activemq-users mailing list archives

From Justin Bertram <jbert...@redhat.com>
Subject Re: NettyConnector explicitly initializes SSLContext instead of using default
Date Wed, 07 Jun 2017 14:15:15 GMT
I just noticed that you said you were attempting to connect to Artemis in Wildfly, and I believe
that's going to be a 1.5.x version (or perhaps earlier) without this new feature.

FWIW, whether you set the values in system properties on the command line or programmatically,
or whether you configure the default SSL context, the keystore and truststore passwords are
going to reside on the machine in plain text.  I'm not sure there's any way to get around
that.


Justin

----- Original Message -----
From: "Justin Bertram" <jbertram@apache.org>
To: users@activemq.apache.org
Sent: Tuesday, June 6, 2017 3:35:11 PM
Subject: Re: NettyConnector explicitly initializes SSLContext instead of using default

What version are you using?  There is an option in 2.1 to use the default SSL context.  See
https://issues.apache.org/jira/browse/ARTEMIS-590.


Justin

----- Original Message -----
From: "mevans7" <mark.evans@morpho.com>
To: users@activemq.apache.org
Sent: Tuesday, June 6, 2017 3:17:43 PM
Subject: NettyConnector explicitly initializes SSLContext instead of using default

BOTTOM LINE: 
I need a secure way to initialize the SSLContext in
org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnector.  (No
keystore password in system properties.) 

USE CASE: 
I'm trying to configure a client to read JMS messages from Wildfly using
SSL.  This works ONLY if I specify these either with -D or
System.setProperty(): 

-Djavax.net.ssl.keyStore=<my-keystore-file-path>
-Djavax.net.ssl.keyStorePassword=<my-key-pass>
-Djavax.net.ssl.trustStore=<my-truststore-file-path>
-Djavax.net.ssl.trustStorePassword=<my-trust-pass>

My problem is this: for security purposes, I cannot put the password in the
System properties.  (These are too easy to dump out using various tools.) 

So, I programmatically initialize the default SSLContext.  BUT,
NettyConnector does not use the default SSLContext.  It explicitly reads the
above properties and creates its own SSLContext.

QUESTION: 
- How can I securely pass the truststore and keystore passwords to
NettyConnector? 
- Why doesn't NettyConnector just use the default SSLContext, which can be
configured with the same system parameters as above? 



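A client-side bootstrap for the approach the original post describes, added here as an example and not code from the thread or from Artemis: it builds the SSLContext from the keystore and truststore, installs it with SSLContext.setDefault(), and never writes a javax.net.ssl.* system property. It assumes the two store paths arrive as arguments, the passwords are read from the console rather than from disk (Justin's point about plaintext on the machine then applies to the store files but not to the passwords), and that `useDefaultSslContext` is the connector parameter ARTEMIS-590 introduced (my assumption of its name; the broker host is a placeholder).

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;

public final class DefaultSslContextBootstrap {
    // Load a keystore; the password lives only in the caller's char[] and is wiped after use.
    private static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext from keystore + truststore and install it as the JVM default.
    // No javax.net.ssl.* property is set, so a System.getProperties() dump shows no password.
    public static SSLContext installDefault(Path keyStore, char[] keyPass,
                                            Path trustStore, char[] trustPass) throws Exception {
        try {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStore, keyPass), keyPass);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(trustStore, trustPass));
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            SSLContext.setDefault(ctx);
            return ctx;
        } finally {
            Arrays.fill(keyPass, '\0');   // scrub both passwords even if initialisation fails
            Arrays.fill(trustPass, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no console; refusing to fall back to -D properties");
        char[] keyPass = console.readPassword("keystore password: ");
        char[] trustPass = console.readPassword("truststore password: ");
        installDefault(Path.of(args[0]), keyPass, Path.of(args[1]), trustPass);
        // Artemis 2.1+ (ARTEMIS-590): ask the NettyConnector to use SSLContext.getDefault() instead of
        // building its own from javax.net.ssl.*; parameter name assumed, broker host is a placeholder.
        System.out.println("tcp://broker.example.invalid:61617?sslEnabled=true&useDefaultSslContext=true");
    }
}
```

On an Artemis 1.5.x broker, as Justin notes, the connector still reads the javax.net.ssl.* properties, so this only helps once the client side is on a version that honours the default context.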
