LiveCycle – Encrypting Cleartext JBoss Data Source Passwords

DBAs and JBoss system administrators are weary of having the password to the LiveCycle database in cleartext in the data source configuration XML file. JBoss provides instructions here on how to use it in encrypt form.

1) Encrypt database password
The following command will encrypt the password “lc_password”:
java -cp C:\Programs\jboss_es2\lib\jboss-common.jar;C:\Programs\jboss_es2\lib\jboss-jmx.jar;C:\Programs\jboss_es2\server\lc_mysql\lib\jbosssx.jar;C:\Programs\jboss_es2\server\lc_mysql\lib\jboss-jca.jar lc_password.
Obviously, you should replace the paths to the JAR files with yours. In the above example, the JBoss configuration is “lc_mysql
If successful, you should get a response like as follows:
Encoded password: -2d19d44d319c1d9e008fba5553e14ea0

2) Create new Application Policy
Edit the %JBOSS_HOME%\server\lc_mysql\conf\login-config.xml file and create a new application policy that would look something like this. For Oracle, the application policy to comment out would be the “OracleDbRealm” policy.

Please note that for every one of your data sources, the policy name (EncryptDBPasswordAppPolicy) needs to unique (such as EncryptDBPasswordAppPolicy1, EncryptDBPasswordAppPolicy2, EncryptDBPasswordAppPolicy3 etc.)

3) Configure data source with the new Application Policy
Replace the following:
with this:
where “EncryptDBPasswordAppPolicy” is the name of the ‘application policy’ you created in %JBOSS_HOME%\server\\conf\login-config.xml

This has been tested to work with MySQL and Oracle. Your mileage with SQL Server etc may vary.

VN:F [1.9.22_1171]
Was this helpful? Please rate the content.
Rating: 10.0/10 (1 vote cast)
LiveCycle - Encrypting Cleartext JBoss Data Source Passwords, 10.0 out of 10 based on 1 rating
This entry was posted in Adobe LiveCycle ES, Adobe LiveCycle 7.x, General Interest and tagged . Bookmark the permalink.

4 Responses to LiveCycle – Encrypting Cleartext JBoss Data Source Passwords

  1. Nicholas Tettenborn says:

    Hi,I have just achieved this with Oracle. It’s not obvious from the error messages you will get but the trick is that you will need to create three different security domain policies. These are to reflect the different jndi names used DefaultDS, IDP_DS and EDC_DS. The corresponding local-tx datasource would have to the correct one.Nick

  2. Jared Langdon says:

    Hi Jayan,Thanks for your post on how to remove the clear text passwords from adobe-ds.xml. I ran into a snag when I did it though. Your snippet includes the linejboss.jca:service=LocalTxCM,name=DefaultDSNote the part about name=DefaultDS. This won’t work unless you specify the same data source name that’s noted in adobe-ds.xml. Namely IDP_DS. There are two others as well, called EDC_DS and com.celequest.metadata.metaDatasource. I didn’t bother with those. I assume the latter is for BAM, which I’m not using. Do you know what the other one is (EDC_DS)? Thanks.Jared

  3. Jayan Kandathil says:

    Hi Jared:Yes, com.celequest.metadata.metaDatasource defines a JDBC connection pool exclusively for BAM. You can delete it if the particular JBoss instance does not host BAM. BAM is very heavy in its resource needs, especially memory. It should be hosted in a separate JBoss instance on a separate physical server or vitual instance.EDC_DS defines a separate JDBC connection pool exclusively for Rights Management.As Nicholas discovered, for Oracle you need to explicity define separate security realms in the login-config.xml for each and every one of your data sources (DefaultDS, IDP_DS and EDC_DS).

  4. Mick Lerlop says:

    For ADEP, it’s jboss> java -cp lib/jboss-logging-spi.jar;lib/jb
    osssx.jar password