3 Replies Latest reply on Nov 9, 2011 6:07 AM by EJP



      I'm developing a web service client that makes calls to a server using SSL.
      In passing the required system properties, two of them are passed unencrypted: javax.net.ssl.trustStorePassword and javax.net.ssl.keyStorePassword.
      Is there a way I can pass them encrypted to my client program?


      Edited by: 893511 on Oct 27, 2011 7:09 AM
        • 1. Re: trustStorePassword
          Since both are on the client, why do you need them encrypted? Even if you did need to encrypt them, your client application would need to be able to decrypt them to use them, so the key/password used to decrypt them would need to be available to the client to unencrypt them! You are then back to the same problem - what protects the keys/passwords that protect the SSL passwords?
          • 2. Re: trustStorePassword
            Unless you are doing mutual authentication, you don't really need to pass the passwords.
            • 3. Re: trustStorePassword
              If he needs a key store he needs a keystore password. You never need a truststore password unless you want it verified on opening. Passing the password to the client is contradictory. Nobody but the client should know it in the first place. It should be configured at the client.
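
The points made in the replies above, as an added example that is not part of the original thread: the truststore is opened with a null password (certificates load, only the integrity check is skipped), and the keystore password is read from a client-local file instead of a `-D` system property. The class name, file names, the JKS/PKCS12 store types and the owner-only permission check on a POSIX file system are assumptions made for this sketch.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.util.Arrays;

public class ClientTls {
    // Hypothetical client-local paths; adjust for the deployment.
    static final Path KEYSTORE = Paths.get("client-keystore.p12");
    static final Path TRUSTSTORE = Paths.get("client-truststore.jks");
    static final Path PASSWORD_FILE = Paths.get("keystore.pass");

    // Read the keystore password from a file only its owner can access (POSIX only).
    static char[] readKeystorePassword() throws Exception {
        for (PosixFilePermission p : Files.getPosixFilePermissions(PASSWORD_FILE)) {
            if (!p.name().startsWith("OWNER_"))
                throw new SecurityException(PASSWORD_FILE + " must be owner-only");
        }
        byte[] raw = Files.readAllBytes(PASSWORD_FILE);
        return new String(raw, StandardCharsets.UTF_8).trim().toCharArray();
    }

    static SSLContext build() throws Exception {
        // JKS truststore: a null password loads the certificates without verifying integrity.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(TRUSTSTORE)) { trust.load(in, null); }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // The keystore holds the client's private key, so it does need its password.
        char[] pw = readKeystorePassword();
        try {
            KeyStore keys = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(KEYSTORE)) { keys.load(in, pw); }
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keys, pw); // assumes the key password equals the store password
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            Arrays.fill(pw, '\0'); // do not keep the password in memory longer than needed
        }
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection.setDefaultSSLSocketFactory(build().getSocketFactory());
    }
}
```

Built this way, the password never appears on the command line or in the JVM's system properties, and its protection comes from the client machine's file permissions.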