
Using a batch file and a cli file to update and encrypt a password in Wildfly 26.0.0 Final


To get this exercise done, I have to go modify and encrypt (given the user's input) the password in the security / password part of the standalone.xml.

My initial approach was something like this, but I was always met with errors like "Duplicate resources", "No resource definition is registered for address" and others.

@echo off

REM Read user input for new database password
set /p new_password="Enter new database password: "

REM Check if the alias exists
echo /subsystem=elytron/credential-store=mycredstore:read-resource(recursive=true) > update_password.cli
REM Remove the newDbPassword alias from the credential store
echo /subsystem=elytron/credential-store=mycredstore/alias=newDbPassword:remove >> update_password.cli
REM Encrypt new password and add to credential store
echo /subsystem=elytron/credential-store=mycredstore:add-alias(alias=newDbPassword, secret-value=%new_password%) >> update_password.cli
REM Update dbPassword alias to reference new password
echo /subsystem=elytron/credential-store=mycredstore/alias=dbPassword:remove >> update_password.cli
echo /subsystem=elytron/credential-store=mycredstore:add-alias(alias=dbPassword, credential-reference={store=mycredstore, alias=newDbPassword}) >> update_password.cli
REM Remove the newDbPassword alias from the credential store
echo /subsystem=elytron/credential-store=mycredstore/alias=newDbPassword:remove >> update_password.cli
REM "call" is needed so control returns to this script after jboss-cli.bat finishes
call C:\Wildfly\bin\jboss-cli.bat --connect --file=update_password.cli

REM Restart WildFly server
net stop WildFly
net start WildFly

I'm not that sharp in Wildfly, so it's turning into a really difficult thing to finish.


Solution

  • I'll mostly pull from the credential store Elytron docs.

    • For the script itself, it's easier to debug when run as a batch. You can echo batch at the start and run-batch at the end, and if there is an error it will indicate which line caused it (example file). Additionally, any changes will be rolled back if something fails, so you don't have a broken state.
    • To check if an alias exists, use the command in the external elytron-tool.bat, in the same folder as jboss-cli.bat (docs). This can't be used in a CLI script, but could be parsed for a batch script (non-zero return code when it doesn't exist). I'll include the command below.
    • credential-store=?:add-alias doesn't accept expressions as input (model reference), so you can't reference another value in the credential store. Even if it did work, the commands to update the alias would theoretically encrypt the values twice, causing other references to break. It's easier to just replace the dbPassword value directly.
    • Aliases don't appear as nested resources within a credential store, but are more like attributes. There is a remove-alias command for doing so.

    Here's a modified script that should work better (although I'm not as familiar with batch, so there might be some errors):

    @echo off
    
    REM Read user input for new database password
    set /p new_password="Enter new database password: "
    
    REM Check if the alias exists ("call" so the script continues after the called .bat returns)
    call C:\Wildfly\bin\elytron-tool.bat credential-store --location C:\PATH\TO\mycredstore.cs --password credStorePassword --exists DbPassword
    if %ERRORLEVEL% EQU 6 (
        echo Password not updated, alias DbPassword does not exist.
        exit /b 6
    )
    if %ERRORLEVEL% NEQ 0 (
        echo Unexpected error, password not updated
        exit /b %ERRORLEVEL%
    )
    
    REM Run CLI commands as a batch
    echo batch > update_password.cli
    REM Update DbPassword alias to reference new password
    echo /subsystem=elytron/credential-store=mycredstore:remove-alias(alias=DbPassword) >> update_password.cli
    echo /subsystem=elytron/credential-store=mycredstore:add-alias(alias=DbPassword, secret-value=%new_password%) >> update_password.cli
    echo run-batch >> update_password.cli
    call C:\Wildfly\bin\jboss-cli.bat --connect --file=update_password.cli
    REM Restart WildFly server
    net stop WildFly
    net start WildFly
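The same procedure as the answer's script, added here as an example that is neither the asker's nor the answerer's code: it keeps the answer's paths, alias name and the return code 6 from elytron-tool as assumptions, but writes the CLI batch to a temporary file that is deleted afterwards (it holds the plaintext secret), and only restarts the service when jboss-cli exits with 0.

```batch
@echo off
setlocal EnableDelayedExpansion

REM Assumed locations and names (hypothetical; adjust to your installation)
set "WILDFLY_HOME=C:\Wildfly"
set "CREDSTORE=C:\PATH\TO\mycredstore.cs"
set "ALIAS=DbPassword"
REM Temporary CLI batch file; it will contain the plaintext secret and is removed below
set "CLI_FILE=%TEMP%\update_password_%RANDOM%.cli"

REM Batch cannot mask input; both values are shown on screen while typed
set /p "CREDSTORE_PASSWORD=Enter credential store password: "
set /p "NEW_PASSWORD=Enter new database password: "

REM 1. Verify the alias exists (assumes elytron-tool returns 6 when it does not, as the answer states).
REM    "call" is required, otherwise control never comes back from the called .bat file.
call "%WILDFLY_HOME%\bin\elytron-tool.bat" credential-store --location "%CREDSTORE%" --password "%CREDSTORE_PASSWORD%" --exists %ALIAS%
set "RC=%ERRORLEVEL%"
if %RC% EQU 6 (
    echo Alias %ALIAS% does not exist; nothing updated.
    exit /b 6
)
if %RC% NEQ 0 (
    echo elytron-tool failed with code %RC%; nothing updated.
    exit /b %RC%
)

REM 2. Write the CLI batch: remove-alias and add-alias run as one unit and are rolled back on failure.
REM    Delayed expansion (!VAR!) keeps characters such as & and | in the password from breaking echo;
REM    a password containing ! would still be mangled by batch.
echo batch > "%CLI_FILE%"
echo /subsystem=elytron/credential-store=mycredstore:remove-alias(alias=%ALIAS%) >> "%CLI_FILE%"
echo /subsystem=elytron/credential-store=mycredstore:add-alias(alias=%ALIAS%, secret-value=!NEW_PASSWORD!) >> "%CLI_FILE%"
echo run-batch >> "%CLI_FILE%"

REM 3. Apply the change (assumes jboss-cli.bat exits non-zero when the batch fails).
call "%WILDFLY_HOME%\bin\jboss-cli.bat" --connect --file="%CLI_FILE%"
set "RC=%ERRORLEVEL%"

REM 4. Remove the file holding the plaintext secret whatever the outcome.
del /f /q "%CLI_FILE%"

if %RC% NEQ 0 (
    echo jboss-cli failed with code %RC%; server not restarted.
    exit /b %RC%
)

REM 5. Restart only after a successful update.
net stop WildFly
net start WildFly
endlocal
exit /b 0
```

The credential store password is still passed on the elytron-tool command line, as in the answer, so it is visible to anyone who can list processes on the host while the tool runs.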