Ssl – obfuscating keystore password in JBoss 4.2.2 GA

application-serverconfigurationjbossssltomcat

I've setup my jboss app-server to use SSL. The relevant extract from my config is below. Everything is working ok, however some people have expressed concern over the keystorePass attribute being in plain text. Is there any way to obfuscate / encrypt this value?

I'm using JBoss 4.2.2.GA (on Red Hat Enterprise Edition, if that makes any difference)

<Connector port="8080" 
    protocol="HTTP/1.1" 
    SSLEnabled="true"
    maxThreads="150" 
    scheme="https" 
    secure="true"
    clientAuth="false" 
    sslProtocol="TLS"
    keystoreFile="/somewhere/some.keystore"
    keystorePass="somePassword"
    keyAlias="tomcat"/>

Edit, To get away from the security by obscurity approach, an alternative to obfuscating this would be to not supply it at all and have tomcat prompt for the p/w on startup. However as far as I know this isn't supported. Can anyone confirm or deny this?

Best Answer

It is possible according to this wiki entry by Anil Saldhana, Lead JBoss Security Architect for JBoss:

http://community.jboss.org/wiki/EncryptKeystorePasswordInTomcatConnector

I have not personally implemented this, but I would imagine Anil knows the subject pretty well.

Related Solutions

JBOSS App Server vs. Glassfish

We have studied relative performance of JBoss vs. Glassfish, and found that Glassfish scales much better under high loads.

JBoss 5.1.0.GA – How to Setup Multiple Instances

I got it working on my own. The answer were these commands:

.\run.bat -Djboss.service.binding.set=ports-01 -c ports-01

.\run.bat -Djboss.service.binding.set=ports-02 -c ports-02

Also, I had to copy the server/default to 2 new directories called server/ports-01 and server/ports-02 ...

Then , in the server\ports-01\conf\bindingservice.beans\META-INF I had to remove references to instances ports-02, ports-03, and "default" from it.

Then , in the server\ports-02\conf\bindingservice.beans\META-INF I had to remove references to instances ports-01, ports-03, and "default" from it.

Then, finally, I deleted the "standard", "web", and "default" directories from the default installation in the server directory.

Then, I ran both servers with the commands above, and out-of-the-box, they work.

Also, here is a batch file to run clustered instead of separate instances:

@echo off

start .\bin\run.bat -c ports-01 -g MyLocal -u 239.255.100.100 -b 127.0.0.1 -Djboss.messaging.ServerPeerID=1 -Djboss.service.binding.set=ports-01

@echo Wait until first server finishes starting and then hit 
@echo any key to start the second server in the cluster...
pause

start .\bin\run.bat -c ports-02 -g MyLocal -u 239.255.100.100 -b 127.0.0.1 -Djboss.messaging.ServerPeerID=2 -Djboss.service.binding.set=ports-02

Best Answer

Related Solutions

JBOSS App Server vs. Glassfish

JBoss 5.1.0.GA – How to Setup Multiple Instances

Related Topic