How to Use Java Expressions in JBoss EAP System Properties

At my current client, they are using JBoss EAP 6.1.1, regardless of my incessant pressure for them to upgrade to the latest and greatest. Since they are using an older version of EAP, they cannot leverage Java expressions in EAP system properties. To some this may not be a problem; however, it is when your application is trying to abstract, say, the names of attributes that are vaulted across different environments and/or leverage the system property in more than one place within the app server's configuration. There are other use cases as well.

I applied a patch that provides this functionality, but there was no clear direction on how to actually add Java expressions to the configuration file. After much chagrin I was able to decipher how to do it, and I am going to share it for others.

How to use system properties with vaulted attributes

Create keystore

keytool -genkeypair -v -alias alias -keyalg RSA -keysize 2048 -dname "cn=blah,ou=device, ou=service" -keypass password -keystore myserver.keystore -storepass password

Add server's keystore to vault as an attribute

 $JBOSS_HOME/bin/vault.sh --keystore vault.keystore --keystore-password 'vault-password' --alias vault --enc-dir  --salt 11111111 --iteration 10 -a keystore_name -x 'myserver.keystore'

********************************************
Vault Block:vb
Attribute Name:keystore_name
Configuration should be done as follows:
VAULT::vb::keystore_name::1
********************************************
Vault Configuration in AS7 config file:
********************************************
...
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-1dmPKRStsI..BzvEbFkZi"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="11111111"/>
  <vault-option name="ITERATION_COUNT" value="10"/>
  <vault-option name="ENC_FILE_DIR" value=""/>
</vault><management> ...
********************************************

Add keystore password to vault

$JBOSS_HOME/bin/vault.sh --keystore vault.keystore --keystore-password 'vault-password' --alias vault --enc-dir  --salt 11111111  --iteration 10 -a keypass -x 'password'

********************************************
Vault Block:vb
Attribute Name:keypass
Configuration should be done as follows:
VAULT::vb::keypass::1
********************************************
Vault Configuration in AS7 config file:
********************************************
...
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-1dmPKRStsI..BzvEbFkZi"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="11111111"/>
  <vault-option name="ITERATION_COUNT" value="10"/>
  <vault-option name="ENC_FILE_DIR" value=""/>
</vault><management> ...
********************************************

Add user

$JBOSS_HOME/bin/add-user.sh --silent admin admin.2015

Start server

$JBOSS_HOME/bin/standalone.sh

Add system property <kstore-name>

$JBOSS_HOME/bin/jboss-cli.sh --user=admin --password=admin.2015 -c controller=${HOSTNAME}:9999 --command='/system-property=kstore-name:add(value=$\\{VAULT::vb::keystore_name::1\})'

Add ssl

add_keystore_cmd='/subsystem=web/connector=https/ssl=configuration:write-attribute(name=certificate-key-file,value="${kstore-name}")'
$JBOSS_HOME/bin/jboss-cli.sh --user=admin --password=admin.2015 -c controller=${HOSTNAME}:9999 --command="${add_keystore_cmd}"

Tail logs

tail -f $JBOSS_HOME/standalone/log/server.log &

Reload server

$JBOSS_HOME/bin/jboss-cli.sh --user=admin --password=admin.2015 -c controller=${HOSTNAME}:9999 --command="reload"
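
One way to check the result after the reload, as an added example that is not part of the original post: the script follows each ${...} reference from the SSL connector through the system properties and reports any value that does not end in a VAULT:: reference. The sample configuration is constructed, and the kstore-pass property and the ssl password attribute are assumptions the post does not show.

```shell
# Added example, not from the original post. The config below is constructed;
# the kstore-pass property and the ssl password attribute are assumptions.
sample_config() {
cat <<'EOF'
<system-properties>
  <property name="kstore-name" value="${VAULT::vb::keystore_name::1}"/>
  <property name="kstore-pass" value="password"/>
</system-properties>
<ssl name="https" certificate-key-file="${kstore-name}" password="${kstore-pass}"/>
EOF
}

# Print the value of the system property named $1 in config file $2.
sysprop_value() {
  sed -n "s/.*<property name=\"$1\" value=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Print attribute $1 of the <ssl> element in config file $2.
ssl_attr() {
  sed -n "s/.*<ssl[^>]* $1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Follow ${name} references (at most 5 hops); print vault, literal or unresolved.
resolve() {
  local v=$1 cfg=$2 hops=0 name
  while [ "$hops" -lt 5 ]; do
    case "$v" in
      '${VAULT::'*'::'*'::'*'}') echo vault; return ;;
      '${'*'}') name=${v#??}; name=${name%?}   # strip "${" and "}"
                v=$(sysprop_value "$name" "$cfg")
                [ -n "$v" ] || { echo unresolved; return; } ;;
      *) echo literal; return ;;
    esac
    hops=$((hops + 1))
  done
  echo unresolved
}

# Print each checked <ssl> attribute not ending in the vault; return 1 if any.
audit_ssl() {
  local cfg=$1 attr val kind rc=0
  for attr in certificate-key-file password; do
    val=$(ssl_attr "$attr" "$cfg")
    [ -n "$val" ] || continue
    kind=$(resolve "$val" "$cfg")
    [ "$kind" = vault ] || { echo "$attr: $kind"; rc=1; }
  done
  return $rc
}

cfg=$(mktemp); sample_config > "$cfg"
audit_ssl "$cfg" || echo "fix the attributes listed above"
rm -f "$cfg"
```

Against a real server, pass the path of the standalone.xml in use to audit_ssl instead of the constructed sample.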