Subject: RE: How to encrypt ssl keystore password in config.xml
From: David Hu
To: users@qpid.apache.org
Date: Tue, 11 Dec 2012 17:02:03 -0500
Message-ID: <7AB845BCA354EE479566BD07691DEF6206DDCCD0@NSTMC034PEX1.ubsw.net>

Ok, Robbie,
Got it.
Back to encrypting the keystore password in the section in config.xml, I guess it is not supported?

David

-----Original Message-----
From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com]
Sent: Tuesday, December 11, 2012 4:59 PM
To: users@qpid.apache.org
Subject: Re: How to encrypt ssl keystore password in config.xml

The variable value can be passed in using -D system properties, but not as an environment variable (Phil's example set the -D system property configuration by supplying it to the startup script via an environment variable the startup script uses to enable such configuration).

Robbie

On 11 December 2012 21:47, wrote:
> Hi, Robbie,
>
> Makes sense.
>
> The ssl keystore/truststore/passwords in the connection url are for the client side only.
>
> But for the broker, the configuration should go in config.xml, where the variable can be used as per Phil and the value of the variables can be passed in using -D or via an environment variable.
>
> Again, I will leave JMX out of the scope at this point.
>
> Thanks,
> David
>
> -----Original Message-----
> From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com]
> Sent: Tuesday, December 11, 2012 4:43 PM
> To: users@qpid.apache.org
> Subject: Re: How to encrypt ssl keystore password in config.xml
>
> Hi David,
>
> There seems to be a bit of confusion here.
>
> The broker's SSL configuration in relation to the messaging ports can only be controlled using the elements in config.xml. Phil was suggesting that you could use system properties (which will be resolved at broker startup) in the config file rather than placing the actual values in the config file. These system properties could be the standard SSL system properties, or any other name of your own choosing.
> In this case anyone able to connect via JMX and view the contents of the JVM's 'Platform' MBeanServer (which is what gets used by default by the broker for its MBeans and by the JVM itself for all its standard MBeans, and then gets exposed via JMX either by the broker's JMXConnectorServer or the JVM's own if it is enabled at startup or activated by 'locally' attaching JConsole etc as the user who started the process) would be able to view the arguments used to start the JVM, since one of the standard MBeans exposes these (as used to populate the VM Summary tab in JConsole), and those would include the system properties. There is one way around that, as mentioned in my earlier email and further explained below [*].
>
> The ability to specify SSL options in the client's connection url (as opposed to via the client JVM's SSL system properties) only influences the client's SSL configuration, not the broker's. The keystore and truststore configuration for the server and client side are entirely independent. When the broker has an SSL certificate it needs a keystore, and the client needs a truststore containing trust information for that certificate (assuming it is not trusted at the JVM installation level). When the broker additionally requires client certificates be presented, then the client will also need a keystore to contain its certificate, and the broker will then need a truststore containing trust information relating to the client certificates (again assuming they are not already trusted at the JVM installation level).
>
> Robbie
>
> [*] You could move the broker's MBeans out of the Platform MBeanServer using the configuration I mentioned previously, which would prevent people from being able to see the argument information (along with all the Thread, Memory etc information) when connecting to the JMXConnectorServer started by the broker.
> People connecting to the JVM's own Platform JMXConnectorServer (which gets used when you have started the JVM using the com.sun.management.* options and then do a 'remote' JConsole etc connection to the JMXConnectorServer on that port, or perform a 'local' connection to a JVM with JConsole etc whereby a management agent is injected into the running JVM using the Attach API) would still be viewing the contents of the Platform MBeanServer and thus be able to view that argument information, but would not be able to view the broker's MBeans since they would now be in a separate MBeanServer. Unless you start the JVM with the com.sun.management.* options to enable its platform JMXConnectorServer, the ability to access the Platform JMXConnectorServer would only apply to the user who started the broker, such that they can do a 'local' JMX connection with JConsole etc, and they obviously already had access to the argument information anyway when starting the broker.
>
> On 11 December 2012 17:04, wrote:
>
> > Hi, Phil,
> >
> > With another of the responses, you seem to have recommended two approaches on doing this -
> >
> > 1. use system variable
> > (1) use java option -D to pass the value in
> > (2) export variable to pass in the value
> >
> > 2. Pass the keystore and password via connection URL (like your test case). It means that the one passed in via connection URL overrides the one defined in config.xml, correct?
> >
> > For 1(1), the password will be exposed in JConsole. For 1(2), the password will be in the starting script.
> >
> > The better approach is 2, where we can programmatically construct the URL. The password can be passed in in encrypted format and can be decrypted when constructing the URL.
> >
> > Still it seems there is no out-of-box solution; we need to write our own client (in the context of Synapse, we need to write our own JMSListener).
> > It goes back to my understanding before.
> >
> > Thanks for all the help.
> >
> > David
> >
> > -----Original Message-----
> > From: philharveyonline@googlemail.com [mailto:philharveyonline@googlemail.com] On Behalf Of Phil Harvey
> > Sent: Tuesday, December 11, 2012 2:00 AM
> > To: users@qpid.apache.org
> > Subject: Re: How to encrypt ssl keystore password in config.xml
> >
> > Hi David,
> >
> > You can't exactly encrypt it, but you can avoid hard coding it. You can refer to system properties in config.xml using the form ${mypassword}.
> >
> > Expose system properties to the broker before starting it like so:
> >
> > export QPID_OPTS='-Dmypassword=password1'
> >
> > I think the broker automatically picks up the value of system property javax.net.ssl.keyStorePassword but iirc this depends on the broker version and whether you're setting it for messaging connections or for management. I will check. By the way, what is your broker version?
> >
> > A word of warning: anyone who can connect JConsole to the broker can inspect system properties (possibly excluding javax.net.ssl.keyStorePassword, but I'm not sure), so you should consider ways of controlling access. The online broker documentation describes how to apply authentication and authorisation to JMX access.
> >
> > Hope that helps,
> > Phil
> >
> > On Dec 8, 2012 12:21 AM, wrote:
> >
> > > Hi, Guys,
> > >
> > > Is there a way to encrypt the keystore password in the ssl configuration in config.xml?
> > >
> > > David
> > >
> > > *David Hu*
> > > UBS, Group Technology Platform Service
> > > 1-201-318-7435
> > > ChatID: huda
> > >
> > > Visit our website at http://www.ubs.com
> > >
> > > This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
> > > Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
> > >
> > > E-mails are not encrypted and cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.
> > >
> > > UBS reserves the right to retain all messages. Messages are protected and accessed only in legally justified cases.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > > For additional commands, e-mail: users-help@qpid.apache.org
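Added example (my own code, not from this thread or from Qpid) of the exposure Robbie describes: the JVM's Runtime platform MBean publishes the startup arguments that JConsole's VM Summary tab displays, so a startup self-check can flag any -D property whose name looks like a credential before the broker is reachable over JMX. The class name and the credential name pattern are assumptions of mine.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Shows why a secret passed as a -D system property is visible to anyone
 * who can read the Platform MBeanServer: RuntimeMXBean (the standard
 * java.lang:type=Runtime MBean) exposes the JVM input arguments, and its
 * SystemProperties attribute exposes the resolved values as well.
 */
public final class JvmArgumentExposureCheck {

    // Hypothetical heuristic: -D property names that look like credentials.
    private static final Pattern SECRET_NAME =
        Pattern.compile("(?i)^-D[^=]*(pass|secret|pwd)[^=]*=");

    /** Returns the names (never the values) of credential-like -D arguments. */
    public static List<String> findSecretArguments(List<String> inputArguments) {
        List<String> hits = new ArrayList<>();
        for (String arg : inputArguments) {
            if (SECRET_NAME.matcher(arg).find()) {
                // Report only the part before '=' so the check itself
                // does not leak the secret into logs.
                hits.add(arg.substring(0, arg.indexOf('=')));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        RuntimeMXBean runtime = ManagementFactory.getRuntimeMXBean();
        // getInputArguments() returns exactly the data a remote JConsole
        // user sees via the Platform MBeanServer.
        List<String> hits = findSecretArguments(runtime.getInputArguments());
        if (hits.isEmpty()) {
            System.out.println("No credential-like -D arguments among JVM input arguments.");
        } else {
            System.out.println("WARNING: these -D properties are readable via JMX: " + hits);
        }
    }
}
```

Run as `java -Dmypassword=password1 JvmArgumentExposureCheck` to see `-Dmypassword` flagged; a value supplied through QPID_OPTS ends up on the same java command line and is flagged the same way.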