JBoss Community Archive (Read Only)

RHQ

Protect Sensitive Server And Agent Configuration

Introduction

Sensitive configuration settings for the agent and server can now be protected by obfuscation. Both agent and server configuration files support transparent property obfuscation for all but a few properties. By default, there is a set of properties that will be obfuscated at install time. Please refer to the guide below to apply obfuscation to content deemed sensitive that is not obfuscated by default. RHQ provides tools to assist with content obfuscation, but users have to manually edit the configuration files to replace clear text with the obfuscated variant.

Configuration Files (Overview)

  1. Server

    1. standalone-full.xml

      1. {RHQ_SERVER_HOME}/jbossas/standalone/configuration/standalone-full.xml

      2. properties to be protected using VAULT format

      3. all passwords are protected by default at installation

      4. the vault is an EAP6 feature, however RHQ implements a custom obfuscation vault

      5. AS7 documentation - https://community.jboss.org/wiki/JBossAS7SecuringPasswords

    2. rhq-server.properties

      1. {RHQ_SERVER_HOME}/bin/rhq-server.properties

      2. the values of properties to be protected by using the RESTRICTED::: format

      3. use the tool provided for correct obfuscation and formatting

      4. passwords are protected by default at installation

    3. prefs.xml

      1. ~/.java/.userPrefs/rhq-server/default/prefs.xml

      2. not user editable

      3. no additional action needs to be taken by the user; the properties are automatically protected by the server at startup

      4. please ensure that sensitive information is protected in rhq-server.properties

  2. Agent

    1. agent-configuration.xml

      1. {RHQ_AGENT_HOME}/conf/agent-configuration.xml

      2. the values of properties to be protected by using the RESTRICTED::: format

      3. use the tool provided for correct obfuscation and formatting

      4. all passwords are protected by default at installation

    2. prefs.xml

      1. ~/.java/.userPrefs/rhq-server/default/prefs.xml

      2. not user editable

      3. properties are protected when the agent config command is run

      4. please ensure that sensitive information is protected in agent-configuration.xml and then run agent config

Server Configuration

If a property is used in standalone-full.xml with a value stored in rhq-server.properties, both files need to be updated with the obfuscated variant. Please see the example below.

Tool

RHQ provides a tool to help with obfuscating and formatting sensitive properties. The "rhq-encode-value" tool is located in the bin folder of the server installation. Upon invocation, the tool prompts for the needed information and prints the protected value in each supported format. Copy/paste the correct variant for the file you are modifying.

{RHQ_SERVER_HOME}/bin/rhq-encode-value.{sh bat}
[rhq-server/bin]$ ./rhq-encode-value.sh
15:12:03,561 INFO  [org.jboss.modules] JBoss Modules version 1.3.0.Final-redhat-2
Property rhq.autoinstall.server.admin.password [y/n]: n
Property rhq.server.database.password [y/n]: n
Property: rhq.protect.property
Value: 1234
15:12:20,533 INFO  [org.rhq.enterprise.server.installer.Installer] *** !!! WARNING !!!
15:12:20,534 INFO  [org.rhq.enterprise.server.installer.Installer] *** Both standalone-full.xml and rhq-server.properties need to be updated if a property from rhq-server.properties is used in standalone-full.xml
15:12:20,534 INFO  [org.rhq.enterprise.server.installer.Installer] *** !!! WARNING !!!
15:12:20,534 INFO  [org.rhq.enterprise.server.installer.Installer] ***     
15:12:20,534 INFO  [org.rhq.enterprise.server.installer.Installer] ***     
15:12:20,534 INFO  [org.rhq.enterprise.server.installer.Installer] *** Encoded password for rhq-server.properties:
15:12:20,534 INFO  [org.rhq.enterprise.server.installer.Installer] ***     rhq.protect.property=RESTRICTED::-299a94df3b478ca8
15:12:20,535 INFO  [org.rhq.enterprise.server.installer.Installer] ***     
15:12:20,535 INFO  [org.rhq.enterprise.server.installer.Installer] *** Encoded password for standalone-full.xml with vault with password as default value:
15:12:20,535 INFO  [org.rhq.enterprise.server.installer.Installer] ***     ${VAULT::restricted::rhq.protect.property::-299a94df3b478ca8}
15:12:20,535 INFO  [org.rhq.enterprise.server.installer.Installer] ***     
15:12:20,535 INFO  [org.rhq.enterprise.server.installer.Installer] *** Encoded password for standalone-full.xml with vault without default:
15:12:20,535 INFO  [org.rhq.enterprise.server.installer.Installer] ***     ${VAULT::restricted::rhq.protect.property:: }
15:12:20,535 INFO  [org.rhq.enterprise.server.installer.Installer] ***     
15:12:20,536 INFO  [org.rhq.enterprise.server.installer.Installer] *** Encoded password for agent-configuration.xml:
15:12:20,536 INFO  [org.rhq.enterprise.server.installer.Installer] ***     <entry key="rhq.protect.property" value="RESTRICTED::-299a94df3b478ca8" />
15:12:20,536 INFO  [org.rhq.enterprise.server.installer.Installer] ***     
15:12:20,536 INFO  [org.rhq.enterprise.server.installer.Installer] *** Please consult the documentation for additional help.

Examples

In each example, the initial property value is in plain text in the configuration file. The user is then required to run the rhq-encode-value utility to generate the correct encoded variant. Then the user needs to manually replace the plain text line in the configuration file with the one from the tool.

These are just some examples, so the properties presented here might not be representative of the properties a user will need/want to protect.

Agent Configuration

The user selects rhq.agent.server.alias property to be protected.

Initial file before protecting the property:

{RHQ_AGENT_HOME}/agent-configuration.xml
.....
<entry key="rhq.agent.server.alias" value="rhqserver" />
.....

After replacing the property text:

{RHQ_AGENT_HOME}/agent-configuration.xml
.....
<entry key="rhq.agent.server.alias" value="RESTRICTED::64c5fd2979a86168" />
.....

Server Configuration (container configuration)

The user selects the rhq.server.socket.binding.port.http property to be protected. If a property is in both rhq-server.properties and standalone-full.xml, then both files need to be updated. If only one file is updated, the container will not work properly after the change.

Initial files before protecting the property:

{RHQ_SERVER_HOME}/jbossas/standalone/configuration/standalone-full.xml
.....
<socket-binding name="http" port="${rhq.server.socket.binding.port.http:7080}"/>
.....
{RHQ_SERVER_HOME}/bin/rhq-server.properties
.....
rhq.server.socket.binding.port.http=7080
.....

After replacing the property text in each file:

{RHQ_SERVER_HOME}/jbossas/standalone/configuration/standalone-full.xml
.....
<socket-binding name="http" port="${VAULT::restricted::rhq.server.socket.binding.port.http::64c5fd2979a86168}"/>
.....
{RHQ_SERVER_HOME}/bin/rhq-server.properties
.....
rhq.server.socket.binding.port.http=RESTRICTED::64c5fd2979a86168
.....
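Because a property that is vault-protected in standalone-full.xml but left in plain text (or encoded with a different token) in rhq-server.properties breaks the container, a small consistency check is useful before restarting. The following is an added example, not part of the RHQ project or this page; the two file excerpts are constructed from the page's formats, and the regular expressions only reflect the VAULT and RESTRICTED:: layouts shown above.

```python
import re

# Constructed excerpts modelled on this page's examples; https is left in plain text on purpose.
STANDALONE_XML = """
<socket-binding name="http" port="${VAULT::restricted::rhq.server.socket.binding.port.http::64c5fd2979a86168}"/>
<socket-binding name="https" port="${VAULT::restricted::rhq.server.socket.binding.port.https::64c5fd2979a86168}"/>
"""
SERVER_PROPERTIES = """
rhq.server.socket.binding.port.http=RESTRICTED::64c5fd2979a86168
rhq.server.socket.binding.port.https=7443
rhq.autoinstall.server.admin.password=changeme
"""

# ${VAULT::restricted::<property>::<token>} as printed by rhq-encode-value; the token may be blank
VAULT_REF = re.compile(r"\$\{VAULT::restricted::([\w.\-]+)::([0-9a-f\-]*)\s*\}")
RESTRICTED = re.compile(r"^RESTRICTED::(\S+)$")

def parse_properties(text):
    """Minimal key=value parser for rhq-server.properties style files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def vault_references(xml_text):
    # property name -> vault token for every VAULT reference found in standalone-full.xml
    return {name: token.strip() for name, token in VAULT_REF.findall(xml_text)}

def check_consistency(xml_text, props_text):
    """Return (property, problem) pairs where the two files disagree on protection."""
    props = parse_properties(props_text)
    problems = []
    for name, token in vault_references(xml_text).items():
        value = props.get(name)
        if value is None:
            problems.append((name, "missing from rhq-server.properties"))
            continue
        m = RESTRICTED.match(value)
        if not m:
            problems.append((name, "plain text in rhq-server.properties"))
        elif token and m.group(1) != token:
            problems.append((name, "RESTRICTED token differs from VAULT token"))
    return problems

def unprotected_passwords(props):
    # password-like keys still in clear text: candidates to run through rhq-encode-value
    return sorted(k for k, v in props.items() if "password" in k.lower() and not RESTRICTED.match(v))
```

Run it against the real files by reading {RHQ_SERVER_HOME}/jbossas/standalone/configuration/standalone-full.xml and {RHQ_SERVER_HOME}/bin/rhq-server.properties in place of the constructed strings.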

Server Configuration (non-container configuration)

The user selects the rhq.server.concurrency-limit.inventory-sync property to be protected. This property is only used in rhq-server.properties, so only this file needs to be updated.

Initial file before protecting the property:

{RHQ_SERVER_HOME}/bin/rhq-server.properties
.....
rhq.server.concurrency-limit.inventory-sync=10
.....

After replacing the property text with the protected variant:

{RHQ_SERVER_HOME}/bin/rhq-server.properties
.....
rhq.server.concurrency-limit.inventory-sync=RESTRICTED::64c5fd2979a86168
.....

Advanced

There are a few properties that cannot be encoded using the restricted or vault formats. The rhq-encode-value tool will provide the correct formatting for them. As of RHQ 4.13 these special properties are: the database password and the storage cluster password in rhq-server.properties and standalone-full.xml.

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 13:31:48 UTC, last content change 2014-08-26 20:13:30 UTC.