0 Replies Latest reply on Jan 6, 2011 4:32 AM by martin.hynar

    Masking password for SSL configuration

    martin.hynar

      Hello everyone,

      I am fighting with a problem: I need to mask a password in the SSL configuration for JMS (but it will be the same for any other use). I have the following configuration now:

      <mbean code="org.jboss.remoting.security.SSLSocketBuilder"
             name="jboss.messaging:service=SocketBuilder,type=SSL"
             display-name="SSL Server Socket Factory Builder">
          <!--
               IMPORTANT - If making ANY customizations, this MUST be set to false.
               Otherwise, the default settings will be used and the following attributes will be ignored.
          -->
          <attribute name="UseSSLServerSocketFactory">false</attribute>

          <!-- The protocol for the SSLContext. Default is TLS. -->
          <attribute name="SecureSocketProtocol">TLS</attribute>

          <!-- This is the URL string to the key store to use -->
          <attribute name="KeyStoreURL">${jboss.server.config.url}/keystore</attribute>

          <!-- The password for the key store -->
          <attribute name="KeyStorePassword">password</attribute>

          <!-- The password for the keys (will use KeyStorePassword if this is not set explicitly). -->
          <!--attribute name="KeyPassword">secureexample</attribute-->

          <!-- The algorithm for the key manager factory. Default is SunX509. -->
          <attribute name="KeyStoreAlgorithm">SunX509</attribute>

          <!-- The type to be used for the key store. -->
          <attribute name="KeyStoreType">JKS</attribute>
      </mbean>

      However, I am not happy with the plain text password written directly to the configuration file. What I would invite here is one of the following approaches:

      1. Masked password, as recommended for the JMS sucker password (JBoss Security Guide, chapter 16)
      2. Encrypted database password, as possible with org.jboss.resource.security.SecureIdentityLoginModule in login-config.xml (JBoss Security Guide, chapter 17)
      3. Encrypted, file-based password, as possible in the jbossweb server configuration (however, this is only security by obscurity, which is not the right one). (Details in JBoss Security Guide, chapter 18.)


      Does somebody know how to secure the password in the SSL config to avoid the plain text form? And if possible, also in jbossweb, to avoid security by obscurity.

      Thanks, Martin