8 Replies Latest reply on Jun 25, 2010 5:13 PM by mspbrst2

    Securing Jopr Oracle Settings

    mspbrst2

      I want to secure the connection between Jopr and Oracle.  My plan is to use an encrypted password (keystore) to hide the password from cleartext.

      When installing Jopr on a server, where do the Oracle database settings get set?  If I want to go back and change these settings manually, where would I find them?

        • 1. Re: Jopr Oracle Settings
          mazz
          • 2. Re: Jopr Oracle Settings
            mspbrst2

            So I found that the database information is stored in the rhq-server.properties file, but I still am looking for more information, so I guess I'll further describe my questions below:

            1) Is the rhq server database information stored anywhere else?

            2) Where is the rhq.server.database.password variable used in the code?

            3) Is it possible to set any of these variables to be the output of a command by using backticks or the $(cmd) format?

            Thanks,

            Steven

            • 3. Re: Jopr Oracle Settings
              mazz
              1) Is the rhq server database information stored anywhere else?

              That's it. Technically (if you are familiar with how JBossAS is started/configured), the rhq-server.properties is passed into the JBossAS server's run script via the -P option, which means all settings in there are set as system properties in the JBossAS VM.

              2) Where is the rhq.server.database.password variable used in the code?

              In the rhq-ds.xml file (the thing that sets up the datasource). Note, in our upcoming release, we obfuscate that db password found in the .properties file. See https://bugzilla.redhat.com/show_bug.cgi?id=535601

              3) Is it possible to set any of these variables to be the output of a command by using backticks or the $(cmd) format?

              No. As mentioned above, rhq-server.properties is a flat file that is passed to JBossAS via the -P option - it's simply a name/value pair properties file, not a script and thus not run through a scripting engine.

              If the question is about security, we recommend locking down this .properties file with appropriate UNIX file system permissions. You could grab a beta and also rely on obfuscation to help "hide" the password (though clearly obfuscation isn't a hardened security mechanism - though it can help thwart accidental compromise).

              Worst case, you could modify/customize the rhq-server.sh script to pass in some of these properties to run.sh via the -D option that JBossAS supports and take out the values in the .properties file. I don't know anyone that had a need to do this but I'm sure it's doable.

              • 4. Re: Jopr Oracle Settings
                mspbrst2

                Great!  That last post was really helpful, I'm on the right track now.  I want to remove the occurrences of the rhq.server.database.password from rhq-ds.xml so that I do not need to use the rhq-server.properties file to store it in plain text.

                I've been asked to do something similar to this: http://community.jboss.org/wiki/EncryptKeystorePasswordInTomcatConnector, but I'm not quite sure how to apply it to this situation.  I'm thinking that something along the lines of this article: http://community.jboss.org/wiki/encryptingdatasourcepasswords might be helpful to me as well, but I don't even want an encrypted password visible.  I think I want to use something along the lines of java:/jaas/encrypt-keystore-password and create an mbean using KeyStoreType, KeyStoreURL and KeyStorePass as attributes.

                Does anyone have any suggestions about how something like this might be done?  I'm not quite sure how all the pieces fit together yet, so any help would be greatly appreciated.

                Thanks,

                Steven

                • 5. Re: Jopr Oracle Settings
                  ips

                  Let us know what you come up with. I think other RHQ users may also be interested in doing something similar.

                  • 6. Re: Jopr Oracle Settings
                    mspbrst2

                    Similar to this: http://community.jboss.org/wiki/EncryptKeystorePasswordInTomcatConnector, if I create a connector in JOPR_HOME/jopr-server-2.3.1/jbossas/server/default/deploy/jboss-web.deployer/server.xml and a corresponding mbean in JOPR_HOME/jopr-server-2.3.1/jbossas/server/default/deploy/jboss-web.deployer/META-INF/jboss-service.xml, would there be a way to remove the passwords from the datasource file?

                    • 7. Re: Jopr Oracle Settings
                      mspbrst2
                       Worst case, you could modify/customize the rhq-server.sh script to pass in some of these properties to run.sh via the -D option that JBossAS supports and take out the values in the .properties file. I don't know anyone that had a need to do this but I'm sure it's doable.

                       This could be a viable solution actually, but is it possible to do this in such a way that the properties being passed are not visible in the process table?

                       Thanks,

                       Steven

                      • 8. Re: Jopr Oracle Settings
                        mspbrst2

                        Steven Bruce wrote:

                        Worst case, you could modify/customize the rhq-server.sh script to pass in some of these properties to run.sh via the -D option that JBossAS supports and take out the values in the .properties file. I don't know anyone that had a need to do this but I'm sure it's doable.

                        This could be a viable solution actually, but is it possible to do this in such a way that the properties being passed are not visible in the process table?

                        Thanks,

                        Steven

                        Okay, so I think I'm actually going to rule this option out unless anyone knows of a way to accomplish this.  As far as I can tell, I can't get the datasource to read from an environment variable, and if I pass in the information as a JVM system property, then it's visible in the process table.  If anyone else has any suggestions regarding this option, please let me know.

                        So, if no one has any ideas on that one, I think I'm heading back towards the direction of utilizing some sort of LoginModule, DataSourceFactory, or Mbean that would allow me to remove the password and call an external class to retrieve it.  Does anyone know how to call a class from a datasource file?

                        Thanks,

                        Steven
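A check for the two exposures raised in replies 3 and 7, as an added example that is not code from the thread or from Jopr/RHQ: it verifies that rhq-server.properties is readable by its owner only (the file-permission lockdown mazz recommends) and flags a JVM command line that carries rhq.server.database.password as a -D property (the process-table visibility Steven asks about). Only the property name and the file name come from the thread; the paths, the sample properties file and the sample ps line are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jopr/RHQ. It checks the two
# exposures discussed above: rhq-server.properties readable by other users, and
# the database password showing up in the process table when passed with -D.
# Only the property name rhq.server.database.password and the file name come
# from the thread; the sample file and sample ps line are constructed here.

# check_props_perms FILE: prints a finding and returns 1 unless FILE exists and
# is readable by its owner only (mode 600 or 400).
check_props_perms() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # POSIX find: a plain numeric -perm argument matches the mode exactly.
    if [ -z "$(find "$f" -prune \( -perm 600 -o -perm 400 \) -print)" ]; then
        echo "loose permissions on $f (expected mode 600 or 400)"
        return 1
    fi
    return 0
}

# ps_line_leaks_password "ARGS": returns 0 when a JVM command line (one line of
# `ps -eo args=`) carries the password as a -D system property, 1 otherwise.
ps_line_leaks_password() {
    case "$1" in
        *-Drhq.server.database.password=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo: a temporary properties file plus a fake JVM command line.
demo() {
    tmp=$(mktemp)
    printf 'rhq.server.database.password=ChangeMe\n' > "$tmp"
    chmod 644 "$tmp"
    check_props_perms "$tmp" || echo "fix: chown <jopr user> $tmp && chmod 600 $tmp"
    chmod 600 "$tmp"
    check_props_perms "$tmp" && echo "permissions ok on $tmp"
    if ps_line_leaks_password "java -Drhq.server.database.password=ChangeMe -jar run.jar"; then
        echo "password visible in process table; -P with a locked-down file keeps it out"
    fi
    rm -f "$tmp"
}

demo
```

On a live host, point check_props_perms at the real rhq-server.properties path and feed each line of `ps -eo args=` to ps_line_leaks_password.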