qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: How to encrypt ssl keystore password in config.xml
Date Tue, 11 Dec 2012 21:59:17 GMT
The variable value can be passed in using -D system properties, but not as
an environment variable (Phils example set the -D system property
configuration by supplying it to the startup script via an environment
variable the startup script uses to enable such configuration).

Robbie

On 11 December 2012 21:47, <David.Hu@ubs.com> wrote:

> Hi, Robbie,
>
> Make sense.
>
> The ssl keystore/truststore/passwords in connection url is for client
> side only.
>
> But for broker, the configuration should go in config.xml where the
> variable can be used as per Phil and the value of the variables can be
> passed in using -D or via environment variable.
>
> Again, I will leave JMX out of the scope at this point.
>
> Thanks,
> David
>
> -----Original Message-----
> From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com]
> Sent: Tuesday, December 11, 2012 4:43 PM
> To: users@qpid.apache.org
> Subject: Re: How to encrypt ssl keystore password in config.xml
>
> Hi David,
>
> There seems to be a bit of confusion here.
>
> The brokers SSL configuration in relation to the messaging ports can
> only be controlled using the <connector><ssl> elements in config.xml.
> Phil was suggesting that you could use system properties (which will be
> resolved at broker startup) in the config file rather than placing the
> actual values in the config file. These system property could be the
> standard SSL system properties, or any other name of your own choosing.
> In this case anyone able to connect via JMX and view the contents of the
> JVMs 'Platform'
> MBeanServer (which is what gets used by default by the broker for its
> MBeans and by the JVM itself for all its standard MBeans, and then gets
> exposed via JMX either by the brokers JMXConnectorServer or the JVMs own
> if is enabled at startup or activated by 'locally' attaching JConsole
> etc as the user who started the process) would be able to view the
> arguments used to start the JVM since one of the standard MBeans exposes
> these (as used to populate the VM Summary tab in JConsole), and those
> would include the system properties. There is one way around that, as
> mentioned in my earlier email and further explained below [*].
>
> The ability to specify SSL options in the clients connection url (as
> opposed to via the client JVMs SSL system properties) only influences
> the clients SSL configuration, not the brokers. The keystore and
> truststore configuration for the server and client side are entirely
> independent. When the broker has an SSL certificate it needs a keystore,
> and the client needs a truststore containing trust information for that
> certificate (assuming it is not trusted at the JVM installation level).
> When the broker additionionally requires client certificates be
> presented then the client will also need a keystore to contain its
> certificate, and the broker will then need a truststore containing trust
> information relating to the client certificates (again assuming they are
> not already trusted at the JVM installation level).
>
> Robbie
>
> [*] You could move the brokers MBeans out of the Platform MBeanServer
> using the configuration I mentioned previously, which would prevent
> people from being able to see the argument information (along with all
> the Thread, Memory etc information) when connecting to the
> JMXConnectorServer started by the broker. People connecting to the JVMs
> own Platform JMXConnectorServer (which gets used when you have started
> in the JVM using the com.sun.management.* options and then do a 'remote'
> JConsole etc connection to the JMXConnectorServer, on that port, or
> perform a 'local'
> connection to a JVM with JConsole etc whereby a management agent is
> injected in the running JVM using the Attach API) would still be viewing
> the contents of the Platform MBeanServer and thus be able to view that
> argument information, but would not be able to view the brokers MBeans
> since they would now be in a separate MBeanServer. Unless you start the
> JVM the com.sun.management.* options to enable its platform
> JMXConnectorServer, the ability to access the Platform
> JMXConnectorServer would only apply to the user who started the broker,
> such that they can do a 'local' JMX connection with JConsole etc, and
> they obviously already had acess to the argument information anyway when
> starting the broker.
>
> On 11 December 2012 17:04, <David.Hu@ubs.com> wrote:
>
> > Hi, Phil,
> >
> > With another of the response, you seem have recommended two approaches
>
> > on doing this -
> >
> > 1. use system variable
> >     (1) use java option -D to pass the value in
> >     (2) export variable to pass in the value
> >
> > 2. Pass the keystore and password via connection URL (like your test
> > case). It means that that the one passed in via connection URL
> > overrides the one defined in config.xml, correct?
> >
> > For 1(1), the password will be exposed in Jconsole. For 1(2), the
> > password will be in starting script.
> >
> > The better approach is 2 where we can programatically construct the
> URL.
> > The password can be passed-in in encrypted format and can be decrypted
>
> > when constructing URL.
> >
> > Still it seems there is no out-of-box solution, we need to write our
> > own client (in the context of Synapse, we need to write our own
> JMSListener.
> > It goes back to my understanding before.
> >
> > Thanks for all the help.
> >
> > David
> >
> > -----Original Message-----
> > From: philharveyonline@googlemail.com
> > [mailto:philharveyonline@googlemail.com] On Behalf Of Phil Harvey
> > Sent: Tuesday, December 11, 2012 2:00 AM
> > To: users@qpid.apache.org
> > Subject: Re: How to encrypt ssl keystore password in config.xml
> >
> > Hi David,
> >
> > You can't exactly encrypt it, but you can avoid hard coding it. You
> > can refer to system properties in config.xml using the form
> ${mypassword}.
> >
> > Expose system properties to the broker before starting it like so:
> >
> > export QPID_OPTS='-Dmypassword=password1'
> >
> > I think the broker automatically picks up the value of system property
>
> > javax.net.ssl.keyStorePassword but iirc this depends on the broker
> > version and whether you're setting it for messaging connections or for
>
> > management.
> > I will check. By the way what is your brother version?
> >
> > A word of warning: anyone who can connect JConsole to the broker can
> > inspect system properties (possibly excluding
> > javax.net.ssl.keyStorePassword, but I'm not sure), so you should
> > consider ways of controlling access. The online broker documentation
> > describes how to apply authentication and authorisation to JMX access.
> >
> > Hope that helps,
> > Phil
> > On Dec 8, 2012 12:21 AM, <David.Hu@ubs.com> wrote:
> >
> > > **
> > >
> > > Hi, Guys,
> > >
> > > Is there a way to encrypt keystore password in ssl configuration in
> > > config.xml?
> > >
> > > David
> > >
> > > *David Hu*
> > > UBS, Group Technology Platform Service
> > > 1-201-318-7435
> > > ChatID: huda
> > >
> > >
> > > Visit our website at http://www.ubs.com
> > >
> > > This message contains confidential information and is intended only
> > > for the individual named.  If you are not the named addressee you
> > > should not disseminate, distribute or copy this e-mail.  Please
> > > notify
> >
> > > the sender immediately by e-mail if you have received this e-mail by
>
> > > mistake and delete this e-mail from your system.
> > >
> > > E-mails are not encrypted and cannot be guaranteed to be secure or
> > > error-free as information could be intercepted, corrupted, lost,
> > > destroyed, arrive late or incomplete, or contain viruses.  The
> > > sender therefore does not accept liability for any errors or
> > > omissions in the
> >
> > > contents of this message which arise as a result of e-mail
> > transmission.
> > > If verification is required please request a hard-copy version.
> > > This message is provided for informational purposes and should not
> > > be construed as a solicitation or offer to buy or sell any
> > > securities or related financial instruments.
> > >
> > >
> > > UBS reserves the right to retain all messages. Messages are
> > > protected and accessed only in legally justified cases.
> > >
> > >
> > > --------------------------------------------------------------------
> > > - To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
> > > additional commands, e-mail: users-help@qpid.apache.org
> > >
> > Visit our website at http://www.ubs.com
> >
> > This message contains confidential information and is intended only
> > for the individual named.  If you are not the named addressee you
> > should not disseminate, distribute or copy this e-mail.  Please notify
>
> > the sender immediately by e-mail if you have received this e-mail by
> > mistake and delete this e-mail from your system.
> >
> > E-mails are not encrypted and cannot be guaranteed to be secure or
> > error-free as information could be intercepted, corrupted, lost,
> > destroyed, arrive late or incomplete, or contain viruses.  The sender
> > therefore does not accept liability for any errors or omissions in the
>
> > contents of this message which arise as a result of e-mail
> transmission.
> > If verification is required please request a hard-copy version.  This
> > message is provided for informational purposes and should not be
> > construed as a solicitation or offer to buy or sell any securities or
> > related financial instruments.
> >
> >
> > UBS reserves the right to retain all messages. Messages are protected
> > and accessed only in legally justified cases.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org For
> > additional commands, e-mail: users-help@qpid.apache.org
> >
> >
> Visit our website at http://www.ubs.com
>
> This message contains confidential information and is intended only
> for the individual named.  If you are not the named addressee you
> should not disseminate, distribute or copy this e-mail.  Please
> notify the sender immediately by e-mail if you have received this
> e-mail by mistake and delete this e-mail from your system.
>
> E-mails are not encrypted and cannot be guaranteed to be secure or
> error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses.  The sender
> therefore does not accept liability for any errors or omissions in the
> contents of this message which arise as a result of e-mail transmission.
> If verification is required please request a hard-copy version.  This
> message is provided for informational purposes and should not be
> construed as a solicitation or offer to buy or sell any securities
> or related financial instruments.
>
>
> UBS reserves the right to retain all messages. Messages are protected
> and accessed only in legally justified cases.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message