Encryption Setup on Wildfly with Elytron
This guide describes how to set up encryption of configuration values (for example database passwords) on your WildFly platform using Elytron.
Setting up encryption consists of two steps:
1. Initialize credential store
You can initialize the credential store using one of the following two methods:
a) Automatic Setup During Encryption
Navigate to the Administration section in the frontend and select Encryption. As long as the encryption setup has not been completed, any attempt to encrypt a string shows a confirmation box stating that the setup is incomplete. Pressing OK completes the setup automatically. Note that this generates the secret key on that instance; if you run several instances, read section 2 before you encrypt anything.
b) CLI Method
This method is useful if you require encryption prior to deploying your application, such as for encrypting database passwords.
To begin, start the server in admin-only mode (the management interfaces come up, but no deployments are started):
On Linux/macOS:
./standalone.sh --admin-only
On Windows:
standalone.bat --admin-only
In a second terminal, start jboss-cli and connect it to the running server:
On Linux/macOS:
./jboss-cli.sh -c
On Windows:
jboss-cli.bat -c
Once the CLI is running and connected, follow these steps:
1. Remove the initial setup for the credential store and expression resolver
Run the following command in the WildFly CLI:
2. Create the Secret Key Credential Store
Run the following command in the WildFly CLI to create the secret-key credential store:
This command creates the file tim_store_secret.cs in the WILDFLY_HOME/standalone/configuration folder.
3. Generate the Secret Key
Generate a random secret key by running this command:
The generated key is stored in the tim_store_secret.cs file in WILDFLY_HOME/standalone/configuration/. This file is now the key to every value you encrypt: anyone who can read it can decrypt them, so keep its permissions as tight as those of standalone.xml and back it up together with the configuration.
4. Add the Encryption Resolver
Add the encryption resolver, which references the credential store and the key generated in the previous step, by running:
5. Set the Default Resolver
To register the resolver as the default, so that encrypted expressions take the short form ${ENC::...} without the resolver name in them, execute:
6. Reload the configuration
Reload so that the new resolver becomes active; keep the server in admin-only mode until the values have been encrypted.
7. Run the Encryption Command
To encrypt a clear-text string (for example a database password), use:
The result is an expression of the form ${ENC::...} that you paste into the configuration in place of the clear-text value.
8. Reload the server with admin-only set to false
After configuring encryption and applying the encrypted values in the standalone configuration, reload the server. Make sure the admin-only setting is set to false in that reload (or restart the server without --admin-only); otherwise the deployment of your EAR file does not proceed.
2. Reuse the Secret Key in Multiple Server Instances
If you operate several server instances that share the same database, the secret key generated on the first instance must be reused on every other instance: a value encrypted with one key cannot be decrypted with a different one, so an instance that generated its own key would fail to resolve the shared encrypted configuration. Elytron's secret-key credential store provides export-secret-key and import-secret-key operations for this; alternatively, copy the tim_store_secret.cs file to the other instances. Every instance must be configured with a default resolver that points at that same key, because the ${ENC::...} expressions carry no resolver information. Treat an exported key exactly like the tim_store_secret.cs file itself and transfer it only over a protected channel.
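The following script is an added example and is not TIM Solutions' or WildFly's own code. It writes the jboss-cli commands for the CLI method above (create the secret-key credential store, generate the key, register the resolver as the default, reload, encrypt a value, leave admin-only mode) and for moving the key to a second instance as described in section 2, and feeds each generated script to jboss-cli. The names tim_store_secret (store), tim-key (alias), tim-resolver (resolver) and the install path /opt/wildfly are assumptions and not taken from the page; only the file name tim_store_secret.cs and its location under jboss.server.config.dir (WILDFLY_HOME/standalone/configuration) are the page's. The generator functions run offline; jboss-cli.sh is only called when the script is invoked with a subcommand.

```shell
#!/bin/sh
# Added example, not TIM Solutions' or WildFly's own script.
# Assumed names (not from the page): store "tim_store_secret", key alias
# "tim-key", resolver "tim-resolver", install path /opt/wildfly.
STORE="${STORE:-tim_store_secret}"
ALIAS="${ALIAS:-tim-key}"
RESOLVER="${RESOLVER:-tim-resolver}"
JBOSS_HOME="${JBOSS_HOME:-/opt/wildfly}"

# Steps 2-6 of the CLI method: create the store (file tim_store_secret.cs in
# jboss.server.config.dir), generate the key, add the resolver and make it the
# default, then reload while staying in admin-only mode.
setup_cli() {
    cat <<EOF
/subsystem=elytron/secret-key-credential-store=$STORE:add(path=$STORE.cs, relative-to=jboss.server.config.dir)
/subsystem=elytron/secret-key-credential-store=$STORE:generate-secret-key(alias=$ALIAS)
/subsystem=elytron/expression=encryption:add(resolvers=[{name=$RESOLVER, credential-store=$STORE, secret-key=$ALIAS}], default-resolver=$RESOLVER)
reload --admin-only=true
EOF
}

# Step 7: encrypt one clear-text value. With a default resolver the result is
# printed as ${ENC::<base64>} with no resolver name in it. The value is placed
# in double quotes; a value that itself contains a double quote must be
# escaped before it is passed to this function.
encrypt_cli() {
    printf '/subsystem=elytron/expression=encryption:create-expression(clear-text="%s")\n' "$1"
}

# Step 8: leave admin-only mode so that deployments (the EAR) start.
finish_cli() {
    echo 'reload --admin-only=false'
}

# Section 2: read the key from the first instance ...
export_key_cli() {
    printf '/subsystem=elytron/secret-key-credential-store=%s:export-secret-key(alias=%s)\n' "$STORE" "$ALIAS"
}

# ... and install that key under the same alias on another instance that has
# already created its own (empty) store with the :add command. $1 is the
# exported key string.
import_key_cli() {
    printf '/subsystem=elytron/secret-key-credential-store=%s:import-secret-key(alias=%s, key="%s")\n' "$STORE" "$ALIAS" "$1"
}

# Feed a generated script to jboss-cli connected to a server that was started
# with --admin-only.
run_cli() {
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file="$1"
}

case "${1:-}" in
    setup)   setup_cli > setup.cli      && run_cli setup.cli ;;
    encrypt) encrypt_cli "$2" > encrypt.cli && run_cli encrypt.cli ;;
    finish)  finish_cli > finish.cli    && run_cli finish.cli ;;
    export)  export_key_cli > export.cli && run_cli export.cli ;;
    import)  import_key_cli "$2" > import.cli && run_cli import.cli ;;
esac
```

Typical use on the first instance: `sh encrypt-setup.sh setup`, then `sh encrypt-setup.sh encrypt 'db-password'` for each value, paste the returned ${ENC::...} expressions into standalone.xml, and finish with `sh encrypt-setup.sh finish`. On every further instance run the `:add` part of the setup, then `import` with the string obtained from `export` on the first instance. The .cli files written by the script contain the clear-text values and the exported key, so delete them once the commands have run.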
© TIM Solutions GmbH