qpid-users mailing list archives

From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: How to encrypt ssl keystore password in config.xml
Date Tue, 11 Dec 2012 21:49:50 GMT
Also meant to add, when Phil pointed you at SSLTest he really meant you to
look at configuration of the clients for SSL via the standard SSL system
properties (as used in testCreateSSLConnectionUsingSystemProperties for
example), and not the ability to configure the client's SSL configuration
using the connection URL. Those properties being:

javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword

Robbie


On 11 December 2012 21:42, Robbie Gemmell <robbie.gemmell@gmail.com> wrote:

> Hi David,
>
> There seems to be a bit of confusion here.
>
> The broker's SSL configuration in relation to the messaging ports can only
> be controlled using the <connector><ssl> elements in config.xml. Phil was
> suggesting that you could use system properties (which will be resolved at
> broker startup) in the config file rather than placing the actual values in
> the config file. These system properties could be the standard SSL system
> properties, or any other name of your own choosing. In this case anyone
> able to connect via JMX and view the contents of the JVM's 'Platform'
> MBeanServer (which is what gets used by default by the broker for its
> MBeans and by the JVM itself for all its standard MBeans, and then gets
> exposed via JMX either by the broker's JMXConnectorServer or the JVM's own if
> it is enabled at startup or activated by 'locally' attaching JConsole etc as
> the user who started the process) would be able to view the arguments used
> to start the JVM since one of the standard MBeans exposes these (as used to
> populate the VM Summary tab in JConsole), and those would include the
> system properties. There is one way around that, as mentioned in my earlier
> email and further explained below [*].
>
> The ability to specify SSL options in the client's connection URL (as
> opposed to via the client JVM's SSL system properties) only influences the
> client's SSL configuration, not the broker's. The keystore and truststore
> configuration for the server and client side are entirely independent. When
> the broker has an SSL certificate it needs a keystore, and the client needs
> a truststore containing trust information for that certificate (assuming it
> is not trusted at the JVM installation level). When the broker
> additionally requires client certificates be presented then the client
> will also need a keystore to contain its certificate, and the broker will
> then need a truststore containing trust information relating to the client
> certificates (again assuming they are not already trusted at the JVM
> installation level).
>
> Robbie
>
> [*] You could move the broker's MBeans out of the Platform MBeanServer
> using the configuration I mentioned previously, which would prevent people
> from being able to see the argument information (along with all the Thread,
> Memory etc information) when connecting to the JMXConnectorServer started
> by the broker. People connecting to the JVM's own Platform
> JMXConnectorServer (which gets used when you have started the JVM using
> the com.sun.management.* options and then do a 'remote' JConsole etc
> connection to the JMXConnectorServer on that port, or perform a 'local'
> connection to a JVM with JConsole etc whereby a management agent is
> injected into the running JVM using the Attach API) would still be viewing
> the contents of the Platform MBeanServer and thus be able to view that
> argument information, but would not be able to view the broker's MBeans
> since they would now be in a separate MBeanServer. Unless you start the JVM
> with the com.sun.management.* options to enable its platform JMXConnectorServer,
> the ability to access the Platform JMXConnectorServer would only apply to
> the user who started the broker, such that they can do a 'local' JMX
> connection with JConsole etc, and they obviously already had access to the
> argument information anyway when starting the broker.
>
>
> On 11 December 2012 17:04, <David.Hu@ubs.com> wrote:
>
>> Hi, Phil,
>>
>> With another of the responses, you seem to have recommended two approaches
>> on doing this -
>>
>> 1. use system variable
>>     (1) use java option -D to pass the value in
>>     (2) export variable to pass in the value
>>
>> 2. Pass the keystore and password via connection URL (like your test
>> case). It means that the one passed in via connection URL overrides
>> the one defined in config.xml, correct?
>>
>> For 1(1), the password will be exposed in Jconsole. For 1(2), the
>> password will be in starting script.
>>
>> The better approach is 2 where we can programmatically construct the URL.
>> The password can be passed in in encrypted format and can be decrypted
>> when constructing the URL.
>>
>> Still it seems there is no out-of-box solution, we need to write our own
>> client (in the context of Synapse, we need to write our own JMSListener).
>> It goes back to my understanding before.
>>
>> Thanks for all the help.
>>
>> David
>>
>> -----Original Message-----
>> From: philharveyonline@googlemail.com
>> [mailto:philharveyonline@googlemail.com] On Behalf Of Phil Harvey
>> Sent: Tuesday, December 11, 2012 2:00 AM
>> To: users@qpid.apache.org
>> Subject: Re: How to encrypt ssl keystore password in config.xml
>>
>> Hi David,
>>
>> You can't exactly encrypt it, but you can avoid hard coding it. You can
>> refer to system properties in config.xml using the form ${mypassword}.
>>
>> Expose system properties to the broker before starting it like so:
>>
>> export QPID_OPTS='-Dmypassword=password1'
>>
>> I think the broker automatically picks up the value of system property
>> javax.net.ssl.keyStorePassword but iirc this depends on the broker
>> version and whether you're setting it for messaging connections or for
>> management.
>> I will check. By the way what is your broker version?
>>
>> A word of warning: anyone who can connect JConsole to the broker can
>> inspect system properties (possibly excluding
>> javax.net.ssl.keyStorePassword, but I'm not sure), so you should
>> consider ways of controlling access. The online broker documentation
>> describes how to apply authentication and authorisation to JMX access.
>>
>> Hope that helps,
>> Phil
>> On Dec 8, 2012 12:21 AM, <David.Hu@ubs.com> wrote:
>>
>> >
>> > Hi, Guys,
>> >
>> > Is there a way to encrypt keystore password in ssl configuration in
>> > config.xml?
>> >
>> > David
>> >
>> > *David Hu*
>> > UBS, Group Technology Platform Service
>> > 1-201-318-7435
>> > ChatID: huda
>> >
>> >
>> > Visit our website at http://www.ubs.com
>> >
>> > This message contains confidential information and is intended only
>> > for the individual named.  If you are not the named addressee you
>> > should not disseminate, distribute or copy this e-mail.  Please notify
>> > the sender immediately by e-mail if you have received this e-mail by
>> > mistake and delete this e-mail from your system.
>> >
>> > E-mails are not encrypted and cannot be guaranteed to be secure or
>> > error-free as information could be intercepted, corrupted, lost,
>> > destroyed, arrive late or incomplete, or contain viruses.  The sender
>> > therefore does not accept liability for any errors or omissions in the
>> > contents of this message which arise as a result of e-mail transmission.
>> > If verification is required please request a hard-copy version.  This
>> > message is provided for informational purposes and should not be
>> > construed as a solicitation or offer to buy or sell any securities or
>> > related financial instruments.
>> >
>> >
>> > UBS reserves the right to retain all messages. Messages are protected
>> > and accessed only in legally justified cases.
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
>> > additional commands, e-mail: users-help@qpid.apache.org
>> >
>

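As an added illustration of the point made in the thread above, that the JVM's Runtime MBean exposes the start-up arguments (and so any `-D` secrets) to whoever can reach the platform MBeanServer: this is example code written for this archive page, not part of the Qpid project. It reads the `InputArguments` attribute of `java.lang:type=Runtime`, the same attribute JConsole's VM Summary tab displays, and reports which `-D` property names look like they carry credentials without echoing the values. The class name and the name-matching regex are assumptions.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/** Audit helper (hypothetical): which -D properties would a JMX client see? */
public class JvmArgumentAudit {

    // Property names that commonly carry secrets; extend as needed (assumption).
    private static final Pattern SECRET_NAME =
        Pattern.compile("(?i)(password|passwd|secret|credential)");

    /** Returns "name=****" for every -D argument whose name looks secret-bearing. */
    public static List<String> findExposedSecrets(List<String> inputArguments) {
        List<String> exposed = new ArrayList<>();
        for (String arg : inputArguments) {
            if (!arg.startsWith("-D")) {
                continue;
            }
            int eq = arg.indexOf('=');
            String name = eq < 0 ? arg.substring(2) : arg.substring(2, eq);
            if (SECRET_NAME.matcher(name).find()) {
                exposed.add(name + "=****"); // report the name only, never the value
            }
        }
        return exposed;
    }

    /** Reads InputArguments through the platform MBeanServer, as a JMX client would. */
    public static List<String> inputArgumentsViaJmx() throws Exception {
        MBeanServer platform = ManagementFactory.getPlatformMBeanServer();
        String[] args = (String[]) platform.getAttribute(
            new ObjectName("java.lang:type=Runtime"), "InputArguments");
        return Arrays.asList(args);
    }

    public static void main(String[] unused) throws Exception {
        // Try: java -Dmypassword=password1 JvmArgumentAudit   (value is a constructed sample)
        List<String> exposed = findExposedSecrets(inputArgumentsViaJmx());
        if (exposed.isEmpty()) {
            System.out.println("No secret-looking -D properties visible via the Runtime MXBean.");
        } else {
            System.out.println("Visible to any client of the platform MBeanServer:");
            exposed.forEach(p -> System.out.println("  " + p));
        }
    }
}
```

Running it inside the broker JVM with `-Dmypassword=password1` on the command line (the pattern Phil described via QPID_OPTS) lists `mypassword=****`, which is exactly the exposure Robbie's [*] note is about; moving the broker MBeans to a separate MBeanServer hides the broker's own beans but not this attribute.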