2 Replies Latest reply: Apr 22, 2014 7:06 AM by amckeown

    Using JSSE and Encrypting JKS passwords


      I'm using the JSSE SSL implementation on WLS with custom trust and identity keystores. At the moment setDomain.env has the JKS trust store password in plain text (see the snippet below) within the arguments, as javax.net.ssl needs to be used. Normally you wouldn't need to express it within setDomain.env under the Certicom SSL implementation.

      Same old problem: if someone runs ps -aux they can see the password, as it's in plain text.

      It's mentioned above that you can also mask your process from people running ps -aux.

      . ${DOMAIN_HOME}/pepper-config/env/esb-mock-srvc-prop.sh

      . ${DOMAIN_HOME}/pepper-config/env/esb-env-properties.sh

      EXTRA_JAVA_PROPERTIES="-DUseSunHttpHandler=true -Xms1500m -Xmx1500m -Djava.util.logging.config.file=${DOMAIN_HOME}/pepper-config/properties/esb_jutill_logging.properties -Desb.log4j.service.config=${DOMAIN_HOME}/pepper-config/properties/esb-logging.xml -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore=/apps_01/webapps/keystores/truststore/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.keyStore=/apps_data_01/security/keystores/42122-esb-apw-int/keystore/42122-esb-apw.jks -Djavax.net.ssl.keyStorePassword=${password} ${EXTRA_JAVA_PROPERTIES}"


      Is there a method of making it encrypted? Or do we need to make the application use a file?

        • 1. Re: Using JSSE and Encrypting JKS passwords

          Looking at a few blogs, one way is to set it in the code itself rather than in the Java args.
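          Reply 1's suggestion of taking the password out of the Java arguments, as an added example (not code from this thread or from WebLogic): the keystore passwords are read from files that only the service account can read, instead of being passed as -Djavax.net.ssl.* properties that show up in ps output. The class name, method names and file paths are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class FileBackedSslContext {
    // Reads a one-line password file (hypothetical path, mode 0400, owned by the WLS service
    // account) straight into a char[] so it can be zeroed; a String copy could not be wiped.
    static char[] readPassword(Path file) throws IOException {
        byte[] raw = Files.readAllBytes(file);
        int len = raw.length;
        while (len > 0 && (raw[len - 1] == '\n' || raw[len - 1] == '\r')) len--;
        char[] pwd = new char[len];
        for (int i = 0; i < len; i++) pwd[i] = (char) (raw[i] & 0xff); // ASCII/Latin-1 password assumed
        Arrays.fill(raw, (byte) 0);
        return pwd;
    }

    static KeyStore loadJks(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Builds an SSLContext from the identity and trust JKS files with no password in any -D argument.
    public static SSLContext build(Path keyStore, Path keyPwdFile, Path trustStore, Path trustPwdFile)
            throws Exception {
        char[] keyPwd = readPassword(keyPwdFile);
        char[] trustPwd = readPassword(trustPwdFile);
        try {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(keyStore, keyPwd), keyPwd);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadJks(trustStore, trustPwd));
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            Arrays.fill(keyPwd, '\0');   // passwords live only for the duration of the load
            Arrays.fill(trustPwd, '\0');
        }
    }
}
```

          Register the result with SSLContext.setDefault(ctx) so HttpsURLConnection and other JSSE clients pick it up without the javax.net.ssl system properties. Because the password lives in a file rather than in the code, rotating it is a file change and restart, not a code release.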



          • 2. Re: Using JSSE and Encrypting JKS passwords

            The only trouble with using the Java code to set the password is that if it changes, a code release would have to happen. There must be a better way!


            I've heard you can only pass password arguments in plain text as well.


            However, if you want your client to use the trust and identity of WLS, you can select the Use Server Certs option from the console.
            You'll not have to pass the trust store parameter explicitly!


            Trouble is, we are using client certs and MSSL.