qpid-users mailing list archives

From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: How to encrypt ssl keystore password in config.xml
Date Tue, 11 Dec 2012 12:03:35 GMT
Hi David,

Just to add to Phil's email..

The javax.net.ssl properties will only influence the SSL behaviour of the
JMX interface, and not the messaging ports. For the latter you have to
specify them in the file one way or another.

The 'VM Summary' tab in JConsole has displayed the values of the arguments
used to set the SSL system properties on the JVM on every JDK I have tried
it on (though I admit to not having tried on > 1.6.0_31). This applied both
using the JMXConnectorServer started by the broker, or to the platform
JMXConnectorServer you can prompt the JVM to start itself by supplying the
com.sun.management.* system properties.

If you did want to set the password using the system property, you could
move the broker's MBeans out of the PlatformMBeanServer and into an
MBeanServer specific to the broker (by adding
<platform-mbeanserver>false</platform-mbeanserver> within the <management>
element), which would mean that the platform MBeans (used for the Threads,
Memory, VM Summary etc. information) would not be available to people
connecting to the broker's JMXConnectorServer and they would then be unable
to view the arguments used to start the JVM. The opposite is also true
however: the broker's MBeans would not be visible to people viewing the
PlatformMBeanServer contents using e.g. a JConsole local 'attach'
connection to start the management agent in the process, or a remote
connection to a JMXConnectorServer started via the com.sun.management.*
properties.

A completely different suggestion might be to investigate encryption at the
file/filesystem level, although this is essentially just moving the problem
to being how to securely provide the password needed to decrypt that.

Robbie
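
Added example (not code from the thread or from the Qpid project): a small Python audit that applies the two points above to a constructed config.xml. It reports whether password elements are literal or ${property} references of the kind Phil describes, resolves them from the -D properties the broker would be started with, and reads the <platform-mbeanserver> setting; every element name other than management/platform-mbeanserver is an assumption about the config.xml layout.

```python
"""Audit a Qpid Java broker config.xml for two things discussed in the thread:
whether SSL keystore passwords are hard-coded or pulled in via ${property}
references, and whether the broker's MBeans are kept off the
PlatformMBeanServer (<platform-mbeanserver>false</platform-mbeanserver>),
which is what stops JMX clients of the broker from reading the JVM input
arguments (and so any -Dmypassword=... passed through QPID_OPTS)."""
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample config; element names under <connector> are assumptions.
SAMPLE_CONFIG = """<broker>
  <connector>
    <ssl>
      <enabled>true</enabled>
      <keyStorePath>/opt/qpid/etc/broker.keystore</keyStorePath>
      <keyStorePassword>${mypassword}</keyStorePassword>
    </ssl>
  </connector>
  <management>
    <enabled>true</enabled>
    <platform-mbeanserver>false</platform-mbeanserver>
  </management>
</broker>"""

def resolve(value, props):
    """Expand ${name} references from a dict of -D system properties; unknown names stay as-is."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)

def audit(config_xml, props):
    """Return findings about password elements and JMX exposure of the JVM arguments."""
    root = ET.fromstring(config_xml)
    findings = {"passwords": [], "platform_mbeanserver": True}
    for elem in root.iter():
        if "password" in elem.tag.lower() and elem.text:
            text = elem.text.strip()
            refs = PLACEHOLDER.findall(text)
            findings["passwords"].append({
                "element": elem.tag,
                "hardcoded": not refs,                       # literal secret in the file
                "properties": refs,                          # -D names the broker needs at start
                "resolvable": all(r in props for r in refs),  # would expand with these -D values
            })
    pm = root.find("./management/platform-mbeanserver")
    if pm is not None and pm.text and pm.text.strip().lower() == "false":
        findings["platform_mbeanserver"] = False
    # Sharing the platform MBeanServer exposes the RuntimeMXBean (JConsole's
    # VM Summary), and with it every -D argument the JVM was started with.
    findings["jvm_args_visible_over_broker_jmx"] = findings["platform_mbeanserver"]
    return findings
```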


On 11 December 2012 07:00, Phil Harvey <phil@philharveyonline.com> wrote:

> Hi David,
>
> You can't exactly encrypt it, but you can avoid hard coding it. You can
> refer to system properties in config.xml using the form ${mypassword}.
>
> Expose system properties to the broker before starting it like so:
>
> export QPID_OPTS='-Dmypassword=password1'
>
> I think the broker automatically picks up the value of system property
> javax.net.ssl.keyStorePassword but iirc this depends on the broker version
> and whether you're setting it for messaging connections or for management.
> I will check. By the way what is your broker version?
>
> A word of warning: anyone who can connect JConsole to the broker can
> inspect system properties (possibly excluding
> javax.net.ssl.keyStorePassword, but I'm not sure), so you should consider
> ways of controlling access. The online broker documentation describes how
> to apply authentication and authorisation to JMX access.
>
> Hope that helps,
> Phil
> On Dec 8, 2012 12:21 AM, <David.Hu@ubs.com> wrote:
>
> > Hi, Guys,
> >
> > Is there a way to encrypt keystore password in ssl configuration in
> > config.xml?
> >
> > David
> >
> > *David Hu*
> > UBS, Group Technology Platform Service
> > 1-201-318-7435
> > ChatID: huda
>
