Finally spent a good chunk of time and sorted out the word stew around
admin passwords, mapped passwords, user passwords, password files, password
aliases, etc. etc.
If I'm understanding correctly, in any configuration or password file
anywhere (that I might supply to asadmin via the --password file option),
or in arguments passed to, say, create-jdbc-connection-pool, I can
substitute tokens of the form:
${ALIAS=some-password-alias-name}
...where I would otherwise simply put a plaintext password value, and
assuming that I've created a password alias (using asadmin
create-password-alias some-password-alias-name) and set its value to the
"real" password, then the "real" password will be decrypted and used
instead, as though it had been typed directly into the file instead of the
${ALIAS=some-password-alias-name} token.
Is this look-up-the-real-value-from-an-encrypted-store functionality tied
to certain hard-wired properties (e.g. ones named "password", or...who
knows), or is it a general-purpose substitution mechanism?
Could I, for example, use it for hostnames (no idea why I would; just
curious as to the mechanism involved)? Could I, for example, set up a JDBC
connection pool whose databaseName property was set to
${ALIAS=some-database-name-alias}? Or does the aliasing mechanism somehow
"know" about "password" properties and is only invoked then?
The other question I had was more chicken-and-egg related.
This article (
http://kalali.me/learning-glassfish-v3-command-line-administration-interface-cli/)
indicates that one could set up password aliases for use inside password
files.
So instead of typing this in a passwords.txt file somewhere:
AS_ADMIN_ADMINPASSWORD=fred
...I could do this:
AS_ADMIN_ADMINPASSWORD=${ALIAS=flintstone}
...and assuming I created a password alias whose name was flintstone and
whose value was fred, then everything would just work.
The article also indicated I could do this with the master password.
(Well, actually it was a little confusing. The text in question says this:
"Password aliasing is not present just for external resources, but it can
be used to protect the content of the password file which contains
administration and master password for using instead of typing the password
when the asadmin interactively asks for it. We can simply create a
password alias for administration password and for the master password and
use them in password file. Sample content for a password file with aliased
password is like.
AS_ADMIN_PASSWORD=${ALIAS=admin-alias}
AS_ADMIN_MAPPEDPASSWORD=${ALIAS=master-alias}"
(The confusing part is that Masoud has said "master" everywhere, but then
the line that uses the master-alias is actually AS_ADMIN_MAPPEDPASSWORD. I
didn't think mapped passwords (used by the create-connector-security-map
command, as mentioned here:
http://docs.oracle.com/cd/E18930_01/html/821-2433/asadmin-1m.html) had
anything to do with the master password.)
Anyway, assuming this was a typo and AS_ADMIN_MAPPEDPASSWORD should have
been AS_ADMIN_MASTERPASSWORD, I thought the master password was what
encrypted the password store in the first place. So the article says (with
the corrected (assumed) typo) I could do:
AS_ADMIN_MASTERPASSWORD=${ALIAS=master-alias}
...but in order for the asadmin command line utility to even process this
alias it...would have to know the master password, right? (I guess there
would be no HARM in doing this, it would just be redundant.)
Thanks for verifying my understanding here. I just like to know how the
magic works. :-)
Best,
Laird
--
http://about.me/lairdnelson