How do I encrypt the bindCredential password in Wildfly?

Question

I am trying to configure an security domain in Wildfly (8.2.1) for binding to our Active Directory. I need to try to find a way to encrypt the bindCredential password. I am able to encrypt the data source passwords just fine using Picketbox. I only could find out to do this encryption for JBoss V6.x or before and the method employed doesn't seem to exist any longer in Wildfly. Has anyone done this and willing to share how it can be accomplished.

Here is my security domain:

    <security-domain name="ADDomain" cache-type="default">
            <authentication>
                    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                            <module-option name="java.naming.provider.url" value="ldap://ad.mycompany.com:389/"/>
                            <module-option name="bindDN" value="cn=myuserid"/>
                            <module-option name="bindCredential" value="mypassword"/> <--- I want to encrypt this. 
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="baseCtxDN" value="dc=mycompany,dc=com"/>
                            <module-option name="baseFilter" value="(uid={0})"/>
                            <module-option name="rolesCtxDN" value="dc=mycompany,dc=com"/>
                            <module-option name="roleFilter" value="(uniqueMember={1})"/>
                            <module-option name="roleAttributeID" value="cn"/>
                            <module-option name="roleNameAttributeID" value="cn"/>
                            <module-option name="roleRecursion" value="0"/>
                            <module-option name="throwValidateError" value="true"/>
                            <module-option name="java.naming.referral" value="follow"/>
                            <module-option name="referralUserAttributeIDToCheck" value="uniqueMember"/>
                    </login-module>
            </authentication>
    </security-domain>

Answer 1

Use the Security Vault. You can find a chapter about Password Vaults in the JBoss EAP documentation - the configuration should be the same for WildFly.

In general, you need to do following steps.

1. Create JCEKS keystore with a secret key

keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 \
    -storepass vault22 -keypass vault22 \
    -dname "CN=vault, O=ACME, C=CZ" \
    -keystore /path/to/vault.keystore

2. Create a Vault directory, create the vault itself and put your password into it

mkdir /path/to/vault-data-dir
${JBOSS_HOME}/bin/vault.sh -a passa -b LdapLogin \
    -e /path/to/vault-data-dir \
    -i 22 -k /path/to/vault.keystore -p vault22 -s 87654321 -v vault \
    -x mypassword

3. Configure vault in the WildFly:

${JBOSS_HOME}/bin/jboss-cli.sh \
    -c '/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/path/to/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"),("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/path/to/vault-data-dir/")])'

4. Use the vaulted password in your login module

<module-option name="bindCredential" value="${VAULT::LdapLogin::passa::1}"/>