How do I encrypt the bindCredential password in Wildfly?

北恋 2021-01-22 03:10

I am trying to configure a security domain in Wildfly (8.2.1) for binding to our Active Directory. I need to try to find a way to encrypt the bindCredential password. I am able

1 Answer
  • 2021-01-22 03:21

    Use the Security Vault. You can find a chapter about Password Vaults in the JBoss EAP documentation - the configuration should be the same for WildFly.

    In general, you need to do the following steps.

    1. Create JCEKS keystore with a secret key

        keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 \
            -storepass vault22 -keypass vault22 \
            -dname "CN=vault, O=ACME, C=CZ" \
            -keystore /path/to/vault.keystore

    2. Create a Vault directory, create the vault itself and put your password into it

        mkdir /path/to/vault-data-dir
        ${JBOSS_HOME}/bin/vault.sh -a passa -b LdapLogin \
            -e /path/to/vault-data-dir \
            -i 22 -k /path/to/vault.keystore -p vault22 -s 87654321 -v vault \
            -x mypassword

    3. Configure vault in the WildFly:

        ${JBOSS_HOME}/bin/jboss-cli.sh \
            -c '/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/path/to/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"),("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/path/to/vault-data-dir/")])'

    4. Use the vaulted password in your login module

        <module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>
    
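A post-setup check for the four steps in the answer above, as an added example that is not part of the original answer: it flags vault files that group or other users can access, and any bindCredential that still holds a literal value instead of a `${VAULT::...}` reference. The function names are hypothetical, and it assumes each module-option sits on one line as in step 4.

```shell
#!/bin/sh
# Added example, not part of the original answer. Function names are hypothetical.
# The keystore, the vault data and the masked keystore password all live on the
# server's disk, so file permissions are what keeps other local users out.

# Print vault paths that group or other users can read, write or traverse.
loose_vault_paths() {
    find "$@" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print line numbers of bindCredential options whose value is not a
# ${VAULT::...} reference. Only the line number is printed, never the value.
# Assumes one <module-option .../> per line, as in step 4.
plain_bind_credentials() {
    grep -n 'name="bindCredential"' "$1" | grep -vF 'value="${VAULT::' | cut -d: -f1
}

# Usage: check_vault_setup KEYSTORE_URL ENC_FILE_DIR CONFIG_XML
# Returns 0 when both checks pass, 1 on a finding, 2 when a path is unusable.
check_vault_setup() {
    status=0
    [ -r "$3" ] || { echo "cannot read config: $3" >&2; return 2; }
    loose=$(loose_vault_paths "$1" "$2") || return 2
    if [ -n "$loose" ]; then
        printf 'group/other access on vault material:\n%s\n' "$loose" >&2
        status=1
    fi
    plain=$(plain_bind_credentials "$3")
    if [ -n "$plain" ]; then
        printf 'literal bindCredential at line(s) of %s:\n%s\n' "$3" "$plain" >&2
        status=1
    fi
    return "$status"
}

# Run the check when called with the three paths as arguments.
if [ "$#" -eq 3 ]; then
    check_vault_setup "$@"
fi
```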