3 Replies Latest reply on Feb 9, 2011 1:25 PM by ron_sigal

Encrypt SSL KeyStorePassword in remoting-sslbisocket-service.xml

massios Dec 17, 2010 5:33 AM

Hello,

I am using jboss 5.1 GA.

I would like to encrypt the ssl keystore password in the remoting-sslbisocket-service.xml of jboss messaging. This xml contains the following mbean configuration. This xml of jboss messaging is using the org.jboss.remoting.securirity.SSLSocketBuilder mbean of jboss remoting. From what I can see here http://docs.jboss.org/jbosasremoting/docs/api/org/jboss/remoting/security/SSLSocketBuilder.html there is no way to encrypt the keystore, trustsore passwords. Am I correct? Has anyone tried extending the SSLSocketBuilder class to provide such functionality? I am considering doing this myself.

Thanks,

Nikos.

mbean  code="org.jboss.remoting.security.SSLSocketBuilder" name="jboss.messaging:service=SocketBuilder,type=SSL" display-name="SSL  Server Socket Factory Builder">

- <!--
           IMPORTANT - If making ANY customizations, this MUST be set to false.
           Otherwise, will used default settings and the following attributes will be ignored.
      
  -->

  <attribute name="UseSSLServerSocketFactory">false</attribute>

- <!--
 This is the url string to the key store to use 
  -->

  <attribute name="KeyStoreURL">${jboss.server.home.url}/conf/ssl/server.keystore</attribute>

- <!--
 The password for the key store 
  -->

  <attribute name="KeyStorePassword">MY_PASSWORD_IS_HERE</attribute>

- <!--
 The password for the keys (will use KeystorePassword if this is not set explicitly. 
  -->
- <!--
          <attribute name="KeyPassword">secureexample</attribute>
  -->
- <!--
 The protocol for the SSLContext. Default is TLS. 
  -->

  <attribute name="SecureSocketProtocol">TLS</attribute>

- <!--
 The algorithm for the key manager factory.  Default is SunX509. 
  -->

  <attribute name="KeyStoreAlgorithm">SunX509</attribute>

- <!--
           The type to be used for the key store.
           Defaults to JKS. Some acceptable values are JKS (Java Keystore - Sun's keystore format),
           JCEKS (Java Cryptography Extension keystore - More secure version of JKS), and
           PKCS12 (Public-Key Cryptography Standards #12 keystore - RSA's Personal Information
           Exchange Syntax Standard). These are not case sensitive.
      
  -->

  <attribute name="KeyStoreType">JKS</attribute>

  </mbean>

1. Encrypt SSL KeyStorePassword in remoting-sslbisocket-service.xml

ron_sigal Jan 21, 2011 11:41 PM (in response to massios)

Hi Nikos,

Yes, you are right that there's no provision for encrypting the keystore and truststore passwords. I suppose you could subclass SSLSocketBuilder and override setKeyStorePassword(). Then you wouldn't have to recreate jboss-remoting.jar.

-Ron
Actions
2. Encrypt SSL KeyStorePassword in remoting-sslbisocket-service.xml

massios Feb 9, 2011 1:16 PM (in response to ron_sigal)

Hello Ron,

This is my guess too of what we have to do. I haven't got round to it yet to test it but my guess is this will work.

Do you know by any chance if EAP has this feature? Will I be reimplementing something that EAP has?

Nikos
Actions
3. Encrypt SSL KeyStorePassword in remoting-sslbisocket-service.xml

ron_sigal Feb 9, 2011 1:25 PM (in response to massios)

Hi Nikos,

EAP doesn't have anything like that specific to to SSLSocketBuilder. As for any other password encryption facilities, I don't know the answer. I would try posing the question on one of the AS forums, say Installation, Configuration & Deployment.

-Ron
Actions

Go to original post