JBoss EAP 6 - Change Password Vault Password - jboss

We need to be able to update the JBoss password vault password to comply with periodic password rotation security requirements. We must deal with this older JBoss vault for now. I can manipulate the constituent keystore password (which I believe is the vault password) and can probably remask that/store it back in "standalone-full.xml". Wondering what the best practice is though, or if there's a better - or (JBoss) prescribed - way to do this.
Thanks!

Related

Getting started with Vault for existing non-containerized Windows apps

We have a bunch of Windows server applications that currently handle secrets as follows; our apps are in C#.
We store them in settings files in code
We store them encrypted, using a certificate
The servers have this certificate with the private key, so they can decrypt the secret
We're looking at implementing HashiCorp Vault. It seems easy enough to simply replace the encrypt-store-decrypt with storing the secret in Vault in the KV engine, and just grabbing it in our apps - that takes that certificate out of the picture entirely. Since we're on-prem, I'll need to figure out our auth method.
We have different apps running on different machines, and it's somewhat dynamic (not as much as an autoscaling scenario, but not permanent - so we can't just assign servers to roles one time and depend on Kerberos auth).
I'm unsure how to make AppRole work in our scenario. We don't have one of the example "trusted platforms" or "trusted entities", there's no Nomad, Chef, Terraform, etc. We have Windows machines, in a domain, and we have a homegrown orchestrator that could be queried to say "This machine name runs these apps", so maybe there's something that can be done there?
Am I in "write your own auth plugin" territory, to speak to our homegrown orchestrator?
Edit - someone on Reddit suggested that this is a simple solution if our apps are all 1-to-1 with the Windows domain account they run under, because then we can just use Kerberos authentication. That's not currently the way we're architected, but we've got to solve this somehow, and that might do it nicely.
2nd edit - replaced "services" with "apps", since most of our services aren't actually running as Windows services, just processes. The launcher is a Windows service but the individual processes it launches are not.
How about Group Managed Service Accounts?
https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
Essentially you create one "trusted platform" (to your key vault service).
Your service can still have its own identity but delegate to the gMSA when you want to retrieve the secrets.
For future visibility, here's what we landed on:
TLS certificate authentication. Using Vault, we issue a handful of certs, each will correspond to a security policy/profile, so that any machine that holds that certificate will be able to authenticate and retrieve the secrets they should have access to.
Kerberos ended up being a dead-end for two reasons. The vault.exe agent (which is part of this use case) can't use the native Windows Kerberos SSPI, so we'd have to manage and distribute keytab files. Also, if we used machine authentication, it would blow up our client count (we're using the cloud-hosted HCP Vault, where pricing is partially based on client count).
Custom plugins can't be loaded into the HCP, of course.
Azure won't work, it requires Managed Identities which you can't assign to on-prem machines. Otherwise this might have been a great fit.

Can the password for the WildFly credential store be changed, provided the original password is known?

I have a credential store temp.jceks in the code repository with default application passwords for developers.
When a production build is generated, the store is added to the Windows installer.
During installation, I need to change the store password to something else.
I know the Java keystore password can be changed using keytool, so along similar lines, I was hoping the WildFly credential store password can also be changed, but I do not see any option to do so with the information below.
https://wildscribe.github.io/WildFly/11.0/subsystem/elytron/credential-store/index.html
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials#credential_store
Any other option to secure the credential store password will be helpful.
Thank you!
No, it does not allow that. So I had to read the old values, delete the keystore used for development, create a new one with a random password and store back the values. I had to use the same name since it's the one configured in standalone.xml and I did not want to construct standalone.xml dynamically.
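The re-creation the answer describes (read the aliases out of the old store, build a new store under a new password, write them back under the same names) can be scripted against the Elytron credential store API instead of done by hand. This is an added example, not code from the question or from WildFly; the class CredentialStoreRekey is hypothetical, and the Elytron class and method names are as I recall them, so check them against the WildFly Elytron version you run.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;

import org.wildfly.security.WildFlyElytronProvider;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.password.interfaces.ClearPassword;

// Hypothetical helper (not part of WildFly): copies every alias from a store protected
// by the old password into a fresh store protected by the new password.
public class CredentialStoreRekey {
    // Open (or create) a JCEKS-backed KeyStoreCredentialStore guarded by the given password.
    static CredentialStore open(File location, char[] password, boolean create) throws Exception {
        CredentialStore cs = CredentialStore.getInstance("KeyStoreCredentialStore",
                new WildFlyElytronProvider());
        Map<String, String> attrs = new HashMap<>();
        attrs.put("location", location.getAbsolutePath());
        attrs.put("keyStoreType", "JCEKS");
        attrs.put("modifiable", "true");
        attrs.put("create", Boolean.toString(create));
        PasswordCredential storePassword = new PasswordCredential(
                ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password));
        cs.initialize(attrs, new CredentialStore.CredentialSourceProtectionParameter(
                IdentityCredentials.NONE.withCredential(storePassword)));
        return cs;
    }

    // Returns the number of aliases in the source so the caller can verify before swapping files.
    static int rekey(File oldStore, char[] oldPwd, File newStore, char[] newPwd) throws Exception {
        CredentialStore src = open(oldStore, oldPwd, false);
        CredentialStore dst = open(newStore, newPwd, true);
        for (String alias : src.getAliases()) {
            PasswordCredential cred = src.retrieve(alias, PasswordCredential.class);
            if (cred != null) dst.store(alias, cred);   // same alias, so standalone.xml needs no change
        }
        dst.flush();                                   // persists the new JCEKS file
        return src.getAliases().size();
    }

    public static void main(String[] args) throws Exception {
        // Passwords are read from the terminal rather than argv (System.console() is null without a tty).
        char[] oldPwd = System.console().readPassword("Current store password: ");
        char[] newPwd = System.console().readPassword("New store password: ");
        File current = new File(args[0]);
        int n = rekey(current, oldPwd, new File(args[0] + ".new"), newPwd);
        System.out.println("Copied " + n + " aliases; rename the .new file over " + current.getName());
    }
}
```

Renaming the new file over the original keeps the file name that standalone.xml references, which is the constraint the answer mentions.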

Change Rundeck storage password

Is there any way to change the storage password for an existing Rundeck installation? This is the password referred to in rundeck-config.properties as rundeck.storage.converter.1.config.password and rundeck.config.storage.converter.1.config.password.
I presume it would be a case of going through each stored item, decrypting with the old password, encrypting with the new password, and finally updating the config file, but I'm hoping there's already a tool/script to do this.
Thanks!
You must follow these steps for your projects:
Export projects (this script looks useful for doing that in bulk to a ZIP file).
Delete all projects (if you like, via RD CLI or API).
Stop the Rundeck service.
Change the encryption passwords in the rundeck-config.properties file.
Start the Rundeck service.
And later import projects (if you like, via RD CLI or API).
Now your projects are encrypted with your new password. As for the keys, you need to recreate them.
Advice: test this first in a non-prod environment.

Does JBoss Vault have a Java API?

I have a Spring application running on JBoss. I have passwords that I don't want to store in the DB. Those passwords are used inside the application code, e.g. the email account password to send emails via the Java Mail API.
I would like to store the passwords in the JBoss Vault.
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html/how_to_configure_server_security/securely_storing_credentials#password_vault
My question is, does this tool have a Java API? Can I store and retrieve the password inside my application code?
I know that I can call vault.bat from my Java code, but I was looking for a better idea.
The Vault mechanism
Hello, so you can use the Vault to encrypt the data that appear in the configuration files of JBoss. You can use it for example to encrypt the DB password that you use in the standalone.xml configuration. It is not an API per se.
Application Encryption
That vault mechanism is not appropriate for encrypting application-side data. To do this you can follow the answer provided by Johannes Brodwall, which seems very complete, and the complementary answer by user1007231 will help you with the master password.
Credential Store
As the guide suggests in 3.1 Credential Store, it is recommended to use a Credential Store.

Kerberos authentication with expiring passwords

We are using Java Kerberos authentication to connect to our SQL Server DB from Linux. Here we had used the principal name and the password to generate a keytab file on the Linux system. Currently the connectivity works fine.
But there has been an additional requirement to use expiring passwords, which expire every 3 months. In our other applications we use an API called CyberArk which retrieves the password from a vault, and the Ops team need not bother about changing the password on the application server located on the Linux system.
Does anyone have any experience using Kerberos in such an environment? We are basically looking at avoiding regenerating the keytab file every time the password expires.
I don't think you can avoid regenerating the keytab file in the event of a password change or expiry. What you can do, however, is make it painless to generate the keytab file on the Linux server. This requires the Linux server to join the Active Directory, using the RHEL native tool realm or Centrify software.
The RHEL tool documentation is here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/realmd-domain
For Centrify users: https://community.centrify.com/t5/Centrify-Express/Replace-SSH-Keys-with-Kerberos-Keytabs/td-p/10112