On 3/20/2012 1:18 PM, Laird Nelson wrote:
> Finally spent a good chunk of time and sorted out the word stew around
> admin passwords, mapped passwords, user passwords, password files,
> password aliases, etc. etc.
>
> If I'm understanding correctly, in any configuration or password file
> anywhere (that I might supply to asadmin via the --password file
> option), or in arguments passed to, say, create-jdbc-connection-pool,
> I can substitute tokens of the form:
>
> ${ALIAS=some-password-alias-name}
>
> ...where I would otherwise simply put a plaintext password value, and
> assuming that I've created a password alias (using asadmin
> create-password-alias some-password-alias-name) and set its value to
> the "real" password, then the "real" password will be decrypted and
> used instead, as though it had been typed directly into the file
> instead of the ${ALIAS=some-password-alias-name} token.
>
> Is this look-up-the-real-value-from-an-encrypted-store functionality
> tied to certain hard-wired properties (e.g. ones named "password",
> or...who knows), or is it a general-purpose substitution mechanism?
It is a general-purpose substitution mechanism that works on any
attribute in the domain.xml. If you are interested in the details, there
is a GlassFish source file called TranslatedConfigView.java that does
the substitution.
>
> Could I, for example, use it for hostnames (no idea why I would; just
> curious as to the mechanism involved)?
Yes.
> Could I, for example, set up a JDBC connection pool whose databaseName
> property was set to ${ALIAS=some-database-name-alias}?
Yes.
> Or does the aliasing mechanism somehow "know" about "password"
> properties and is only invoked then?
No.
Note that alias substitution has to be for the whole value, i.e.,
value="abc${ALIAS=analias}xyz"
will not work.
>
> The other question I had was more chicken-and-egg related.
>
> This article
> (http://kalali.me/learning-glassfish-v3-command-line-administration-interface-cli/)
> indicates that one could set up password aliases for use inside
> password files.
>
> So instead of typing this in a passwords.txt file somewhere:
>
> AS_ADMIN_ADMINPASSWORD=fred
>
> ...I could do this:
>
> AS_ADMIN_ADMINPASSWORD=${ALIAS=flintstone}
>
> ...and assuming I created a password alias whose name was flintstone
> and whose value was fred, then everything would just work.
>
> The article also indicated I could do this with the master password.
> (Well, actually it was a little confusing. The text in question says
> this:
>
> "Password aliasing is not present just for external resources, but it
> can be used to protect the content of the password file which contains
> administration and master password for using instead of typing the
> password when the asadmin interactively asks for it. We can simply
> create a password alias for administration password and for the master
> password and use them in password file. Sample content for a password
> file with aliased password is like.
>
> |AS_ADMIN_PASSWORD=${ALIAS=admin-alias}|
>
> |AS_ADMIN_MAPPEDPASSWORD=${ALIAS=master-alias}"|
>
>
> (The confusing part is that Masoud has said "master" everywhere, but
> then the line that uses the master-alias is actually
> AS_ADMIN_MAPPEDPASSWORD. I didn't think mapped passwords (used by the
> create-connector-security-map command, as mentioned here:
> http://docs.oracle.com/cd/E18930_01/html/821-2433/asadmin-1m.html) had
> anything to do with the master password.)
>
> Anyway, assuming this was a typo and AS_ADMIN_MAPPEDPASSWORD should
> have been AS_ADMIN_MASTERPASSWORD, I thought the master password was
> what encrypted the password store in the first place. So the article
> says (with the corrected (assumed) typo) I could do:
>
> AS_ADMIN_MASTERPASSWORD=${ALIAS=master-alias}
>
> ...but in order for the asadmin command line utility to even process
> this alias it...would have to know the master password, right? (I
> guess there would be no HARM in doing this, it would just be redundant.)
Yes, you are correct. The two passwords that cannot be aliased in a
password file are the AS_ADMIN_PASSWORD and AS_ADMIN_MASTERPASSWORD,
because you have to authenticate with the server (the first one) and be
able to open the domain-passwords file (the second one) in order to do
password aliasing.
Tom
>
> Thanks for verifying my understanding here. I just like to know how
> the magic works. :-)
>
> Best,
> Laird
>
> --
> http://about.me/lairdnelson
>