Add a use case driven guide for creating a credential store using elytron-tool for wildfly client configuration #2068
Conversation
PrarthonaPaul
force-pushed
the
credential-store-guides
branch
from
f7e80d7
to
28e0441
Compare
There was a problem hiding this comment.
@PrarthonaPaul These blog posts are great! Very well explained and I think community will appreciate this as credential stores and encryption are common questions. I just added minor comments but I approved it. Thank you!
| ``` | ||
| Now we can create a keystore using a plaintext password: | ||
| ``` | ||
| /subsystem=elytron/key-store=serverKS:add(path=server.keystore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=secret}) |
There was a problem hiding this comment.
@PrarthonaPaul Just a total minor, we should now use PKCS12 type instead of JKS in these blogs as PKCS12 is default in Java 11
| } | ||
| } | ||
| ``` | ||
| Notice how even though we specified the clear-text password when updating the credentials, it does not show up here. Instead, we can see the name of the credential-store and the alias listen under credential-reference. |
There was a problem hiding this comment.
s/alias listen/alias listed
| ``` | ||
| /subsystem=elytron/credential-store=myCredStore:remove-alias(alias=myalias) | ||
| ``` | ||
| However, when deleting a alias, you must be careful, as if the alias is in use, it may still be removed successfully, leaving the resource's credential-reference pointing to a non-existent alias. |
There was a problem hiding this comment.
s/deleting a alias/deleting an alias
| If you navigate to WILDFLY_HOME/standalone/configuration, you will see a new file has been created there named mycredstore.cs. This file is used to store all the credentials in a credential-store. If you try to open it using Vim or another file viewer, you will see that the file is not human readable. As a result, the passwords are secured. It is possible to programmatically read the passwords, which is what WildFly does when dereferencing the credential reference to access a resource. | ||
|
|
||
| == Add a Password to the Credential-Store | ||
| Now in order to use the credential-store for our keystore, we need to add the keystore password to it: |
There was a problem hiding this comment.
@PrarthonaPaul Just a total minor, could be to mention that you can disable the management CLI history before running the commands that contain the clear text password, so "secret-value=secret" in this case and clear-text=secret below:
[standalone@localhost:9999 /] history --disable
After inputting the clear text password you can enable the saving of history again:
[standalone@localhost:9999 /] history --enable
There was a problem hiding this comment.
I noticed this is mentioned in the other blog, so we can mention it to this one also
There was a problem hiding this comment.
added a section for this.
| ``` | ||
|
|
||
| == About WildFly Client Configuration | ||
| EJBs, also known as Enterprise JavaBeans are a collection of specifications that are used for building java applications and offer a set og APIs for developing anf running secured applications. When invoking ejbs using the WildFly server, we need to configure the WildFly client to specify revevant information about authentication to secure the application. This can be done using a file named wildfly-config.xml located inside the sec/main/resources folder of the application. |
There was a problem hiding this comment.
s/anf running/and running
There was a problem hiding this comment.
s/ejbs/EJBs
s/revevant/relevant
s/sec/src
| Note that creating an additional security domain (fsSD in this case) is not necessary. We could alternatively take the default ApplicationDomain and add the FileSystem realm, role-decoder and permission-mapper to it. | ||
|
|
||
| === Create an Authentication Factory | ||
| We now need to create a sasl-authentication factory and connect out security domain to it and specify a mechanism for the authentication: |
There was a problem hiding this comment.
s/sasl-authentication factory/sasl-authentication-factory
s/connect out/ connect our
PrarthonaPaul
force-pushed
the
credential-store-guides
branch
2 times, most recently
from
6f0079c
to
29a6d0c
Compare
There was a problem hiding this comment.
@PrarthonaPaul Can you please split this into three separate PRs and bring the dates up to date.
I think this would make sense to publish one per week and then it will become some regular content instead of it all going our at once.
PrarthonaPaul
force-pushed
the
credential-store-guides
branch
from
29a6d0c
to
126d608
Compare
PrarthonaPaul
changed the title
…tron-tool for wildfly client configuration
PrarthonaPaul
force-pushed
the
credential-store-guides
branch
from
126d608
to
f668033
Compare
I have opened two other PRs for the other guides: #2121 and #2120 and updated the dates on all. |
No description provided.