0 Replies Latest reply on Sep 12, 2013 5:21 PM by Jeff Lavezzo

    JBoss 7 Clear-Text Keystore password!

    Jeff Lavezzo Newbie

      My data store connection password is not in clear-text: http://middlewaremagic.com/jboss/?p=1026

      But my keystore password IS.  This is a problem for customers, especially those running our system on Windows where they can't have reliable file permissions.

      Previous versions of JBoss recognized this was a problem:

      EncryptKeystorePasswordInTomcatConnector

      Acceptable solutions were implemented:

      https://issues.jboss.org/browse/JBAS-8353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

      But those aren't available in JBoss 7.  https://docs.jboss.org/author/display/AS71/Admin+Guide#AdminGuide-%7B%7B%3Cssl%2F%3E%7D%7D

      Vault is overkill and frankly just doesn't work, in our testing at least.  We need command line options for changing passwords that don't require CS degrees.  And we need it to not crash.  We can't move to EAP 6 for this release.

      This solution used in Jetty would be perfect: http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords

      Base64 encoding is just obfuscated enough for our customers.