Inline Expression Encryption - Long Chain Example Commands
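# Command Line Tools
#
# Path to the Elytron tool jar used by every credential-store command below;
# hoisted into one variable so the version only has to be changed in one place.
ELYTRON_TOOL="$HOME/src/2021/wildfly-elytron/tool/target/wildfly-elytron-tool-1.15.0.CR2-SNAPSHOT.jar"

# Password - KeyStoreOnePassword
# The password is not on the command line here; it is entered when keytool asks for it.
# NOTE(review): no -keyalg is given, so the key type is whatever this JDK's keytool
# defaults to - pass one explicitly (e.g. -keyalg RSA -keysize 2048) for anything
# beyond a throwaway example.
keytool -genkeypair -alias test -keystore keystoreone.keystore

# Password CredentialStoreOnePassword - Storing KeyStoreOnePassword
# Creates credentialstoreone (protected by CredentialStoreOnePassword) and stores
# KeyStoreOnePassword under the alias "keystoreone".
java -jar "$ELYTRON_TOOL" credential-store --create --location credentialstoreone.credentialstore --add keystoreone

# Password CredentialStoreTwoPassword - Storing CredentialStoreOnePassword
# Same pattern one level up: credentialstoretwo (protected by CredentialStoreTwoPassword)
# stores CredentialStoreOnePassword under the alias "credentialstoreone".
java -jar "$ELYTRON_TOOL" credential-store --create --location credentialstoretwo.credentialstore --add credentialstoreone

# Import Secret Key - RUxZAUvbqIT70PICC8d5LHg4HBMe32WzwfU1i0MpqHbRKZx0Sg==
# SECURITY: this secret key is the root of the whole chain - every ${ENC::...}
# expression in the server configuration below is produced with it and can be
# decrypted by anyone who holds it. The value is published here only as a worked
# example: never reuse it, and never commit a real key (or the credential store
# file holding it) to a gist or repository.
java -jar "$ELYTRON_TOOL" credential-store --create --location credentialstorethree.credentialstore -type PropertiesCredentialStore --import-secret-key secretkey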
# Server CLI Commands
#
# Builds the chain bottom-up on a running standalone server:
#   keystoreone <- credentialstoreone <- credentialstoretwo <- ${ENC::...} <- credentialstorethree (secret key)
# Each store is first added with a clear-text password so its aliases can be checked,
# then re-pointed at the next store in the chain and the server reloaded.
###########################################################################################################
# NOTE: This step by step approach would be bad in the real world as backup versions of the configuration #
# will remain for the intermediate steps containing the clear text passwords, and the CLI's own command   #
# history is likely to keep the clear-text values as typed - both would need to be cleaned up.            #
###########################################################################################################

# 1. Key store, initially unlocked with its clear-text password.
/subsystem=elytron/key-store=keystoreone:add(relative-to=jboss.server.config.dir, \
    path=keystoreone.keystore, \
    credential-reference={clear-text=KeyStoreOnePassword})
/subsystem=elytron/key-store=keystoreone:read-aliases

# 2. credentialstoreone holds KeyStoreOnePassword. Unlock it with clear text for now,
#    then make the key store read its password from it instead of from the config.
/subsystem=elytron/credential-store=credentialstoreone:add(relative-to=jboss.server.config.dir, \
    location=credentialstoreone.credentialstore, \
    credential-reference={clear-text=CredentialStoreOnePassword})
/subsystem=elytron/credential-store=credentialstoreone:read-aliases
/subsystem=elytron/key-store=keystoreone:write-attribute(name=credential-reference, \
    value={store=credentialstoreone, alias=keystoreone})
:reload

# 3. credentialstoretwo holds CredentialStoreOnePassword; same pattern one level up.
/subsystem=elytron/credential-store=credentialstoretwo:add(relative-to=jboss.server.config.dir, \
    location=credentialstoretwo.credentialstore, \
    credential-reference={clear-text=CredentialStoreTwoPassword})
/subsystem=elytron/credential-store=credentialstoretwo:read-aliases
/subsystem=elytron/credential-store=credentialstoreone:write-attribute(name=credential-reference, \
    value={store=credentialstoretwo, alias=credentialstoreone})
:reload

# 4. credentialstorethree is the secret-key store backing the expression resolver.
#    It is added with NO credential-reference of its own, so the file it points at is
#    the root secret: whoever can read it can decrypt the ${ENC::...} expression below
#    and from there unlock the whole chain. Protect it with file-system permissions.
/subsystem=elytron/secret-key-credential-store=credentialstorethree:add(relative-to=jboss.server.config.dir, \
    path=credentialstorethree.credentialstore)
/subsystem=elytron/secret-key-credential-store=credentialstorethree:read-aliases
/subsystem=elytron/expression=encryption:add(default-resolver=Default, \
    resolvers=[{name=Default, credential-store=credentialstorethree,secret-key=secretkey}])

# 5. Encrypt CredentialStoreTwoPassword under the secret key and replace the last
#    clear-text value at the top of the chain with the resulting expression.
/subsystem=elytron/expression=encryption:create-expression(clear-text=CredentialStoreTwoPassword)
# NOTE: The expression used below does not have to be the one returned by the previous
# step: because the same secret key was imported earlier, any expression encrypted under
# it resolves the same way.
/subsystem=elytron/credential-store=credentialstoretwo:write-attribute(name=credential-reference.clear-text, \
    value=${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf})
:reload

# Double Check All Aliases As Expected - every store in the chain must still open.
/subsystem=elytron/key-store=keystoreone:read-aliases
/subsystem=elytron/credential-store=credentialstoreone:read-aliases
/subsystem=elytron/credential-store=credentialstoretwo:read-aliases
/subsystem=elytron/secret-key-credential-store=credentialstorethree:read-aliases
# Copy pre-prepared credential stores to {jboss.home}/domain/configuration
# (keystoreone.keystore and the three credential stores created with the command line tool).
# Same chain as the standalone example, but added to the "default" profile in one pass,
# so no clear-text password ever enters the domain configuration: the top of the chain is
# the ${ENC::...} expression and everything below it is a store/alias reference.
# NOTE(review): relative-to=jboss.domain.config.dir is resolved per host, so the store files
# presumably have to be present on every host that runs this profile - confirm.
# credentialstorethree is added with no credential-reference of its own: the secret key file
# is the root secret for the whole chain and must be protected by file-system permissions.
/profile=default/subsystem=elytron/secret-key-credential-store=credentialstorethree:add(relative-to=jboss.domain.config.dir, \
path=credentialstorethree.credentialstore)
/profile=default/subsystem=elytron/expression=encryption:add(default-resolver=Default, \
credential-store=credentialstorethree,secret-key=secretkey}])
/profile=default/subsystem=elytron/credential-store=credentialstoretwo:add(relative-to=jboss.domain.config.dir, \
location=credentialstoretwo.credentialstore, \
credential-reference={clear-text="${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf}"})
/profile=default/subsystem=elytron/credential-store=credentialstoreone:add(relative-to=jboss.domain.config.dir, \
location=credentialstoreone.credentialstore, credential-reference={store=credentialstoretwo, alias=credentialstoreone})
/profile=default/subsystem=elytron/key-store=keystoreone:add(relative-to=jboss.domain.config.dir, path=keystoreone.keystore, \
credential-reference={store=credentialstoreone, alias=keystoreone})
# Restart the servers in the group so they pick up the new profile resources.
/server-group=main-server-group:restart-servers
<!--
The resulting XML in the subsystem.

Resolution chain as shown here (the key-store element that references
credentialstoreone is not part of this excerpt):
  credentialstoreone  -> password read from credentialstoretwo, alias "credentialstoreone"
  credentialstoretwo  -> password is the ${ENC::...} expression, decrypted by the "Default" resolver
  Default resolver    -> secret key "secretkey" held in credentialstorethree
credentialstorethree carries no credential-reference, so the file it points at is the
root secret: anyone able to read it can decrypt the expression and unlock the whole chain.
-->
<credential-stores>
<credential-store name="credentialstoreone" relative-to="jboss.server.config.dir" location="credentialstoreone.credentialstore">
<credential-reference store="credentialstoretwo" alias="credentialstoreone"/>
</credential-store>
<credential-store name="credentialstoretwo" relative-to="jboss.server.config.dir" location="credentialstoretwo.credentialstore">
<!-- Encrypted form of CredentialStoreTwoPassword; only as secret as the secret key that produced it. -->
<credential-reference clear-text="${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf}"/>
</credential-store>
<!-- No credential-reference here: protect this file with file-system permissions. -->
<secret-key-credential-store name="credentialstorethree" relative-to="jboss.server.config.dir" path="credentialstorethree.credentialstore"/>
</credential-stores>
<expression-resolver default-resolver="Default">
<resolver name="Default" credential-store="credentialstorethree" secret-key="secretkey"/>
</expression-resolver>
# Copy pre-prepared credential stores to {jboss.home}/domain/configuration
# (keystoreone.keystore and the three credential stores created with the command line tool).
# Same chain as the profile example, but configured on the host controller itself
# (/host=master) rather than in a profile, so no clear-text password ever enters
# the host configuration: the top of the chain is the ${ENC::...} expression and
# everything below it is a store/alias reference.
# credentialstorethree is added with no credential-reference of its own: the secret key file
# is the root secret for the whole chain and must be protected by file-system permissions.
/host=master/subsystem=elytron/secret-key-credential-store=credentialstorethree:add(relative-to=jboss.domain.config.dir, \
path=credentialstorethree.credentialstore)
/host=master/subsystem=elytron/expression=encryption:add(default-resolver=Default, resolvers=[{name=Default, \
credential-store=credentialstorethree,secret-key=secretkey}])
/host=master/subsystem=elytron/credential-store=credentialstoretwo:add(relative-to=jboss.domain.config.dir, \
location=credentialstoretwo.credentialstore, \
credential-reference={clear-text="${ENC::RUxZAUMQ5KZRMDQdZTmZgTj8/jDPBxW31rA4tSkLwsk4tyahdGySvRCRVseSYJejb3iEBQRf}"})
/host=master/subsystem=elytron/credential-store=credentialstoreone:add(relative-to=jboss.domain.config.dir, \
location=credentialstoreone.credentialstore, credential-reference={store=credentialstoretwo, alias=credentialstoreone})
/host=master/subsystem=elytron/key-store=keystoreone:add(relative-to=jboss.domain.config.dir, path=keystoreone.keystore, \
credential-reference={store=credentialstoreone, alias=keystoreone})
# Reload the host controller, then confirm every store in the chain still opens.
/host=master:reload
/host=master/subsystem=elytron/key-store=keystoreone:read-aliases
/host=master/subsystem=elytron/credential-store=credentialstoreone:read-aliases
/host=master/subsystem=elytron/credential-store=credentialstoretwo:read-aliases
/host=master/subsystem=elytron/secret-key-credential-store=credentialstorethree:read-aliases