If you had configured a jdbc-connection-pool, or
jms-connection on GlassFish3, you may have noticed that the passwords are stored in
plain-text in config/domain.xml. That is unfortunate, and a
security-guy in your organization may give you a hard-time for it.
Hopefully, a future release of GlassFish may choose encrypted-password-storage as the DEFAULT, but till then, creating password-alias could be a satisfactory alternative. There is enough documentation on the create-password-alias command, but I thought of creating a really simple example in this context.
Let's create a jdbc-connection-pool called MyConnectionPool from cmd-line. It could be done with a single command or easily through admin-console as well.
asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.user=dbuser
asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.password=${ALIAS=db_password_alias}
And if you look at the domain.xml , you would see something like this:
Now let's provide actual-password, the one we want to store in an encrypted manner:
You can take a peek in the config/domain-passwords file, which maps aliases to passwords, and confirm that your password above can not be deciphered. That's it, but don't forget to verify that a connection could be retrieved using the encrypted password.
If you fat-fingered, or if you would like to change the password, you can use update-password-alias command. Refer to glassfish commands documentation for more information, and that above command works in a non-interactive mode as well, if you prefer to script it.
Good-luck getting that security-guy off your back!
Hopefully, a future release of GlassFish may choose encrypted-password-storage as the DEFAULT, but till then, creating password-alias could be a satisfactory alternative. There is enough documentation on the create-password-alias command, but I thought of creating a really simple example in this context.
Let's create a jdbc-connection-pool called MyConnectionPool from cmd-line. It could be done with a single command or easily through admin-console as well.
asadmin> create-jdbc-connection-pool --datasourceclassname oracle.jdbc.pool.OracleDataSource --restype javax.sql.DataSource MyConnectionPool
asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.user=dbuser
asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.password=${ALIAS=db_password_alias}
asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.url="jdbc:oracle:thin:@host:port:service"
And if you look at the domain.xml , you would see something like this:
<property name="password" value="${ALIAS=db_password_alias}"></property>
Now let's provide actual-password, the one we want to store in an encrypted manner:
asadmin> create-password-alias
Enter the value for the aliasname operand> db_password_alias
Enter the alias password> *******
Enter the alias password again> ******
Command create-password-alias executed successfully.
Enter the value for the aliasname operand> db_password_alias
Enter the alias password> *******
Enter the alias password again> ******
Command create-password-alias executed successfully.
You can take a peek in the config/domain-passwords file, which maps aliases to passwords, and confirm that your password above can not be deciphered. That's it, but don't forget to verify that a connection could be retrieved using the encrypted password.
asadmin> ping-connection-pool MyConnectionPool
Command ping-connection-pool executed successfully.
If you fat-fingered, or if you would like to change the password, you can use update-password-alias command. Refer to glassfish commands documentation for more information, and that above command works in a non-interactive mode as well, if you prefer to script it.
Good-luck getting that security-guy off your back!
