Password Aliases Overview

By default, passwords within Payara Server are treated like any other property and are stored in plaintext. Passwords stored in plaintext are a security risk, as you can directly read them, unencrypted and unobstructed.

A password alias allows you to have a plaintext reference to an encrypted password stored on the server, with the alias being used wherever the password is needed.

Password aliases do not trim leading or trailing whitespace, they are exactly as you input them via the Admin Console, CLI or password file.

Using a password alias within the Admin Console

To use a password alias, navigate to any configuration view where you would have previously entered a password in plaintext format:

Password in plain text

In place of the password, you can enter an alias which corresponds to the password in the form: ${ALIAS=<password-alias-name>}:

Placeholder for Password Alias

To create a password alias from the admin console, read the instructions detailed here

Using a password alias on the command line

On the command line, when using asadmin commands where you would previously have entered a password, you can instead enter the password placeholder ${ALIAS=<example-alias-name>} to avoid having passwords stored in the configuration in plain text.

Here is an example of setting the user’s password for a JDBC connection pool:

asadmin> create-jdbc-connection-pool [...] --property password=${ALIAS=<example-alias-name} [...]

To create a password alias from command line, read the instructions detailed here.

MicroProfile Config support

Password aliases can also be accessed using MicroProfile Config, as detailed here.

Managing Password Aliases through the Admin Console

Here are instructions on managing password aliases through the web administration console.

Creating a password alias

  1. To create a new password alias for the domain, select Domain on the page tree, then select the Password Aliases tab and click the New button:

    Create new password alias
  2. On the next page, enter the name of the alias, and the password, twice:

    Password alias creation
  3. Finally, press the OK button to create your new alias:

    Password alias created

Modifying a password alias

To modify an existing password alias, select it on the Password Aliases page. On the Edit Password Alias page you are able to change the entered password.

Modifying password alias

Deleting a password alias

To delete a password alias, go to the Password Aliases page, tick the checkbox of the password alias you wish to delete and then press the Delete button:

Deleting password alias

Asadmin Commands for Managing Password Aliases

The following is a detailed list of the administration commands that can be used to interact and configure password aliases.

create-password-alias

Usage

asadmin> create-password-alias <alias-name>

Aim

Creates a new password alias using the provided name. The user is then prompted to enter the associated password twice. Password Aliases can also be created non-interactively using a password file.

Command Options

Options Type Description Default Mandatory

--passwordfile

String

Create password from absolute path to file

No

Example

Running the command will display output similar to the example below:

asadmin> create-password-alias example-alias-name
Enter the alias password>
Enter the alias password again>
Command create-password-alias executed successfully.

delete-password-alias

Usage

asadmin> delete-password-alias <alias-name>

Aim

Deletes the specified password alias and password from the server.

Command Options

There are no options available.

Example

Running the command will display output similar to the example below:

asadmin> delete-password-alias example-alias-name
Command delete-password-alias executed successfully.

list-password-aliases

Usage

asadmin> list-password-aliases

Aim

Lists the password aliases for the domain.

Command Options

There are no options available.

Example

Running the command will display output similar to the example below:

asadmin> list-password-aliases
example-alias-name
another-example-alias
Command list-password-aliases executed successfully.

update-password-alias

Usage

asadmin> update-password-alias <alias-name>

Aim

Updates the password associated with the given alias. Passwords can also be updated non-interactively using a password file.

Command Options

There are no options available.

Example

asadmin> update-password-alias example-alias-name
Enter the alias password>
Enter the alias password again>
Encrypted password for the alias example-alias-name updated successfully
Command update-password-alias executed successfully.