qpid-users mailing list archives

From <David...@ubs.com>
Subject RE: How to encrypt ssl keystore password in config.xml
Date Tue, 11 Dec 2012 18:09:26 GMT
Hi, Robbie, 

JMX is not our concern yet. I will keep this on file for reference in
the future. 

About "javax.net.ssl properties will only influence the SSL behaviour of
the JMX interface": so for the messaging port, we should use the
configuration in the connection URL or in the config.xml section
<connection>.<ssl>, with the configuration in the URL taking precedence
over that in config.xml?

Thanks, 
David

-----Original Message-----
From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com] 
Sent: Tuesday, December 11, 2012 7:04 AM
To: users@qpid.apache.org
Subject: Re: How to encrypt ssl keystore password in config.xml

Hi David,

Just to add to Phil's email...

The javax.net.ssl properties will only influence the SSL behaviour of
the JMX interface, and not the messaging ports. For the latter you have
to specify them in the file one way or another.

The 'VM Summary' tab in JConsole has displayed the values of the
arguments used to set the SSL system properties on the JVM on every JDK
I have tried it on (though I admit to not having tried on > 1.6.0_31).
This applied both when using the JMXConnectorServer started by the
broker and when using the platform JMXConnectorServer you can prompt the
JVM to start itself by supplying the com.sun.management.* system
properties.

If you did want to set the password using the system property, you could
move the broker's MBeans out of the PlatformMBeanServer and into an
MBeanServer specific to the broker (by adding
<platform-mbeanserver>false</platform-mbeanserver> within the
<management> element), which would mean that the platform MBeans (used
for the Threads, Memory, VM Summary etc. information) would not be
available to people connecting to the broker's JMXConnectorServer, and
they would then be unable to view the arguments used to start the JVM.
The opposite is also true however: the broker's MBeans would not be
visible to people viewing the PlatformMBeanServer contents using e.g. a
JConsole local 'attach' connection to start the management agent in the
process, or a remote connection to a JMXConnectorServer started via the
com.sun.management.* properties.

A completely different suggestion might be to investigate encryption at
the file/filesystem level, although this is essentially just moving the
problem to being how to securely provide the password needed to decrypt
that.

Robbie


On 11 December 2012 07:00, Phil Harvey <phil@philharveyonline.com>
wrote:

> Hi David,
>
> You can't exactly encrypt it, but you can avoid hard coding it. You
> can refer to system properties in config.xml using the form
> ${mypassword}.
>
> Expose system properties to the broker before starting it like so:
>
> export QPID_OPTS='-Dmypassword=password1'
>
> I think the broker automatically picks up the value of system property
> javax.net.ssl.keyStorePassword but iirc this depends on the broker
> version and whether you're setting it for messaging connections or for
> management. I will check. By the way what is your broker version?
>
> A word of warning: anyone who can connect JConsole to the broker can
> inspect system properties (possibly excluding
> javax.net.ssl.keyStorePassword, but I'm not sure), so you should
> consider ways of controlling access. The online broker documentation
> describes how to apply authentication and authorisation to JMX access.
>
> Hope that helps,
> Phil
> On Dec 8, 2012 12:21 AM, <David.Hu@ubs.com> wrote:
>
> >
> > Hi, Guys,
> >
> > Is there a way to encrypt keystore password in ssl configuration in 
> > config.xml?
> >
> > David
> >
> > David Hu
> > UBS, Group Technology Platform Service
> > 1-201-318-7435
> > ChatID: huda
> >
> >
> > Visit our website at http://www.ubs.com
> >
> > This message contains confidential information and is intended only 
> > for the individual named.  If you are not the named addressee you 
> > should not disseminate, distribute or copy this e-mail.  Please 
> > notify the sender immediately by e-mail if you have received this 
> > e-mail by mistake and delete this e-mail from your system.
> >
> > E-mails are not encrypted and cannot be guaranteed to be secure or 
> > error-free as information could be intercepted, corrupted, lost, 
> > destroyed, arrive late or incomplete, or contain viruses.  The 
> > sender therefore does not accept liability for any errors or 
> > omissions in the contents of this message which arise as a result of
> > e-mail transmission.
> > If verification is required please request a hard-copy version.  
> > This message is provided for informational purposes and should not 
> > be construed as a solicitation or offer to buy or sell any 
> > securities or related financial instruments.
> >
> >
> > UBS reserves the right to retain all messages. Messages are 
> > protected and accessed only in legally justified cases.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > For additional commands, e-mail: users-help@qpid.apache.org
> >
>
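Added example, not code from this thread or from the Qpid project, in the
shell the broker is launched from. It does the two things Phil's and
Robbie's replies describe: it builds QPID_OPTS with -Dmypassword from a
file kept out of config.xml and out of shell history, and it checks
whether the password then shows up in a process's argument list, which is
what ps, /proc/<pid>/cmdline and JConsole's 'VM Summary' all read from.
The config.xml element names in the comment, the /etc/qpid paths and the
qpid-server launcher path are assumptions; take the real ones from the
config.xml shipped with your broker version.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Qpid project.
# Wires the ${mypassword} substitution to a secret kept outside
# config.xml, then demonstrates the caveat from the thread: a -D system
# property is part of the JVM's argv, so anyone who can run `ps` on the
# host can read it, whether or not JMX exposes the 'VM Summary' tab.
#
# Assumed config.xml fragment (element names and nesting are illustrative,
# check them against your broker's own config.xml):
#
#   <connector>
#     <ssl>
#       <enabled>true</enabled>
#       <keystorePath>/etc/qpid/broker.ks</keystorePath>
#       <keystorePassword>${mypassword}</keystorePassword>
#     </ssl>
#   </connector>

# Read the keystore password from a file instead of typing it on the
# command line (which would land in shell history). The file must be
# readable by its owner only; anything group- or world-readable is refused.
build_qpid_opts() {
    secret_file="$1"
    perms=$(stat -c '%a' "$secret_file" 2>/dev/null \
            || stat -f '%Lp' "$secret_file" 2>/dev/null) || return 1
    case "$perms" in
        *00) ;;    # group and other permission bits are zero: acceptable
        *)  echo "refusing $secret_file: mode $perms is group/world readable" >&2
            return 1 ;;
    esac
    pw=$(head -n 1 "$secret_file")
    [ -n "$pw" ] || { echo "empty secret in $secret_file" >&2; return 1; }
    # The launcher word-splits QPID_OPTS, so keep the password free of
    # whitespace, or quote it in a way your launcher script understands.
    printf '%s' "-Dmypassword=$pw"
}

# Check: does the secret appear in a running process's argument list?
# <platform-mbeanserver>false</platform-mbeanserver> hides the JMX view of
# the JVM arguments but does nothing about ps on the broker host.
cmdline_leaks_secret() {
    pid="$1"
    secret="$2"
    ps -o args= -p "$pid" | grep -qF -- "$secret"
}

# Usage, run by hand (the qpid-server launcher path is an assumption):
#   QPID_OPTS="$(build_qpid_opts /etc/qpid/keystore.pw)" \
#       "$QPID_HOME/bin/qpid-server"
#   cmdline_leaks_secret "$(pgrep -f qpid-server)" \
#       "$(head -n 1 /etc/qpid/keystore.pw)" \
#       && echo "keystore password is visible in ps output"
```

Whatever you do about the JMX side, the second function is the check
worth running after the broker is up: if it succeeds, the password is
readable by every local user who can list processes, and the file-level
protection on the secret file has bought nothing.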