Encrypt the keystore password in a Tomcat Connector
JBoss Web is based on Apache Tomcat. SSL with Tomcat requires a secure connector, which means that the keystore/truststore password cannot be passed as a plain-text attribute in the connector element of Tomcat's server.xml file. A working understanding of the JaasSecurityDomain, which supports keystores, truststores, and password-based encryption, is advised. Refer to Chapter 13, Secure Remote Password Protocol and Chapter 17, Encrypting Data Source Passwords for supporting information and related procedures.

Procedure 18.1. Encrypt Tomcat Container Keystore Password

1. Append connector element

   Add a connector element in server.xml in $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar.

2. Configure JaasSecurityDomain MBean

   Set the JaasSecurityDomain MBean in a $JBOSS_HOME/server/$PROFILE/deploy/security-service.xml file. If the file does not exist, you must create it. The code sample describes the content required when the file does not exist. If you already have a security-service.xml, append the element block to the file. The sample sets the keystore location, the encrypted keystore password source, the Salt, and the IterationCount to the following values:

       resource:localhost.keystore
       {CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password
       welcometojboss
       13

   The Salt and IterationCount are the variables that define the strength of your encrypted password, so you can vary them from what is shown. Ensure you record the new values and use them when generating the encrypted password.

   Note: The Salt must be at least eight characters long.

3. Generate encrypted password

   The configuration specifies that the keystore is stored in the jboss-as/server/$PROFILE/conf/localhost.keystore file. It also specifies that the encrypted password file is stored in the jboss-as/server/$PROFILE/conf/keystore.password file. You must create the localhost.keystore file. Execute the following command in the jboss-as/server/$PROFILE/conf directory.

       [conf]$ java -cp $JBOSS_HOME/lib/jbosssx.jar \
           org.jboss.security.plugins.FilePassword welcometojboss 13 unit-tests-server keystore.password

   This command uses jbosssx.jar as the classpath (-cp) and the FilePassword security plugin to create a keystore.password file with the password set as unit-tests-server. The salt (welcometojboss) and iteration count (13) you supply must be the same values configured in the elements of the JaasSecurityDomain, otherwise the server cannot decrypt the file. You execute this command in the /conf directory so the keystore.password file is saved to this directory.

4. Update the Tomcat service MBean

   Navigate to $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/META-INF. Open jboss-service.xml and append the following tag toward the end of the file. Adding the tag specifies that Tomcat must start after jboss.security:service=PBESecurityDomain.

       <depends>jboss.security:service=PBESecurityDomain</depends>
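The following shell script is an added example, not part of the JBoss documentation, that ties steps 2 and 3 of the procedure together: it enforces the Salt and IterationCount constraints before anything is written, writes a security-service.xml carrying the sample's values, and wraps the FilePassword command so it only runs once localhost.keystore exists. The MBean name, the FilePassword class and the attribute values come from the procedure; the JaasSecurityDomain attribute names (KeyStoreURL, KeyStorePass, Salt, IterationCount) are stated from knowledge of JBoss rather than from this page, and the constructor argument encrypt-keystore-password is an assumed security-domain name you would replace with your own.

```shell
#!/bin/sh
# Added example; not from the JBoss documentation.
# Assumptions: attribute names KeyStoreURL/KeyStorePass/Salt/IterationCount
# (JaasSecurityDomain MBean attributes) and the security-domain name
# "encrypt-keystore-password". MBean name and FilePassword class are from
# the procedure above.

# Validate the PBE parameters: the Salt must be at least eight characters
# and the IterationCount a positive integer. Returns 0 if valid, 1 otherwise.
check_pbe_params() {
  salt="$1"; iter="$2"
  [ "${#salt}" -ge 8 ] || { echo "Salt must be at least 8 characters" >&2; return 1; }
  case "$iter" in
    ''|*[!0-9]*) echo "IterationCount must be a positive integer" >&2; return 1 ;;
  esac
  [ "$iter" -gt 0 ] || { echo "IterationCount must be greater than 0" >&2; return 1; }
  return 0
}

# Write a security-service.xml declaring the JaasSecurityDomain MBean.
# Usage: write_security_service OUTPUT_PATH SALT ITERATION_COUNT
# Nothing is written if the parameters fail validation.
write_security_service() {
  out="$1"; salt="$2"; iter="$3"
  check_pbe_params "$salt" "$iter" || return 1
  # \${jboss.server.home.dir} is escaped so JBoss, not the shell, expands it.
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <!-- constructor argument is an assumed security-domain name -->
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=PBESecurityDomain">
    <constructor>
      <arg type="java.lang.String" value="encrypt-keystore-password"/>
    </constructor>
    <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:\${jboss.server.home.dir}/conf/keystore.password</attribute>
    <attribute name="Salt">${salt}</attribute>
    <attribute name="IterationCount">${iter}</attribute>
  </mbean>
</server>
EOF
}

# Create keystore.password in CONF_DIR with the FilePassword plugin, using the
# same salt and iteration count as the MBean so the server can decrypt it.
# Usage: gen_keystore_password CONF_DIR SALT ITERATION_COUNT KEYSTORE_PASSWORD
gen_keystore_password() {
  conf="$1"; salt="$2"; iter="$3"; pw="$4"
  check_pbe_params "$salt" "$iter" || return 1
  [ -f "$conf/localhost.keystore" ] || {
    echo "create $conf/localhost.keystore first (for example with keytool)" >&2
    return 1
  }
  : "${JBOSS_HOME:?JBOSS_HOME must be set}"
  # Run from the conf directory so keystore.password lands beside the keystore.
  (cd "$conf" && java -cp "$JBOSS_HOME/lib/jbosssx.jar" \
      org.jboss.security.plugins.FilePassword "$salt" "$iter" "$pw" keystore.password)
}

# Example invocation (requires a JBoss installation):
#   write_security_service "$JBOSS_HOME/server/default/deploy/security-service.xml" welcometojboss 13
#   gen_keystore_password "$JBOSS_HOME/server/default/conf" welcometojboss 13 unit-tests-server
```

Because the salt and iteration count are passed through a single validation function that both the XML writer and the password generator call, the two values that must agree are taken from the same arguments, which removes the most common cause of a container that fails to open its keystore at startup.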