How to configure secure DB password

How to configure secure DB password

(Based on the information from http://wiki.jboss.org/wiki/Wiki.jsp?page=EncryptingDataSourcePasswords)

1. Create encrypted password
   From command line in the JBoss installation location:

   [Windows]
   $ java -cp "lib/jboss-jmx.jar;lib/jboss-common.jar;server/default/lib/jboss-jca.jar;server/default/lib/jbosssx.jar"
   org.jboss.resource.security.SecureIdentityLoginModule <required_db_password>
   Encoded password: 234a8537d08918bbe8baca2bdb0ac31dc3bc376bef610c0a
   
   [Unix-like]
   $ java -cp "lib/jboss-jmx.jar:lib/jboss-common.jar:server/default/lib/jboss-jca.jar:server/default/lib/jbosssx.jar"
   org.jboss.resource.security.SecureIdentityLoginModule <required_db_password>
   Encoded password: 234a8537d08918bbe8baca2bdb0ac31dc3bc376bef610c0a
   

   Note: <required_db_password> = your database password.
2. Modify pacs-mysql-ds.xml for the database, and can be found in your dcm4chee installation directory under server/default/deploy/pacs-mysql-ds.xml. Note that if you're using a different database, the naming will be slightly different, e.g. pacs-psql-ds.xml.

   <datasources>
    <local-tx-datasource>
     <jndi-name>pacsDS</jndi-name>
     <connection-url>jdbc:mysql://localhost:3306/pacsdb</connection-url>
     <driver-class>com.mysql.jdbc.Driver</driver-class>
   
     <!-- Remove/comment out the username/password information from here -->
     <!-- PART TO BE COMMENTED / REMOVED
       <user-name>username</user-name>
       <password>pw</password>
     -->
   
     <!-- NEWLY INCLUDED PART -->
     <!-- Use the security domain defined in conf/login-config.xml -->
     <security-domain>EncryptDBPassword</security-domain>
   
     <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
    </local-tx-datasource>
   </datasources>
   

3. Modify login-config.xml (server/default/conf/login-config.xml)

   <policy>
     <!-- Example usage of the SecureIdentityLoginModule -->
     <application-policy name="EncryptDBPassword">
       <authentication>
         <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
           <module-option name="username">admin</module-option>
           <module-option name="password">234a8537d08918bbe8baca2bdb0ac31dc3bc376bef610c0a</module-option>
           <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=pacsDS</module-option>
         </login-module>
       </authentication>
     </application-policy>
   </policy>
   

NOTE: The above configuration is for MySQL server. For all other databases, the proper name of the DB's jndi name has to be specified in the name parameter of the managedConnectionFactoryName. Ex: for MS SQL Server, substitute 'MySqlDS' with 'MSSQLDS'.

NOTE: You will need to make the same modifications to your ARR datasource file.
In order to avoid clashes with the pacsDB and ARR settings, you should rename the entries for "<security-domain>EncryptDBPassword</security-domain>" and "<application-policy name="EncryptDBPassword">".
E.g.:

  <security-domain>EncryptDBPasswordARR</security-domain>

and

  <application-policy name="EncryptDBPasswordARR">

Contributors: Vladimir Kleper and Pat Mongkolwat