0 Replies Latest reply on Jul 3, 2013 7:09 AM by Andreas Illg

    how to avoid plain text keystore passwords in jboss-cli.xml?

    Andreas Illg Newbie

      I am using the jboss-cli-client.jar on my Jenkins machine to remotely deploy whatever Jenkins has built.

      The communication on port 9443 is ssl-encrypted and authenticated with self-signed certificates on both ends.

      Standalone.xml provides the ${VAULT::...} mechanism to encrypt the passwords for the keystore and truststore.

      On the client side this ssl configuration is stored in jboss-cli.xml but from looking at the schema

      https://github.com/wildfly/wildfly/blob/master/build/src/main/resources/docs/schema/jboss-as-cli_1_2.xsd

      I don't see any similar mechanism to encrypt my keystore and truststore passwords.

      (no <vault> element).

       

      So how can I avoid plain text passwords in the jboss-cli.xml?

       

      I tried to not specify <keyStorePassword> and <trustStorePassword> and use the system properties

      -Djavax.net.ssl.keyStorePassword=Gdesefwe and -Djavax.net.ssl.trustStorePassword=Tr3waqEq

      described here

      http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization

      but this only leads to a null pointer exception (not specifying the tags) or an "invalid password" error (empty tags),

      so they don't seem to be honored.

       

      Even if they work I would have to specify them as shell environment variables since the command line arguments can be seen by anyone who is allowed to use ps.

      I thought I could somehow hide the keystore/truststore passwords using the Jenkins "Mask Passwords" plugin.

      But how?
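
The concern above about `ps` can be checked on the build host itself. The following is an added example, not part of the original post: it lists processes whose arguments carry either of the two JSSE password properties named in the post, printing the value redacted. It assumes a Linux `/proc`; the function names and the optional alternate proc root argument are hypothetical and chosen for illustration.

```shell
# Added example (not from the original post): find processes that expose
# javax.net.ssl store passwords in their command line, as `ps` would show them.

# The two system properties named in the post, as an extended regex.
PROP_RE='-Djavax\.net\.ssl\.(keyStore|trustStore)Password='

# leaks_password LINE: succeeds if LINE sets one of the properties to a non-empty value.
leaks_password() {
    printf '%s\n' "$1" | grep -Eq -- "${PROP_RE}[^[:space:]]+"
}

# redact_cmdline LINE: print LINE with every store password value replaced by ****.
redact_cmdline() {
    printf '%s\n' "$1" | sed -E "s/(${PROP_RE})[^[:space:]]*/\1****/g"
}

# scan_proc [PROCROOT]: print "PID redacted-cmdline" for each leaking process.
# PROCROOT defaults to /proc; another directory can be passed for testing.
scan_proc() {
    sp_root="${1:-/proc}"
    for sp_file in "$sp_root"/[0-9]*/cmdline; do
        [ -r "$sp_file" ] || continue
        # argv entries are NUL-separated in /proc/<pid>/cmdline
        sp_line=$(tr '\0' ' ' < "$sp_file")
        if leaks_password "$sp_line"; then
            sp_pid=${sp_file%/cmdline}
            sp_pid=${sp_pid##*/}
            printf '%s %s\n' "$sp_pid" "$(redact_cmdline "$sp_line")"
        fi
    done
}

# Run the audit against the live system only when asked to.
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

A process that receives the password through its environment instead does not appear in this output, because the value is not part of its argument vector.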