Keytool command to add a PasswordCredential to elytron keystore?


I'm running a JBOSS EAP 7.3 server and trying to add a private key to the elytron keystore. The following works:

$JBOSS_HOME/bin/jboss-cli.sh --connect --command=/subsystem=elytron/credential-store=keystore:add-alias(alias='keyalias', secret-value='password')

But the issue here is the password is shown in plain text on the command line. I attempted to manually add the key using the keytool command:

keytool -importpass -alias 'keyalias' -v -keystore $JBOSS_HOME/keystore.p12 -storetype pkcs12

Which then prompts me to enter the keystore password and the key as I want, but trying to reference this key in the server results in the following error:

{ "outcome" => "failed", "failure-description" => {"WFLYCTL0080: Failed services" => { Caused by: org.jboss.as.controller.OperationFailedException: WFLYELY00920: Credential alias 'keyalias' of credential type 'org.wildfly.security.credential.PasswordCredential' does not exist in the store [ \"WFLYELY00920: Credential alias 'keyalias' of credential type 'org.wildfly.security.credential.PasswordCredential' does not exist in the store\" ]"}}, "rolled-back" => true, "response-headers" => {"process-state" => "reload-required"} }

Is it possible to add elytron keys via the keystore tool? Or is it possible to add the key in a way such that the plaintext value isn't exposed on the command line? I'm new to JBOSS and having trouble finding resources on this particular topic. Thanks.

2

There are 2 answers

0
Elkip On BEST ANSWER

I think JBOSS does additional changes to the stored values, so it is not possible to use the KeyTool.
If you're only concerned about the plaintext showing up in the shell history, you could use a HISTIGNORE environment variable to ignore commands that relate to showing passwords. At least then there won't be plaintext passwords in the history.
Hope this helps!

0
Ewoks On

You could use elytron-tool.sh with a masked password, or even not provide the password with the command at all, and the prompt will ask for it.
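The following is an added example, not code from either answer or from the JBoss project, that ties the two answers together for the jboss-cli route: the secret is read from a no-echo prompt and handed to jboss-cli through a private script file (`--file=`), so it never appears in shell history or in the process listing that `ps` shows other local users. It assumes `JBOSS_HOME` is set and that the credential store is named `keystore` as in the question; `JBOSS_CLI` is a hypothetical override for the CLI path.

```shell
#!/usr/bin/env bash
# Added example: add a PasswordCredential alias to an Elytron credential store
# without placing the secret on the jboss-cli command line.
set -eu

# Build the CLI operation string, using the same quoting as the question's
# --command form. Caveat: a secret containing a single quote would need
# additional escaping before being embedded here.
build_add_alias_op() {
    local store="$1" alias="$2" secret="$3"
    printf "/subsystem=elytron/credential-store=%s:add-alias(alias='%s', secret-value='%s')\n" \
        "$store" "$alias" "$secret"
}

# Write the operation to a private temporary file (mode 0600). jboss-cli reads it
# with --file=, so the secret is never part of any process's argument list.
# Prints the path of the file.
write_cli_script() {
    local op="$1" f
    f="$(mktemp "${TMPDIR:-/tmp}/add-alias.XXXXXX")"
    chmod 0600 "$f"
    printf '%s\n' "$op" > "$f"
    printf '%s\n' "$f"
}

# Prompt for the secret with echo disabled, run the operation, then remove the
# script file even if jboss-cli fails.
add_credential_interactively() {
    local store="$1" alias="$2" secret script
    read -r -s -p "Secret for alias '$alias': " secret; echo
    [ -n "$secret" ] || { echo "empty secret, aborting" >&2; return 1; }
    script="$(write_cli_script "$(build_add_alias_op "$store" "$alias" "$secret")")"
    trap 'rm -f "$script"' EXIT
    "${JBOSS_CLI:-$JBOSS_HOME/bin/jboss-cli.sh}" --connect --file="$script"
    rm -f "$script"; trap - EXIT
}

# Usage: add_credential_interactively keystore keyalias
```

The HISTIGNORE suggestion from the accepted answer still applies for any ad-hoc `--command=` invocations you type by hand.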