@darranl
Last active February 22, 2021 10:14
Inline Expression Encryption - Long Chain Example Commands
# Command Line Tools
# The four artefacts below are prepared offline with the JDK keytool and the WildFly
# Elytron tool; the aliases, file names and the secret key wired into the server/domain
# CLI steps later in this gist all come from here.
# Password - KeyStoreOnePassword
# No -storepass is given, so keytool prompts for the password interactively and the
# value does not land in the shell history.
keytool -genkeypair -alias test -keystore keystoreone.keystore
# Password CredentialStoreOnePassword - Storing KeyStoreOnePassword
# "--add keystoreone" stores the key-store password under alias keystoreone; with no
# password/secret options on the command line the tool prompts for both values.
java -jar ~/src/2021/wildfly-elytron/tool/target/wildfly-elytron-tool-1.15.0.CR2-SNAPSHOT.jar credential-store --create --location credentialstoreone.credentialstore --add keystoreone
# Password CredentialStoreTwoPassword - Storing CredentialStoreOnePassword
# Same pattern one level up: this store holds the password that protects credentialstoreone.
java -jar ~/src/2021/wildfly-elytron/tool/target/wildfly-elytron-tool-1.15.0.CR2-SNAPSHOT.jar credential-store --create --location credentialstoretwo.credentialstore --add credentialstoreone
# Import Secret Key - RUxZAUvbqIT70PICC8d5LHg4HBMe32WzwfU1i0MpqHbRKZx0Sg==
# This base64 secret key is the root of the whole chain: the expression=encryption
# resolver configured later points at this store, so whoever holds the key can decrypt
# every ${ENC::...} value that follows. It appears in clear here only because this is a
# worked example; a real key must not be kept next to the configuration it protects.
# NOTE(review): "-type" uses a single dash while the other long options use "--";
# presumably the tool accepts both, but "--type" would be the consistent spelling — confirm.
java -jar ~/src/2021/wildfly-elytron/tool/target/wildfly-elytron-tool-1.15.0.CR2-SNAPSHOT.jar credential-store --create --location credentialstorethree.credentialstore -type PropertiesCredentialStore --import-secret-key secretkey
# Server CLI Commands
# Standalone server: the chain is built bottom-up. Each store is first added with a
# clear-text credential-reference (so the server can open it), then re-pointed at the
# next store up, with a :reload between steps. At the end only credentialstoretwo keeps
# a clear-text reference, and that value is an encrypted ${ENC::...} expression.
###########################################################################################################
# NOTE: This step by step approach would be bad in the real world as backup versions of the configuration #
# will remain for the intermediate steps containing the clear text passwords. #
###########################################################################################################
# The same clear-text values are also retained by the CLI command history (typically the
# .jboss-cli-history file in the user's home directory), so that needs cleaning up too.
/subsystem=elytron/key-store=keystoreone:add(relative-to=jboss.server.config.dir, path=keystoreone.keystore, credential-reference={clear-text=KeyStoreOnePassword})
/subsystem=elytron/key-store=keystoreone:read-aliases
/subsystem=elytron/credential-store=credentialstoreone:add(relative-to=jboss.server.config.dir, location=credentialstoreone.credentialstore, credential-reference={clear-text=CredentialStoreOnePassword})
/subsystem=elytron/credential-store=credentialstoreone:read-aliases
# Switch the key-store from the clear-text password to the alias held in credentialstoreone.
/subsystem=elytron/key-store=keystoreone:write-attribute(name=credential-reference, value={store=credentialstoreone, alias=keystoreone})
:reload
/subsystem=elytron/credential-store=credentialstoretwo:add(relative-to=jboss.server.config.dir, location=credentialstoretwo.credentialstore, credential-reference={clear-text=CredentialStoreTwoPassword})
/subsystem=elytron/credential-store=credentialstoretwo:read-aliases
# Same switch one level up: credentialstoreone is now opened via an alias in credentialstoretwo.
/subsystem=elytron/credential-store=credentialstoreone:write-attribute(name=credential-reference, value={store=credentialstoretwo, alias=credentialstoreone})
:reload
# credentialstorethree is a secret-key-credential-store and is added with no
# credential-reference at all, so the file's own permissions on disk are what protect the
# secret key that everything above ultimately depends on.
/subsystem=elytron/secret-key-credential-store=credentialstorethree:add(relative-to=jboss.server.config.dir, path=credentialstorethree.credentialstore)
/subsystem=elytron/secret-key-credential-store=credentialstorethree:read-aliases
# The expression resolver decrypts ${ENC::...} values with alias "secretkey" from
# credentialstorethree; "Default" is the default resolver, so expressions can omit the resolver name.
/subsystem=elytron/expression=encryption:add(default-resolver=Default, resolvers=[{name=Default, credential-store=credentialstorethree,secret-key=secretkey}])
# Returns the ${ENC::...} form of the given clear text; the value written on the next
# write-attribute is that output (the clear text passed here is again visible in CLI history).
/subsystem=elytron/expression=encryption:create-expression(clear-text=CredentialStoreTwoPassword)
# NOTE: It is not strictly required to use the expression created in the previous step as the secret key
# was imported in the earlier steps.
# NOTE(review): the expression is unquoted here but quoted ("${ENC::...}") in the domain
# steps further down; presumably the CLI accepts both forms, but the quoted one is consistent — confirm.
/subsystem=elytron/credential-store=credentialstoretwo:write-attribute(name=credential-reference.clear-text, value=${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf})
:reload
# Double Check All Aliases As Expected
# Each read-aliases proves the corresponding store can still be opened through the chain
# (keystoreone -> credentialstoreone -> credentialstoretwo -> ENC expression -> credentialstorethree).
/subsystem=elytron/key-store=keystoreone:read-aliases
/subsystem=elytron/credential-store=credentialstoreone:read-aliases
/subsystem=elytron/credential-store=credentialstoretwo:read-aliases
/subsystem=elytron/secret-key-credential-store=credentialstorethree:read-aliases
# Copy pre-prepared credential stores to {jboss.home}/domain/configuration
# Managed domain, profile level: the stores are not rebuilt here. The files produced in
# the standalone steps are copied into the domain configuration directory and the final,
# already-chained credential-references are added directly, so nothing other than the
# encrypted expression ever enters the domain configuration in clear text.
/profile=default/subsystem=elytron/secret-key-credential-store=credentialstorethree:add(relative-to=jboss.domain.config.dir, \
path=credentialstorethree.credentialstore)
/profile=default/subsystem=elytron/expression=encryption:add(default-resolver=Default, resolvers=[{name=Default, \
credential-store=credentialstorethree,secret-key=secretkey}])
# The ENC expression is the one produced by create-expression above; it is valid here
# because the same secret key file is reused.
/profile=default/subsystem=elytron/credential-store=credentialstoretwo:add(relative-to=jboss.domain.config.dir, \
location=credentialstoretwo.credentialstore, \
credential-reference={clear-text="${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf}"})
/profile=default/subsystem=elytron/credential-store=credentialstoreone:add(relative-to=jboss.domain.config.dir, \
location=credentialstoreone.credentialstore, credential-reference={store=credentialstoretwo, alias=credentialstoreone})
/profile=default/subsystem=elytron/key-store=keystoreone:add(relative-to=jboss.domain.config.dir, path=keystoreone.keystore, \
credential-reference={store=credentialstoreone, alias=keystoreone})
# Apply the profile change by restarting the servers of the group.
/server-group=main-server-group:restart-servers
<!--
The resulting XML in the subsystem (standalone configuration: the stores are
relative-to jboss.server.config.dir), as it stands after the write-attribute steps
above. The key-store element that references credentialstoreone is not shown here.
Only credentialstoretwo carries a clear-text credential-reference, and that value is
the encrypted expression resolved through credentialstorethree/secretkey; the
secret-key-credential-store itself has no credential-reference.
-->
<credential-stores>
<credential-store name="credentialstoreone" relative-to="jboss.server.config.dir" location="credentialstoreone.credentialstore">
<credential-reference store="credentialstoretwo" alias="credentialstoreone"/>
</credential-store>
<credential-store name="credentialstoretwo" relative-to="jboss.server.config.dir" location="credentialstoretwo.credentialstore">
<credential-reference clear-text="${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf}"/>
</credential-store>
<secret-key-credential-store name="credentialstorethree" relative-to="jboss.server.config.dir" path="credentialstorethree.credentialstore"/>
</credential-stores>
<expression-resolver default-resolver="Default">
<resolver name="Default" credential-store="credentialstorethree" secret-key="secretkey"/>
</expression-resolver>
# Copy pre-prepared credential stores to {jboss.home}/domain/configuration
# Host controller level (/host=master): the same chain as the profile above, added to the
# host's own Elytron subsystem, presumably because the host controller must open these
# stores independently of the server group. A host reload follows, and the read-aliases
# calls confirm each store opens through the chain.
/host=master/subsystem=elytron/secret-key-credential-store=credentialstorethree:add(relative-to=jboss.domain.config.dir, \
path=credentialstorethree.credentialstore)
/host=master/subsystem=elytron/expression=encryption:add(default-resolver=Default, resolvers=[{name=Default, \
credential-store=credentialstorethree,secret-key=secretkey}])
# Same ENC expression as in the standalone and profile steps; valid because the same secret key file is reused.
/host=master/subsystem=elytron/credential-store=credentialstoretwo:add(relative-to=jboss.domain.config.dir, \
location=credentialstoretwo.credentialstore, \
credential-reference={clear-text="${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf}"})
/host=master/subsystem=elytron/credential-store=credentialstoreone:add(relative-to=jboss.domain.config.dir, \
location=credentialstoreone.credentialstore, credential-reference={store=credentialstoretwo, alias=credentialstoreone})
/host=master/subsystem=elytron/key-store=keystoreone:add(relative-to=jboss.domain.config.dir, path=keystoreone.keystore, \
credential-reference={store=credentialstoreone, alias=keystoreone})
/host=master:reload
# Verification: every store in the chain should list its aliases without error.
/host=master/subsystem=elytron/key-store=keystoreone:read-aliases
/host=master/subsystem=elytron/credential-store=credentialstoreone:read-aliases
/host=master/subsystem=elytron/credential-store=credentialstoretwo:read-aliases
/host=master/subsystem=elytron/secret-key-credential-store=credentialstorethree:read-aliases