0 Replies Latest reply on Mar 25, 2013 9:51 AM by jicken

    mod_cluster SSL setup/implementation (JBoss AS --> httpd)

    jicken

      Hi,

      I have a little problem with how the password attribute of the ssl element in the JBoss AS7 modcluster subsystem is used.

      Let's say we already have a truststore defined using system properties:

      <system-properties>
          <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/certs/myCA.jks"/>
          <property name="javax.net.ssl.trustStorePassword" value="mypasswd"/>
      </system-properties>

      In addition I have different keystores for the client certificates with different passwords.

      If the password is used in the subsystem config, ModClusterSubsystemAdd.java (as shown below) will overwrite my settings, which will lead to exceptions b/c my truststore cannot be read anymore.

      // ModClusterSubsystemAdd.java: one password is applied to both stores
      if (password.isDefined()) {
          config.setSslTrustStorePassword(password.asString());
          config.setSslKeyStorePassword(password.asString());
      }

      This fact gives me two options:

      1. I will set a password in the ssl element

      This means I have to duplicate my already existing CA truststore and use the same password I am using for my client certificate keystore.

      2. I do not set a password.

      My truststore can be read w/o modification, BUT my keystore has to use the default "changeit" password, which needs considering due to security implications.

      This is in ModClusterConfig.java:

      // ModClusterConfig.java: hard-coded default keystore password
      private String sslKeyStorePassword = "changeit";

      What I'd like to discuss is:

      1. Guard the truststore password set in ModClusterSubsystemAdd.java

      // only apply the subsystem password if no truststore password was given via system property
      if (System.getProperty("javax.net.ssl.trustStorePassword") == null) {
          config.setSslTrustStorePassword(password.asString());
      }

      2. Use the javax.net.ssl.keyStore* system properties like it's done for the javax.net.ssl.trustStore* ones

      // ModClusterConfig.java: take the keystore password from the standard system property
      private String sslKeyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");

      What do you think?

      Thx,

      Torben
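An added illustration of the failure mode and of the guard proposed in point 1 (editor's example, not code from the post, JBoss AS or mod_cluster): it builds an in-memory JKS truststore protected by "mypasswd", sets the javax.net.ssl.trustStorePassword system property, and shows that opening the store with the subsystem's ssl password fails while the guarded resolution succeeds. The resolveTrustStorePassword helper and its plain String argument are assumptions standing in for the ModelNode password attribute.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;

public class TrustStorePasswordGuard {

    // Assumed helper mirroring the proposed guard: an existing system property wins,
    // otherwise the subsystem's ssl password, otherwise the fallback ("changeit" today).
    static String resolveTrustStorePassword(String subsystemPassword, String fallback) {
        String fromSystem = System.getProperty("javax.net.ssl.trustStorePassword");
        if (fromSystem != null) {
            return fromSystem;
        }
        return subsystemPassword != null ? subsystemPassword : fallback;
    }

    // Constructed sample: an empty JKS store serialised under the given password.
    static byte[] emptyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // JKS verifies an integrity digest derived from the password on load;
    // a wrong password surfaces as IOException ("Keystore was tampered with, or password was incorrect").
    static boolean canOpen(byte[] store, String password) {
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new ByteArrayInputStream(store), password.toCharArray());
            return true;
        } catch (IOException e) {
            return false;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] trustStore = emptyStore("mypasswd".toCharArray());
        System.setProperty("javax.net.ssl.trustStorePassword", "mypasswd");
        String sslElementPassword = "clientkeypass"; // constructed: the client keystore password

        // Unguarded: the ssl element password is applied to the truststore too -> cannot be read.
        System.out.println("unguarded: " + canOpen(trustStore, sslElementPassword));
        // Guarded: the operator's system property is left alone -> opens fine.
        System.out.println("guarded:   " + canOpen(trustStore, resolveTrustStorePassword(sslElementPassword, "changeit")));
    }
}
```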