Daniil Kirilyuk created QPID-8667:
-------------------------------------

Summary: [Broker-J] Database connection with client certificate authentication exposes keystore / truststore passwords
Key: QPID-8667
URL: https://issues.apache.org/jira/browse/QPID-8667
Project: Qpid
Issue Type: Improvement
Components: Broker-J
Affects Versions: qpid-java-broker-9.1.0
Reporter: Daniil Kirilyuk
Fix For: qpid-java-broker-9.1.1

JDBC allows datasource parameters to be supplied via the JDBC connection string in the form:

jdbc:<vendor>://<hostname>:<port>/<database>?key1=value1&key2=value2&key3=value3

The relevant configuration of a virtualhost for PostgreSQL looks like the following:

{code:java}
{
  "type" : "JDBC",
  "connectionPoolType" : "BONECP",
  "connectionUrl": "jdbc:postgresql://<hostname>:<port>/<database_name>?ssl=true&sslmode=verify-full&sslkey=<path_to_ssl_key_file>&sslpassword=<ssl_key_file_password>&sslrootcert=<path_to_root_certificate>",
  "username": "QPID",
  "password": null
}
{code}

To hide sensitive parameters like keystore / truststore passwords, the configuration should reference a keystore or truststore instead, providing the RDBMS-specific parameter names:

{code:java}
{
  "name" : "default",
  "type" : "JDBC",
  "connectionPoolType" : "BONECP",
  "connectionUrl" : "jdbc:postgresql://<hostname>:<port>/<database_name>?ssl=true&sslmode=verify-full&sslrootcert=<path_to_root_certificate>",
  "keyStore" : "keystore-database",
  "keyStorePasswordPropertyName" : "sslpassword",
  "keyStorePathPropertyName" : "sslkey",
  "trustStore" : null,
  "trustStorePasswordPropertyName" : null,
  "trustStorePathPropertyName" : null,
  "username" : "QPID"
}
{code}

Here the keystore "keystore-database" is referenced, containing the path to the keystore as well as its password (which is hidden). The path to the keystore should be injected into the JDBC connection string using the parameter "keyStorePathPropertyName", and the keystore's password should be injected into the JDBC connection string using the parameter "keyStorePasswordPropertyName".
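The injection described above, as an added Java example (not Broker-J's own code): the keystore path and password are appended to the connection URL under the configured property names, URL-encoded so a password containing '&' or '=' cannot add or alter parameters, and the password is masked before the URL is logged. The class and method names, host name, path and password are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class JdbcUrlInjectionExample {

    // Appends name=value to the URL; skipped when either is null
    // (e.g. trustStore* attributes left as null in the configuration).
    static void append(StringBuilder url, String name, String value) {
        if (name == null || value == null) return;
        url.append(url.indexOf("?") < 0 ? '?' : '&')
           .append(URLEncoder.encode(name, StandardCharsets.UTF_8))
           .append('=')
           .append(URLEncoder.encode(value, StandardCharsets.UTF_8));
    }

    // Builds the URL handed to the JDBC driver from the configured base URL
    // and the values resolved from the referenced keystore.
    static String inject(String baseUrl, String pathProp, String path,
                         String passwordProp, String password) {
        StringBuilder url = new StringBuilder(baseUrl);
        append(url, pathProp, path);
        append(url, passwordProp, password);
        return url.toString();
    }

    // Masks the value of the password parameter so the URL is safe to log.
    static String redact(String url, String passwordProp) {
        if (passwordProp == null) return url;
        return url.replaceAll("([?&]" + Pattern.quote(passwordProp) + "=)[^&]*", "$1********");
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for the resolved keystore attributes.
        String base = "jdbc:postgresql://db.example.test:5432/qpid?ssl=true&sslmode=verify-full";
        String full = inject(base, "sslkey", "/etc/qpid/db-client.p12",
                             "sslpassword", "s3cr&t=1");
        // 'full' is passed only to the JDBC driver; logs get the redacted form.
        System.out.println(redact(full, "sslpassword"));
    }
}
```

The assembled URL still carries the password in memory, so only the redacted form should reach logs, exception messages or management interfaces.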