Enhancement Request: Wildfly TrustStore - Remove Hard-coded Password to View TrustStore For Startup

Alan Baugher
07-22-2019 12:17 PM


1- The JDK JKS truststore requires a password to add / update the objects within.
2- The JDK JKS truststore does NOT require a password to view the objects.
   - However, a password prompt will appear, but the API for the JKS will accept a NULL entry.

CA Identity Manager r14.1 stores the JKS password in clear-text within ca-standalone-full-ha.xml

<keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" keystore-password="changeit"/>

Also impacts CA Identity Governance and CA Identity Portal

-  Audit, security, and compliance risk.


- Update the CA Identity Suite solution - CA Identity Manager, CA Identity Governance, CA Identity Portal - to start up the solutions without the "hard-coded" default password of "changeit" (or other password if changed by an administrator) from the Wildfly configuration file: ca-standalone-full-ha.xml

1) Recommendation - Use the API to send a NULL to the VIEW of the truststore.

Example to showcase that the truststore does NOT require a password to VIEW data.
keytool -v -list -storetype jks -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv < /dev/null

2) Alternative: Document process and/or add feature to use a local file to mask the password.

Example to use local file to mask the password.
echo changeit > /tmp/secure_filename
keytool -v -list -storetype jks -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv -storepass:file /tmp/secure_filename

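The two recommendations above rest on one JDK behaviour: KeyStore.load() accepts a null password for a JKS file, while KeyStore.store() does not. The following program is an added example written for this page; it is not CA / Broadcom code and it does not touch the product's caim-srv file. It builds an empty JKS store in memory with the same default password the request quotes ("changeit"), opens it read-only with a null password, and then shows the caveat a defender should weigh before adopting recommendation 1: with a null password the JDK skips the keyed integrity digest at the end of the file, so a tampered trust store loads without any error, whereas the password-file variant (recommendation 2, the same idea as keytool's -storepass:file) keeps that check. The temporary password file and its contents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;

public class TrustStoreReadOnly {

    // Build an empty JKS store in memory, protected with the default password quoted on the page.
    // A real deployment would instead read the file named by the keystore path attribute
    // in ca-standalone-full-ha.xml; this in-memory store is a constructed stand-in.
    static byte[] buildEmptyJks(char[] storePassword) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                        // create a new, empty store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePassword);               // store() DOES require a password
        return out.toByteArray();
    }

    // Read-only open: KeyStore.load() accepts a null password for JKS (recommendation 1).
    // Caveat: with null the JDK does not verify the SHA-1 integrity digest that trails the
    // entries, so a modified trust store is accepted silently.
    static List<String> listAliases(byte[] jksBytes, char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new ByteArrayInputStream(jksBytes), storePassword);
        return Collections.list(ks.aliases());
    }

    // Recommendation 2: keep the password in a separately permissioned file instead of a
    // clear-text attribute, and read it at startup (same idea as keytool -storepass:file).
    static char[] readPasswordFile(Path passwordFile) throws IOException {
        String s = Files.readString(passwordFile, StandardCharsets.UTF_8);
        return s.strip().toCharArray();             // drop the trailing newline that echo leaves behind
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();       // constructed sample, same default as the page
        byte[] store = buildEmptyJks(pw);

        System.out.println("aliases with password: " + listAliases(store, pw));
        System.out.println("aliases with null:     " + listAliases(store, null));

        // Flip one byte of the trailing digest to simulate a tampered trust store.
        byte[] tampered = store.clone();
        tampered[tampered.length - 1] ^= 0x01;

        try {
            listAliases(tampered, pw);
            System.out.println("password load: unexpectedly accepted tampered store");
        } catch (IOException | GeneralSecurityException e) {
            System.out.println("password load: rejected -> " + e.getMessage());
        }
        System.out.println("null load:     accepted tampered store, aliases="
                + listAliases(tampered, null));

        // Password-file variant: the file holds the secret, the XML does not.
        Path pwFile = Files.createTempFile("secure_filename", ".txt");
        try {
            Files.writeString(pwFile, "changeit\n");    // constructed, mirrors the echo example
            System.out.println("aliases via password file: "
                    + listAliases(store, readPasswordFile(pwFile)));
        } finally {
            Files.deleteIfExists(pwFile);
        }
    }
}
```

Run with any JDK 11 or later (javac TrustStoreReadOnly.java && java TrustStoreReadOnly). The run shows that the same store lists its aliases with the password, with null, and with the password read from a file, and that only the null-password open accepts the tampered copy. The practical consequence for the request is that recommendation 1 removes the secret from the XML but also removes the trust store's built-in integrity check, so file ownership and permissions on the caim-srv path then carry that burden alone; recommendation 2 removes the secret from the XML while keeping the check.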

25 days ago

Hi Alan,

Do you think the following links are useful? To use a vault and masked password in standalone.xml:


27 days ago


REF #1. CA PIM (aka Access Control aka ControlMinder) documentation.
Description of the process used to encrypt the keystore password.
ControlMinder used the CA IdentityMinder EAR to provide a new UI for this solution. CA IdentityMinder is the earlier version of CA IdentityManager, and now Layer7 Identity Management.


14. Add the following mbean between the <server> and </server> tags:
<mbean code="" name="">
<arg type="java.lang.String" value="encrypt-keystore-password"></arg>
<attribute name="Salt">welcometojboss</attribute>
<attribute name="IterationCount">13</attribute>

REF #2: Encrypting the keystore password in Tomcat (similar to reference #1)