Securing the passwords in standalone.xml

By default, the passwords in standalone.xml, the JBoss configuration file located in the RapidMiner Server home directory, are saved as plaintext. To secure these passwords, you must take additional steps, described below.

The standard vault solution provided by JBoss encrypts passwords using a private key and stores them in a secure vault file. The vault tool can be found at the following location:

  • <RapidMiner Server installation path>/bin/ (Linux)
  • <RapidMiner Server installation path>/bin/vault.bat (Windows)

For additional information, see the JBoss documentation or the JBoss documentation for Windows.

Create a Java keystore

To encrypt the passwords, the first step is to create a Java keystore to store the encryption key. The key will then be used to encrypt the vault. We’ll use the keytool command located in your $JAVA_HOME/bin folder. You can use the following command:

    keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -keystore /root/securefolder/vault.jks -storepass rapidminer -keypass rapidminer -dname "CN=MyName, OU=MyTeam, O=MyOrganization, L=MyLocation, ST=MyCity, C=US"

Please note that:

  • the storetype should be "jceks".
  • the keystore, set to /root/securefolder/vault.jks in the example above, is any file name in a path that is accessible to the user running RapidMiner Server.
  • storepass and keypass must be the same, because the vault tool requires it.
  • the keysize should be 128 bits if the Java Cryptography Extension (JCE) is not installed. Alternatively, you can install the JCE and use 256 bits.
  • alias is an arbitrary word, set to "vault" in the example. It identifies the private key entry in the keystore that is used for the encryption.
  • the dname parameter contains organizational data like name, location, city, country, etc.

Use the Vault Tool scripts to store a password in the vault

Once we have the private key, we can create the vault (the encrypted password database) using the command line tool ( or vault.bat). The execution is interactive and it will request the location of the keystore (the path /root/securefolder/vault.jks in the example above), the alias (“vault” in our example), its password, and a folder where the vault file will be stored. After providing this data, you can manage the passwords.

It’s also possible to create the vault and add a password in a non-interactive way:

    bin/ -k /root/securefolder/vault.jks -p passwordForTheVault -e /root/securefolder -i 50 -s 12345678 -v vault -b blockName -a attributeName -x thisIsThePassword

The -s parameter is a “salt” (a seed) needed for the encryption and -v is the alias. The block and the attribute will later identify your password.

During the creation of the vault, you will get configuration fragments like this:

Please take note of the following:

Masked Password: MASK-1v6/ARucwcWaCt1l2FkYSH
Iteration Count:50

and this:

Please take note of the following:

Vault Block:blockName
Attribute Name:mysql
Configuration should be done as follows:

Copy the output to the standalone.xml file

The output should be copied into the standalone.xml configuration file (<home directory>/configuration/standalone.xml) in the following way:

  <vault-option name="KEYSTORE_URL" value="/root/vault/vault.jks"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-1v6/ARucwcWaCt1l2FkYSH"/>
  <vault-option name="KEYSTORE_ALIAS" value="vault"/>
  <vault-option name="SALT" value="12345678"/>
  <vault-option name="ITERATION_COUNT" value="50"/>
  <vault-option name="ENC_FILE_DIR" value="/root/vault/"/>

Every time a password is required in standalone.xml, you should replace it by a token such as the one that appears above, as follows: