0 Replies Latest reply on Mar 25, 2013 9:51 AM by jicken

      mod_cluster SSL setup/implementation (JBoss AS --> httpd)

      I have a little problem with how the password attribute of the ssl element in the JBoss AS7 modcluster subsystem is used.

      Let's say we already have a truststore defined using system properties:

          <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/certs/myCA.jks"/>
          <property name="javax.net.ssl.trustStorePassword" value="mypasswd"/>

      In addition I have different keystores for the client certificates with different passwords.

      If the password is used in the subsystem config, ModClusterSubsystemAdd.java (as shown below) will overwrite my settings, which will lead to exceptions b/c my truststore cannot be read anymore.

          if (password.isDefined()) {

      This fact gives me two options:

      1. I set a password in the ssl element.

      This means I have to duplicate my already existing CA truststore and use the same password I am using for my client certificate keystore.

      2. I do not set a password.

      My truststore can be read w/o modification, BUT my keystore has to use the default "changeit" password, which needs considering due to security implications.

      This is in ModClusterConfig.java:

          private String sslKeyStorePassword = "changeit";

      What I'd like to discuss is:

      1. Guard the truststore password set in ModClusterSubsystemAdd.java:

          if (System.getProperty("javax.net.ssl.trustStorePassword") == null) {

      2. Use the javax.net.ssl.keyStore* system properties like it's done for the javax.net.ssl.trustStore* ones:

          private String sslKeyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");

      What do you think?
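An added example, not part of jicken's post or of the JBoss/mod_cluster code: a stand-alone Java class that builds an in-memory JKS truststore protected by "mypasswd", reproduces the overwrite described above (the truststore becomes unreadable), and shows the proposed null-guard plus javax.net.ssl.keyStorePassword fallback keeping it readable. The class name SslPasswordGuard, the Properties object standing in for System.getProperties(), and the sample client keystore password "clientkeypw" are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Properties;

public class SslPasswordGuard { // hypothetical helper, not JBoss code; 'sys' stands in for System.getProperties()
    static final String TRUST_PW = "javax.net.ssl.trustStorePassword";
    static final String KEY_PW = "javax.net.ssl.keyStorePassword";
    // guarded=false: the ssl password always overwrites the truststore password
    // (the behaviour described above); guarded=true: a user-defined value is kept.
    static void applyTrustStorePassword(Properties sys, String sslPassword, boolean guarded) {
        if (sslPassword == null || (guarded && sys.getProperty(TRUST_PW) != null)) return;
        sys.setProperty(TRUST_PW, sslPassword);
    }
    // Proposal 2: javax.net.ssl.keyStorePassword first, then the ssl password, no hard-coded "changeit".
    static String keyStorePassword(Properties sys, String sslPassword) {
        String fromProps = sys.getProperty(KEY_PW);
        return fromProps != null ? fromProps : sslPassword;
    }
    // Constructed sample: an empty JKS truststore protected by 'password'.
    static byte[] buildTrustStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }
    // A wrong password fails the JKS integrity check and surfaces as an IOException.
    static boolean trustStoreReadable(byte[] store, Properties sys) throws Exception {
        try {
            KeyStore.getInstance("JKS").load(new ByteArrayInputStream(store),
                    sys.getProperty(TRUST_PW).toCharArray());
            return true;
        } catch (IOException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] trustStore = buildTrustStore("mypasswd".toCharArray());
        for (boolean guarded : new boolean[] {false, true}) {
            Properties sys = new Properties();
            sys.setProperty(TRUST_PW, "mypasswd");   // user's truststore password
            sys.setProperty(KEY_PW, "clientkeypw");  // user's client keystore password
            applyTrustStorePassword(sys, "clientkeypw", guarded);
            System.out.println("guarded=" + guarded + " truststoreReadable="
                    + trustStoreReadable(trustStore, sys) + " keyStorePassword=" + keyStorePassword(sys, null));
        }
    }
}
```

The unguarded pass ends with the subsystem's ssl password in javax.net.ssl.trustStorePassword, so the CA truststore no longer opens; the guarded pass leaves the user's value alone and still resolves the client keystore password from the system property.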