options:
- Read the password from the output of a shell command (source code). This is the only method I recommend, since the password cannot be stored in the configuration file. For example, this CLI command would create the credential store using an environment variable as password:
[standalone@localhost:9990 /] /subsystem=elytron/credential-store=cs:add(location=credstore.cs,relative-to=jboss.server.config.dir,\
credential-reference={type=command,clear-text="echo $SECURE_ENV_VAR"},create=true)
- Store the password in plain text. Given the constraints, this isn't a realistic option.
- Using Elytron Tool, you can create a credential store with a hashed-and-salted password. However, this is a purely compatibility feature, and the algorithm used (`PBEwithMD5andDES`) is now brute-forceable, so I don't recommend it, and won't include instructions on how to do so.
If you're able to upgrade to WildFly 23 or newer, you'll have access to a more secure option, as defined below.
As for adding the LDAP credentials (and securing the password for the credential store itself), this blog post explains how to use them with encrypted expressions. This allows you to store an encrypted copy of the credential store's password in the server configuration.
Note: although it may seem like you can use an encrypted expression directly to store the LDAP credentials, it will not be resolved in a non-secure context, and likely won't work in the Java class.
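As an added example (not part of the answer above, and not WildFly or Elytron code): a POSIX shell secret-provider script that can be used with the `type=command` credential reference described above instead of `echo $SECURE_ENV_VAR`. Reading the store password from a file that only the service user can read keeps it out of both the server configuration and the process environment, and the script refuses to print it unless the file is a regular file (not a symlink) owned by the caller with mode 400 or 600. The install path `/opt/wildfly/bin/read-cs-password.sh`, the secret file `/etc/wildfly/credstore.pw`, and the sample password are assumptions chosen for illustration; when run with no argument the script builds two constructed sample files in a temporary directory and checks its own behaviour against them.

```shell
#!/bin/sh
# Added example, not from the original answer or from WildFly: a hardened
# secret-provider command for credential-reference={type=command,...}.
# Usage (paths are assumptions):
#   /opt/wildfly/bin/read-cs-password.sh /etc/wildfly/credstore.pw
# which would be referenced from jboss-cli as
#   credential-reference={type=command,clear-text="/opt/wildfly/bin/read-cs-password.sh /etc/wildfly/credstore.pw"}

# Permission bits of a file in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner uid of a file (GNU stat first, BSD stat as fallback).
file_owner() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# read_secret_file FILE: print the first line of FILE on stdout.
# Prints nothing and returns 1 if FILE is missing, is a symlink or not a
# regular file, is owned by another user, is group/world accessible, or is empty.
read_secret_file() {
    f="$1"
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: missing, a symlink, or not a regular file" >&2
        return 1
    fi
    if [ "$(file_owner "$f")" != "$(id -u)" ]; then
        echo "refusing $f: not owned by the current user" >&2
        return 1
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        400|600) ;;
        *) echo "refusing $f: mode $mode (expected 400 or 600)" >&2; return 1 ;;
    esac
    secret=""
    # Read only the first line; tolerate a file without a trailing newline.
    IFS= read -r secret < "$f" || [ -n "$secret" ]
    if [ -z "$secret" ]; then
        echo "refusing $f: empty secret" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

# demo_secret_checks: self-check on constructed sample files. Prints "ok" when
# a 600-mode file is read back correctly and a 644-mode file is rejected.
demo_secret_checks() {
    dir=$(mktemp -d) || return 1
    # Constructed sample secret; created with a restrictive umask in a subshell.
    ( umask 077; printf 'correct horse battery staple\n' > "$dir/good.pw" )
    chmod 600 "$dir/good.pw"
    ( umask 077; printf 'leaked\n' > "$dir/bad.pw" )
    chmod 644 "$dir/bad.pw"
    good=$(read_secret_file "$dir/good.pw") || { rm -rf "$dir"; return 1; }
    [ "$good" = "correct horse battery staple" ] || { rm -rf "$dir"; return 1; }
    if read_secret_file "$dir/bad.pw" 2>/dev/null; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    echo ok
}

case $# in
    0) demo_secret_checks ;;      # no path given: run the constructed self-check
    *) read_secret_file "$1" ;;   # provider mode: print the credential store password
esac
```

The script exits non-zero without printing anything whenever a check fails, so a misconfigured secret file causes the credential store to fail to open at boot rather than silently falling back to a weaker source.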