
I've set up my JBoss app-server to use SSL. The relevant extract from my config is below. Everything is working OK; however, some people have expressed concern over the keystorePass attribute being in plain text. Is there any way to obfuscate / encrypt this value?

I'm using JBoss 4.2.2.GA (on Red Hat Enterprise Edition, if that makes any difference).

<Connector port="8080" 
    protocol="HTTP/1.1" 
    SSLEnabled="true"
    maxThreads="150" 
    scheme="https" 
    secure="true"
    clientAuth="false" 
    sslProtocol="TLS"
    keystoreFile="/somewhere/some.keystore"
    keystorePass="somePassword"
    keyAlias="tomcat"/>

Edit: To get away from the security-by-obscurity approach, an alternative to obfuscating this would be to not supply it at all and have Tomcat prompt for the password on startup. However, as far as I know this isn't supported. Can anyone confirm or deny this?

Glen
  • While it goes without saying, I'm going to say it anyway: obfuscation / encoding of passwords provides no real security. At best, it's security-by-obscurity, which is worse than no security, since it often gives a false sense of security. – Evan Anderson Feb 17 '10 at 17:32
  • @Evan Anderson, I agree, however some people get nervous at seeing passwords like that. I've edited my question to outline a different approach, which I think is more secure, but as far as I know isn't supported. – Glen Feb 17 '10 at 17:50

1 Answer

It is possible according to this wiki entry by Anil Saldhana, Lead JBoss Security Architect for JBoss:

http://community.jboss.org/wiki/EncryptKeystorePasswordInTomcatConnector

I have not personally implemented this, but I would imagine Anil knows the subject pretty well.

micah
  • Cool! There is also another wiki topic that explains how to do this for data source passwords: http://community.jboss.org/wiki/encryptingdatasourcepasswords – Matt Solnit Feb 17 '10 at 18:04
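The configuration the linked wiki describes, as I understand it: the connector stops carrying keystoreFile/keystorePass and instead names a JBoss security domain, whose MBean reads the password from a separate, permission-restricted file. This is an added example, not from the original answer or from the JBoss project; the attribute names, the MBean name, the file name and the FilePassword command line are from my recollection of JBoss 4.2 and should be checked against the wiki before use.

```xml
<!-- server.xml: the connector no longer holds the keystore path or password.
     It delegates to a JBoss security domain that supplies the keystore. -->
<Connector port="8080"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    SSLImplementation="org.jboss.net.ssl.JBossImplementation"
    securityDomain="java:/jaas/encrypt-keystore-password"/>

<!-- deploy/keystore-password-service.xml (file name chosen for this example):
     the JaasSecurityDomain MBean that loads the keystore. KeyStorePass does not
     contain the password; it names a class that reads it from a file. -->
<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=PBESecurityDomain">
    <constructor>
      <arg type="java.lang.String" value="encrypt-keystore-password"/>
    </constructor>
    <attribute name="KeyStoreURL">file:/somewhere/some.keystore</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
    <!-- Salt and IterationCount must match the values used to create the file -->
    <attribute name="Salt">example-salt</attribute>
    <attribute name="IterationCount">13</attribute>
  </mbean>
</server>

<!-- Create conf/keystore.password once, from a shell on the server
     (jbosssx.jar lives under server/<config>/lib):
       java -cp jbosssx.jar org.jboss.security.plugins.FilePassword \
           example-salt 13 somePassword keystore.password
     then lock it down: chown <jboss-user> keystore.password; chmod 600 keystore.password -->
```

This moves the secret out of server.xml, but anyone who can read both the MBean descriptor (salt and iteration count) and the password file can recover the password, so the file permissions on conf/keystore.password are the control that actually matters.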