LiveCycle - Encrypting Cleartext JBoss Data Source Passwords


DBAs and JBoss system administrators are wary of having the password to the LiveCycle database in cleartext in the data source configuration XML file. JBoss provides instructions on how to use it in encrypted form.

1) Encrypt database password
The following command will encrypt the password "lc_password":
java -cp C:\Programs\jboss_es2\lib\jboss-common.jar;C:\Programs\jboss_es2\lib\jboss-jmx.jar;C:\Programs\jboss_es2\server\lc_mysql\lib\jbosssx.jar;C:\Programs\jboss_es2\server\lc_mysql\lib\jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule lc_password
Obviously, you should replace the paths to the JAR files with yours. In the above example, the JBoss configuration is "lc_mysql".
If successful, you should get a response like the following:
Encoded password: -2d19d44d319c1d9e008fba5553e14ea0

2) Create new Application Policy
Edit the %JBOSS_HOME%\server\lc_mysql\conf\login-config.xml file and create a new application policy that would look something like this.

3) Configure data source with the new Application Policy
Replace the following:
<user-name>lc_db_usr</user-name>
<password>password</password>
with this:
<security-domain>EncryptDBPasswordAppPolicy</security-domain>
where "EncryptDBPasswordAppPolicy" is the name of the 'application policy' you created in %JBOSS_HOME%\server\\conf\login-config.xml

This has been tested to work with MySQL. Your mileage with Oracle, SQL Server, etc. may vary.
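
A check for the result of steps 1 to 3, added here as an example and not code from the original post: it flags data sources that still carry a cleartext <password> and policies whose managedConnectionFactoryName names a different data source than the one using them (the mismatch raised in the comments below). The sample XML is constructed, the module-option names are the standard JBoss ones, and the function name audit is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from the page); names follow JBoss conventions.
SAMPLE_DS = """<datasources>
  <local-tx-datasource>
    <jndi-name>IDP_DS</jndi-name>
    <security-domain>EncryptDBPasswordAppPolicy</security-domain>
  </local-tx-datasource>
  <local-tx-datasource>
    <jndi-name>EDC_DS</jndi-name>
    <user-name>lc_db_usr</user-name>
    <password>password</password>
  </local-tx-datasource>
</datasources>"""
SAMPLE_LOGIN = """<policy>
  <application-policy name="EncryptDBPasswordAppPolicy"><authentication>
    <login-module flag="required"
        code="org.jboss.resource.security.SecureIdentityLoginModule">
      <module-option name="username">lc_db_usr</module-option>
      <module-option name="password">-2d19d44d319c1d9e008fba5553e14ea0</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
    </login-module>
  </authentication></application-policy>
</policy>"""

def audit(ds_xml, login_xml):
    """Return (jndi_name, issue) pairs for every data source in ds_xml."""
    targets = {}  # policy name -> data source named in managedConnectionFactoryName
    for pol in ET.fromstring(login_xml).iter("application-policy"):
        opts = {o.get("name"): (o.text or "").strip() for o in pol.iter("module-option")}
        m = re.search(r"[:,]name=([^,]+)", opts.get("managedConnectionFactoryName", ""))
        targets[pol.get("name")] = m.group(1) if m else None
    issues = []
    # Only children that declare a <jndi-name> are data sources (skips mbeans).
    for ds in ET.fromstring(ds_xml).findall("*[jndi-name]"):
        jndi = (ds.findtext("jndi-name") or "?").strip()
        domain = (ds.findtext("security-domain") or "").strip()
        if ds.find("password") is not None:
            issues.append((jndi, "cleartext <password> element"))
        if not domain:
            issues.append((jndi, "no <security-domain>"))
        elif domain not in targets:
            issues.append((jndi, "policy missing from login-config.xml"))
        elif targets[domain] != jndi:
            issues.append((jndi, f"policy targets name={targets[domain]}"))
    return issues

if __name__ == "__main__":
    print(audit(SAMPLE_DS, SAMPLE_LOGIN))
```

SecureIdentityLoginModule encodes with a key built into the class, so the value in login-config.xml is obfuscated rather than secret; keep that file readable only by the account that runs JBoss.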

3 Comments

Hi,

I have just achieved this with Oracle. It's not obvious from the error messages you will get, but the trick is that you will need to create three different security domain policies. These are to reflect the different JNDI names used: DefaultDS, IDP_DS and EDC_DS. The corresponding local-tx datasource would have to use the correct one.

Nick

Hi Jayan,

Thanks for your post on how to remove the clear text passwords from adobe-ds.xml. I ran into a snag when I did it though. Your snippet includes the line
jboss.jca:service=LocalTxCM,name=DefaultDS

Note the part about name=DefaultDS. This won't work unless you specify the same data source name that's noted in adobe-ds.xml. Namely IDP_DS. There are two others as well, called EDC_DS and com.celequest.metadata.metaDatasource. I didn't bother with those. I assume the latter is for BAM, which I'm not using. Do you know what the other one is (EDC_DS)? Thanks.

Jared

This page contains a single entry by Jayan Kandathil published on October 26, 2009 3:51 PM.