
When using WAS, we use the J2C credentials store to hold external systems' users & passwords.

WAS provides some proprietary APIs to get this information.

The benefits of using this instead of a local file are that:

- the WAS admin can add/modify credentials with no knowledge of the application structure.
- it is managed in a central way for the whole cluster.
- WAS stores it among its own other credentials in a folder that is supposed to be secure (at OS level).
- devs do not need to know the production passwords.

Now we are coding for JBoss and we wonder if there is any similar API in JBoss to get users/passwords from code.

Thank you!!

Diego Lopez

1 Answer

We have found the solution. JBoss has a "vault" that is explained in the security guide.

Basically it lets you cipher everything you want in the server configuration file (i.e. standalone.xml). Then it deciphers it when starting the server.

We simply added a JNDI String to the server XML config file with the ciphered credentials. When we get that JNDI value from our code, the credentials are already in plain text.

Quite an elegant solution from JBoss dev team.

Diego Lopez
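A sketch of the approach the answer describes, as an added example that is not code from the original post: a JNDI String bound in standalone.xml to a vault expression, read by the application, which refuses a value the server did not resolve and keeps the password out of logs. The JNDI name, vault block and attribute names, and the `user:password` layout are assumptions made for illustration.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;

/*
 * Assumed standalone.xml fragment (naming subsystem); all names are constructed:
 *
 *   <bindings>
 *     <simple name="java:global/ext/billingCredentials"
 *             value="${VAULT::ext_systems::billing::1}"
 *             type="java.lang.String"/>
 *   </bindings>
 *
 * The vault entry is assumed to hold "user:password".
 */
public final class ExternalCredentials {
    // Hypothetical JNDI name, matching the fragment above.
    private static final String JNDI_NAME = "java:global/ext/billingCredentials";

    private final String user;
    private final char[] password;

    private ExternalCredentials(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    public static ExternalCredentials load() throws NamingException {
        Object bound = new InitialContext().lookup(JNDI_NAME);
        if (!(bound instanceof String)) {
            throw new IllegalStateException(JNDI_NAME + " is not bound to a String");
        }
        return parse((String) bound);
    }

    static ExternalCredentials parse(String value) {
        // Fail closed if the server handed back the expression instead of the secret.
        if (value.contains("VAULT::")) {
            throw new IllegalStateException("vault expression was not resolved by the server");
        }
        int sep = value.indexOf(':');
        if (sep <= 0 || sep == value.length() - 1) {
            // The bound value is deliberately left out of the message.
            throw new IllegalStateException("expected user:password in " + JNDI_NAME);
        }
        return new ExternalCredentials(value.substring(0, sep),
                                       value.substring(sep + 1).toCharArray());
    }

    public String user() { return user; }
    public char[] password() { return password.clone(); }

    @Override public String toString() { return "ExternalCredentials[user=" + user + ", password=***]"; }
}
```

Anything deployed on the server that can look up the JNDI name receives the plaintext, so the vault protects the configuration file at rest rather than the value at runtime.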