Requirements

Prerequisite knowledge

Some experience with Adobe LiveCycle and JBoss configuration.

User level

All

In the JBoss application server, the module commonly used to encrypt passwords in the data source files (adobe-ds.xml and mysql-ds.xml) is SecureIdentityLoginModule. Adobe LiveCycle installed on JBoss also uses SecureIdentityLoginModule for this purpose. The module encrypts with the Blowfish algorithm, but the encryption key is hard-coded in its implementation, so the "encrypted" passwords are only obscured: anyone who knows the hard-coded key (it is in the module's source code) can decrypt a data source password back to clear text. This also makes the configuration non-compliant with the FIPS 140-2 standard.

JaasSecurityDomainIdentityLoginModule uses password-based encryption (PBE): the key is derived from a domain password that you supply at run time, not from a constant in the code, which makes it more secure than SecureIdentityLoginModule. It is therefore recommended to use JaasSecurityDomainIdentityLoginModule.

This article discusses the implementation and configuration of JaasSecurityDomainIdentityLoginModule. It does not apply to a particular version of LiveCycle; it describes a general practice for improving security. Before implementing it, ensure that it aligns with your organizational needs.

JaasSecurityDomainIdentityLoginModule

The org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule login module statically defines the identity for a data source using a password that has been encrypted by a JaasSecurityDomain. The encrypted, base64-encoded form of the data source password is generated with PBEUtils.

Encrypt password with PBEUtils

Open the command prompt and execute the following command to encrypt the password:
java -cp <JBoss_HOME>/server/<profile>/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils salt count domain-password data-source-password

The encrypted password is displayed on the console.

The attributes for the PBEUtils command are as follows:

  • Salt - The Salt attribute from the JaasSecurityDomain (must be eight characters long).
  • Count - The IterationCount attribute from JaasSecurityDomain.
  • domain-password - The plain text password that maps to the KeyStorePass attribute from JaasSecurityDomain.
  • data-source-password - The plaintext password for the data source that should be encrypted with the JaasSecurityDomain password.

For more information about JaasSecurityDomain configuration, see Define JaasSecurityDomain.

Example: java -cp C:\jboss4.2.1\server\all\lib\jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 13 master adobe

Encoded password: BWj6zbL/0rA
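As an added example (not from this article and not JBoss code), the following standalone Java program reproduces what PBEUtils and JaasSecurityDomain do with the values above, using the JDK's PBEwithMD5andDES algorithm, which is JaasSecurityDomain's default cipher. It encrypts the data source password adobe under the domain password master with salt abcdefgh and iteration count 13, then checks that decryption succeeds only when the same domain password, salt and iteration count are supplied. The class name PbeDemo and the helper recovers are the example's own. It is assumed that PBEUtils applies the same algorithm and parameters, so the ciphertext bytes should agree; the printed string will still differ from BWj6zbL/0rA, because PBEUtils encodes with JBoss's own base64 alphabet while this program uses standard java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeDemo {
    // JaasSecurityDomain's default cipher algorithm (weak by today's standards;
    // shown here because it is what the JBoss tooling uses).
    private static final String ALG = "PBEwithMD5andDES";

    // Derive the DES key from the domain password. Salt and iteration count are
    // supplied per operation through PBEParameterSpec and must match the Salt
    // and IterationCount attributes of the JaasSecurityDomain MBean.
    static SecretKey domainKey(char[] domainPassword) throws Exception {
        return SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(domainPassword));
    }

    static byte[] encrypt(char[] domainPassword, byte[] salt, int count, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance(ALG);
        cipher.init(Cipher.ENCRYPT_MODE, domainKey(domainPassword), new PBEParameterSpec(salt, count));
        return cipher.doFinal(plaintext);
    }

    static byte[] decrypt(char[] domainPassword, byte[] salt, int count, byte[] ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance(ALG);
        cipher.init(Cipher.DECRYPT_MODE, domainKey(domainPassword), new PBEParameterSpec(salt, count));
        return cipher.doFinal(ciphertext);
    }

    // True only if the given domain password, salt and count recover the expected
    // plaintext. A wrong key usually fails with BadPaddingException, but roughly
    // one time in 256 a random DES block happens to carry valid PKCS5 padding, so
    // the decrypted bytes are compared as well instead of trusting the exception.
    static boolean recovers(char[] domainPassword, byte[] salt, int count,
                            byte[] ciphertext, byte[] expected) throws Exception {
        try {
            return Arrays.equals(decrypt(domainPassword, salt, count, ciphertext), expected);
        } catch (BadPaddingException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Same inputs as the PBEUtils example in the article.
        byte[] salt = "abcdefgh".getBytes(StandardCharsets.US_ASCII); // must be 8 bytes
        int count = 13;
        char[] domainPassword = "master".toCharArray();
        byte[] dsPassword = "adobe".getBytes(StandardCharsets.UTF_8);

        byte[] ct = encrypt(domainPassword, salt, count, dsPassword);
        System.out.println("ciphertext (standard base64): " + Base64.getEncoder().encodeToString(ct));

        System.out.println("right domain password, salt, count: "
                + recovers(domainPassword, salt, count, ct, dsPassword));
        System.out.println("wrong domain password:              "
                + recovers("wrong".toCharArray(), salt, count, ct, dsPassword));
        System.out.println("wrong salt:                         "
                + recovers(domainPassword, "hgfedcba".getBytes(StandardCharsets.US_ASCII), count, ct, dsPassword));
        System.out.println("wrong iteration count:              "
                + recovers(domainPassword, salt, count + 1, ct, dsPassword));

        // Unlike SecureIdentityLoginModule, nothing in the configuration files can
        // decrypt the value without the domain password, which exists only where
        // the operator typed it and in the environment of the running JBoss process.
        Arrays.fill(domainPassword, '\0');
    }
}
```

Compile and run with javac PbeDemo.java && java PbeDemo. The first check prints true and the other three print false, which is the property the rest of this article relies on: the encoded password in login-config.xml is useless to anyone who obtains the file but not the domain password.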

JBoss Configuration

Define application policy

Add the following application policies to the $JBOSS_HOME/server/$PROFILE/conf/login-config.xml file. These policies contain the encrypted password.

<application-policy name="EncryptDBPassword">
  <authentication>
    <login-module code="org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule" flag="required">
      <module-option name="username">adobe</module-option>
      <module-option name="password">BWj6zbL/0rA</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:name=DefaultDS,service=LocalTxCM</module-option>
      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
    </login-module>
  </authentication>
</application-policy>

<application-policy name="EncryptDBPassword_IDP_DS">
  <authentication>
    <login-module code="org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule" flag="required">
      <module-option name="username">adobe</module-option>
      <module-option name="password">BWj6zbL/0rA</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:name=IDP_DS,service=LocalTxCM</module-option>
      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
    </login-module>
  </authentication>
</application-policy>

<application-policy name="EncryptDBPassword_EDC_DS">
  <authentication>
    <login-module code="org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule" flag="required">
      <module-option name="username">adobe</module-option>
      <module-option name="password">BWj6zbL/0rA</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:name=EDC_DS,service=LocalTxCM</module-option>
      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
    </login-module>
  </authentication>
</application-policy>

Keep the code attribute and the password value free of leading or trailing whitespace: the class name is looked up verbatim, and whitespace inside the password element becomes part of the base64 value.

Define Security Domain in Data Source Configuration


Do the following changes in the $JBOSS_HOME/server/$PROFILE/deploy/adobe-ds.xml file:

  • In the IDP_DS data source configuration, comment out the <user-name> and <password> entries and add <security-domain>EncryptDBPassword_IDP_DS</security-domain>.
  • In the EDC_DS data source configuration, comment out the <user-name> and <password> entries and add <security-domain>EncryptDBPassword_EDC_DS</security-domain>.

In the $JBOSS_HOME/server/$PROFILE/deploy/mysql-ds.xml file, comment out the <user-name> and <password> entries in the DefaultDS data source configuration and add <security-domain>EncryptDBPassword</security-domain>.

Define JaasSecurityDomain

Add the following mbean configuration (for JaasSecurityDomain ) after the JBoss Server Management Domain Mbean definition in the $JBOSS_HOME/server/$PROFILE/conf/jboss-service.xml file.

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
  <constructor>
    <arg type="java.lang.String" value="ServerMasterPassword"></arg>
  </constructor>
  <attribute name="KeyStorePass">{EXT}${jboss.home.dir}/bin/domainpassword.sh 2</attribute>
  <attribute name="Salt">abcdefgh</attribute>
  <attribute name="IterationCount">13</attribute>
</mbean>

In the above configuration, the {EXT} prefix tells JaasSecurityDomain to run the rest of the value as an external command and use its output as the KeyStorePass (the domain password). Here the command is the domainpassword.sh script with the argument 2. Create this file in the bin directory and make it executable. It contains the following:

#!/bin/bash
# Argument 1: prompt for the domain password. Sourced from run.sh so that the
# variable stays in the shell that launches JBoss.
# Argument 2: print the stored password. Run by JaasSecurityDomain through {EXT}.
# read -s (no echo) is a bash extension, so run.sh must itself be executed by bash.
if [ "$1" = "1" ]
then
    echo "Enter the domain password for JaasSecurityDomain:"
    read -s Domain_Password
    # Export it, otherwise the java process, and the child process that runs this
    # script with argument 2, will not see the variable.
    export Domain_Password
elif [ "$1" = "2" ]
then
    echo "$Domain_Password"
fi

The domain password is entered interactively when the run script (run.sh) starts. Add the following lines to the run script. The leading dot sources domainpassword.sh in the shell that runs run.sh instead of running it in a subshell, so the Domain_Password variable set by the prompt is kept and inherited by the JBoss java process. There must be whitespace between the dot and the path, and the relative path assumes run.sh is started from the bin directory.

# This script is sourced so that the JaasSecurityDomain password entered by the
# user stays in this shell. Keep the leading dot exactly as it is.
.  ./domainpassword.sh 1

Note: If a service that depends on an encrypted data source starts before the JaasSecurityDomain MBean, the data source fails with java.security.InvalidAlgorithmParameterException: Parameters missing. To make JBoss start the MBean first, add the following element to each data source configuration (in adobe-ds.xml and mysql-ds.xml) that uses one of the security domains above:

<depends>jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</depends>

Where to go from here

For more information on Configured Identity with Password Based Encryption (PBE), see Configured Identity with Password Based Encryption (PBE) in JBoss documentation.