Password Aliases Overview
By default, passwords within Payara Server are treated like any other property and are stored in plaintext. Passwords stored in plaintext are a security risk, as you can directly read them, unencrypted and unobstructed.
A password alias allows you to have a plaintext reference to an encrypted password stored on the server, with the alias being used wherever the password is needed.
Using a password alias within the Admin Console
To use a password alias, navigate to any configuration view where you would have previously entered a password in plaintext format:
In place of the password, you can enter an alias which corresponds to the password in the form: ${ALIAS=<password-alias-name>}
:
To create a password alias from the admin console, read the instructions detailed here
Using a password alias on the command line
On the command line, when using asadmin
commands where you would previously have entered a password, you can instead enter the password placeholder ${ALIAS=<example-alias-name>}
to avoid having passwords stored in the configuration in plain text.
Here is an example of setting the user’s password for a JDBC connection pool:
asadmin> create-jdbc-connection-pool [...] --property password=${ALIAS=<example-alias-name} [...]
To create a password alias from command line, read the instructions detailed here.
MicroProfile Config support
Password aliases can also be accessed using MicroProfile Config, as detailed here.
Managing Password Aliases through the Admin Console
Here are instructions on managing password aliases through the web administration console.
Creating a password alias
-
To create a new password alias for the domain, select Domain on the page tree, then select the Password Aliases subtab and click the New button:
-
On the next page, enter the name of the alias, and the password, twice:
-
Finally, press the OK button to create your new alias:
Asadmin Commands for Managing Password Aliases
The following is a detailed list of the administration commands that can be used to interact and configure password aliases.
create-password-alias
- Usage
-
asadmin> create-password-alias <alias-name>
- Aim
-
Creates a new password alias using the provided name. The user is then prompted to enter the associated password twice. Password Aliases can also be created non-interactively using a password file.
delete-password-alias
- Usage
-
asadmin> delete-password-alias <alias-name>
- Aim
-
Deletes the specified password alias and password from the server.
list-password-aliases
- Usage
-
asadmin> list-password-aliases
- Aim
-
Lists the password aliases for the domain.