Added a blog post about adding integrity checking to an existing filesystem realm using the elytron tool #2037
Conversation
:toc: macro
:toc-title:

WildFly 27 included the ability to add integrity on FileSystem realms. This uses an asymmetric keyPair that has a private and public key to secure the filesystem realm. In the filesystem realm, each identity will be signed using the private key. This makes it possible to verify that identities in the realm haven't been tampered with.
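Review bot: the tamper-detection claim in this paragraph depends on the private key staying out of reach of anyone who can write to the realm directory, and the post does not say so; suggest adding a sentence that the keystore holding the key pair needs at least as much protection as the realm itself, since whoever holds the private key can re-sign a modified identity and the signature check will still pass.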
s/integrity on FileSystem realms/integrity checking support to filesystem realms
s/keyPair/key pair
Fixed!
toc::[]

https://wildfly-security.github.io/wildfly-elytron/blog/filesystem-integrity/[A previous blog post] demonstrates how to create a filesystem realm and secure it using the elytron subsystem. This blog post will demonstrate how to take an existing filesystem realm and add integrity checking to it using the WildFly Elytron Tool. In this post we will go through an example of converting an unencrypted filesystem realm to one with integrity enabled and then we will try accessing a web application that is secured with the new filesystem realm.
s/create a filesystem realm and secure it using the elytron subsystem/create a filesystem realm with encryption enabled using the Elytron subsystem
I think it would be good to move this block above the toc so it's part of the intro section.
Fixed!
I changed it to "demonstrates how to enable integrity support on a filesystem realm using the Elytron subsystem" since I was talking about this (https://wildfly-security.github.io/wildfly-elytron/blog/filesystem-integrity/) blog.
Now we can deploy and access the application and log in using the credentials for quickstartUser. However, without any integrity checking, anyone with access to the contents of the filesystem realm can tamper with it. So, let's add integrity checking for this filesystem realm.

== Adding Integrity Checking
In order to access the elytron tool, we can use the following command:
To create a new filesystem realm based off our existing one but with the integrity support enabled, we can use the following Elytron Tool command:
fixed!
```
./bin/elytron-tool.sh filesystem-realm-integrity --input-location WILDFLY_HOME/standalone/configuration/fs-realm --output-location WILDFLY_HOME/standalone/configuration/fsRealmWithIntegrity --keystore PATH/TO/KEYSTORE/FILE --password password --key-pair key --summary
```

Here the `input-location` option refers to the path to the filesystem realm directory, the `output-location` refers to the new filesystem realm to be created. The `keystore` option specifies the location for the keystore file, `password` refers to the password for the keystore and `key-pair` refers to the alias of the key that uniquely identified the key pair we are looking for inside the keystore. The `summary` option is added so that when the new filesystem is created, we can see the details of what is being done. The keystore can be created in one of two ways:
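Review bot: the example command passes the keystore password in cleartext via `--password password`, and the explanation below it does not mention the consequence; suggest noting that the value lands in shell history and is visible in process listings while the tool runs, so readers converting a production realm should clear it from history afterwards or avoid putting the real password on the command line.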
`input-location` option refers to the path to the existing filesystem
s/identified/identifies
fixed!
== Summary

This blog post shows how to add integrity checking to an existing filesystem realm using an asymmetrical keypair and the WildFly Elytron tool. We also looked at how we can convert multiple filesystem realms using the `bulk-convert` option. Please note that in addition to elytron-tool.sh, the WildFly package also comes with `elytron-tool.bat` and `elytron-tool.ps1` scripts. For more information on the different options available for the elytron-tool, you can use the `--help` option. To learn more about the filesystem-security-realm, please refer to the https://docs.wildfly.org/30/WildFly_Elytron_Security.html#filesystem-security-realm[WildFly documentation].
s/shows/has shown
s/the WildFly package/WildFly also ships with
fixed!
Thanks for going through it and for adding the comments!
Great post @PrarthonaPaul! I've added some small comments.
The successful login indicates that integrity has been configured correctly.

In order to further verify that these features are being used correctly we can navigate to the identity file and check the contents. The file should be located at WILDFLY_HOME/standalone/configuration/fs-realm/q/u/quickstartuser-<hashed username>.xml if the same filesystem realm and identity configuration was used.
Hi @PrarthonaPaul, I think this realm named fs-realm with path WILDFLY_HOME/standalone/configuration/fs-realm was not modified to have integrity check, right? The identities with integrity check are in path WILDFLY_HOME/standalone/configuration/fsRealmWithIntegrity and not WILDFLY_HOME/standalone/configuration/fs-realm/q/u/...
I mean if a person follows this blog post then the identities with integrity signature are in the fsRealmWithIntegrity subfolder.
oh yes, you are right.
I have updated it. Thanks for catching it!
== Summary

This blog post has shown how to add integrity checking to an existing filesystem realm using an asymmetrical key pair and the WildFly Elytron tool. We also looked at how we can convert multiple filesystem realms using the `bulk-convert` option. Please note that in addition to elytron-tool.sh, WildFly also ships with `elytron-tool.bat` and `elytron-tool.ps1` scripts. For more information on the different options available for the elytron-tool, you can use the `--help` option. To learn more about the filesystem-security-realm, please refer to the https://docs.wildfly.org/30/WildFly_Elytron_Security.html#filesystem-security-realm[WildFly documentation].
Just a minor, s/filesystem-security-realm/filesystem-realm or s/filesystem-security-realm/filesystem security realm
Fixed!
Thank you!
Thanks @PrarthonaPaul !
title: 'Adding Support for Integrity Checking to an Existing
Filesystem Realm'
date: 2023-10-24
tags: filesystem integrity filesystem-realm
@PrarthonaPaul Just a total minor, we can add the tag tool as well, so it shows here: https://prarthonapaul.github.io/wildfly-elytron/blog/tag/tool/
Fixed!
Thank you for pointing it out.
Thanks for the updates @PrarthonaPaul! @Skyllarr Please review, thanks!
layout: post
title: 'Adding Support for Integrity Checking to an Existing
Filesystem Realm'
date: 2023-10-30
@PrarthonaPaul just a minor, please put a today's date here and I will merge. Thanks!
https://prarthonapaul.github.io/wildfly-elytron/blog/filesystem-integrity-elytron-tool/