qpid-users mailing list archives

From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: How to encrypt ssl keystore password in config.xml
Date Tue, 11 Dec 2012 22:21:11 GMT
Correct.

On 11 December 2012 22:02, <David.Hu@ubs.com> wrote:

> Ok, Robbie,
>
> Got it. Back to encrypting the keystore password in the <connection><ssl>
> section of config.xml, I guess it is not supported?
>
> David
>
> -----Original Message-----
> From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com]
> Sent: Tuesday, December 11, 2012 4:59 PM
> To: users@qpid.apache.org
> Subject: Re: How to encrypt ssl keystore password in config.xml
>
> The variable value can be passed in using -D system properties, but not
> as an environment variable (Phil's example set the -D system property
> configuration by supplying it to the startup script via an environment
> variable the startup script uses to enable such configuration).
>
> Robbie
>
> On 11 December 2012 21:47, <David.Hu@ubs.com> wrote:
>
> > Hi, Robbie,
> >
> > Make sense.
> >
> > The ssl keystore/truststore/passwords in connection url is for client
> > side only.
> >
> > But for the broker, the configuration should go in config.xml, where the
> > variable can be used as per Phil, and the value of the variables can be
> > passed in using -D or via an environment variable.
> >
> > Again, I will leave JMX out of the scope at this point.
> >
> > Thanks,
> > David
> >
> > -----Original Message-----
> > From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com]
> > Sent: Tuesday, December 11, 2012 4:43 PM
> > To: users@qpid.apache.org
> > Subject: Re: How to encrypt ssl keystore password in config.xml
> >
> > Hi David,
> >
> > There seems to be a bit of confusion here.
> >
> > The broker's SSL configuration in relation to the messaging ports can
> > only be controlled using the <connector><ssl> elements in config.xml.
> > Phil was suggesting that you could use system properties (which will
> > be resolved at broker startup) in the config file rather than placing
> > the actual values in the config file. These system properties could be
> > the standard SSL system properties, or any other name of your own
> > choosing.
> > In this case anyone able to connect via JMX and view the contents of
> > the JVM's 'Platform' MBeanServer (which is what gets used by default by
> > the broker for its MBeans and by the JVM itself for all its standard
> > MBeans, and then gets exposed via JMX either by the broker's
> > JMXConnectorServer or the JVM's own if it is enabled at startup or
> > activated by 'locally' attaching JConsole etc as the user who started
> > the process) would be able to view the arguments used to start the JVM
> > since one of the standard MBeans exposes these (as used to populate the
> > VM Summary tab in JConsole), and those would include the system
> > properties. There is one way around that, as mentioned in my earlier
> > email and further explained below [*].
> >
> > The ability to specify SSL options in the client's connection url (as
> > opposed to via the client JVM's SSL system properties) only influences
> > the client's SSL configuration, not the broker's. The keystore and
> > truststore configuration for the server and client side are entirely
> > independent. When the broker has an SSL certificate it needs a
> > keystore, and the client needs a truststore containing trust
> > information for that certificate (assuming it is not trusted at the
> > JVM installation level).
> > When the broker additionally requires client certificates be
> > presented then the client will also need a keystore to contain its
> > certificate, and the broker will then need a truststore containing
> > trust information relating to the client certificates (again assuming
> > they are not already trusted at the JVM installation level).
> >
> > Robbie
> >
> > [*] You could move the broker's MBeans out of the Platform MBeanServer
> > using the configuration I mentioned previously, which would prevent
> > people from being able to see the argument information (along with all
> > the Thread, Memory etc information) when connecting to the
> > JMXConnectorServer started by the broker. People connecting to the
> > JVM's own Platform JMXConnectorServer (which gets used when you have
> > started the JVM using the com.sun.management.* options and then do
> > a 'remote' JConsole etc connection to the JMXConnectorServer on that
> > port, or perform a 'local' connection to a JVM with JConsole etc
> > whereby a management agent is injected in the running JVM using the
> > Attach API) would still be viewing the contents of the Platform
> > MBeanServer and thus be able to view that argument information, but
> > would not be able to view the broker's MBeans since they would now be
> > in a separate MBeanServer.
> > Unless you start the JVM with the com.sun.management.* options to
> > enable its platform JMXConnectorServer, the ability to access the
> > Platform JMXConnectorServer would only apply to the user who started
> > the broker, such that they can do a 'local' JMX connection with
> > JConsole etc, and they obviously already had access to the argument
> > information anyway when starting the broker.
> >
> > On 11 December 2012 17:04, <David.Hu@ubs.com> wrote:
> >
> > > Hi, Phil,
> > >
> > > In another of the responses, you seem to have recommended two
> > > approaches to doing this -
> > >
> > > 1. use system variable
> > >     (1) use java option -D to pass the value in
> > >     (2) export variable to pass in the value
> > >
> > > 2. Pass the keystore and password via connection URL (like your test
> > > case). It means that the one passed in via connection URL
> > > overrides the one defined in config.xml, correct?
> > >
> > > For 1(1), the password will be exposed in Jconsole. For 1(2), the
> > > password will be in starting script.
> > >
> > > The better approach is 2 where we can programmatically construct the
> > > URL. The password can be passed in in encrypted format and can be
> > > decrypted when constructing the URL.
> > >
> > > Still it seems there is no out-of-the-box solution; we need to write
> > > our own client (in the context of Synapse, we need to write our own
> > > JMSListener). It goes back to my understanding before.
> > >
> > > Thanks for all the help.
> > >
> > > David
> > >
> > > -----Original Message-----
> > > From: philharveyonline@googlemail.com
> > > [mailto:philharveyonline@googlemail.com] On Behalf Of Phil Harvey
> > > Sent: Tuesday, December 11, 2012 2:00 AM
> > > To: users@qpid.apache.org
> > > Subject: Re: How to encrypt ssl keystore password in config.xml
> > >
> > > Hi David,
> > >
> > > You can't exactly encrypt it, but you can avoid hard coding it. You
> > > can refer to system properties in config.xml using the form
> > > ${mypassword}.
> > >
> > > Expose system properties to the broker before starting it like so:
> > >
> > > export QPID_OPTS='-Dmypassword=password1'
> > >
> > > I think the broker automatically picks up the value of system property
> > > javax.net.ssl.keyStorePassword but iirc this depends on the broker
> > > version and whether you're setting it for messaging connections or for
> > > management.
> > > I will check. By the way what is your broker version?
> > >
> > > A word of warning: anyone who can connect JConsole to the broker can
> > > inspect system properties (possibly excluding
> > > javax.net.ssl.keyStorePassword, but I'm not sure), so you should
> > > consider ways of controlling access. The online broker documentation
> > > describes how to apply authentication and authorisation to JMX access.
> > >
> > > Hope that helps,
> > > Phil
> > > On Dec 8, 2012 12:21 AM, <David.Hu@ubs.com> wrote:
> > >
> > > > Hi, Guys,
> > > >
> > > > Is there a way to encrypt keystore password in ssl configuration
> > > > in config.xml?
> > > >
> > > > David
> > > >
> > > > *David Hu*
> > > > UBS, Group Technology Platform Service
> > > > 1-201-318-7435
> > > > ChatID: huda
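Robbie's point about the Platform MBeanServer, as an added example (not Qpid code and not from anyone in the thread): the java.lang:type=Runtime MBean that JConsole's VM Summary tab reads returns the JVM's input arguments, so a `-Dmypassword=...` value is visible to anyone with JMX access. The class name, the list of secret-like name fragments and the redaction are this example's own assumptions.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example, not Qpid code: audits the same data JMX exposes through
// RuntimeMXBean.InputArguments and reports -D property names that look like secrets.
public class JvmArgumentAudit {

    // Assumed list of name fragments that suggest a secret; extend as needed.
    private static final String[] SENSITIVE =
        {"password", "passwd", "secret", "keystorepass", "truststorepass"};

    // Returns the -D arguments whose property name matches a sensitive fragment,
    // with the value replaced by "<redacted>" so the audit output does not leak it.
    static List<String> findSensitiveProperties(List<String> inputArguments) {
        List<String> findings = new ArrayList<>();
        for (String arg : inputArguments) {
            if (!arg.startsWith("-D")) {
                continue;
            }
            int eq = arg.indexOf('=');
            String name = eq < 0 ? arg.substring(2) : arg.substring(2, eq);
            String lower = name.toLowerCase(Locale.ROOT);
            for (String marker : SENSITIVE) {
                if (lower.contains(marker)) {
                    findings.add(name + "=<redacted>");
                    break;
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // The attribute read here is the one any JMX client with access to the
        // Platform MBeanServer can read; it includes every -D passed at start-up.
        RuntimeMXBean runtime = ManagementFactory.getRuntimeMXBean();
        List<String> findings = findSensitiveProperties(runtime.getInputArguments());
        if (findings.isEmpty()) {
            System.out.println("No password-like -D properties in JVM input arguments.");
        } else {
            System.out.println("JVM input arguments expose these property names via JMX:");
            for (String f : findings) {
                System.out.println("  " + f);
            }
        }
    }
}
```

Running it as `java -Dmypassword=x JvmArgumentAudit` flags `mypassword`, which is exactly the exposure that moving the broker's MBeans out of the Platform MBeanServer does not remove for users who can reach the JVM's own connector.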
