Daniil Kirilyuk created QPID-8667:
-------------------------------------

             Summary: [Broker-J] Database connection with client certificate 
authentication exposes keystore / truststore passwords
                 Key: QPID-8667
                 URL: https://issues.apache.org/jira/browse/QPID-8667
             Project: Qpid
          Issue Type: Improvement
          Components: Broker-J
    Affects Versions: qpid-java-broker-9.1.0
            Reporter: Daniil Kirilyuk
             Fix For: qpid-java-broker-9.1.1


JDBC allows datasource parameters to be supplied via the JDBC connection string in the form: 
jdbc:<vendor>://<hostname>:<port>/<database>?key1=value1&key2=value2&key3=value3

The relevant configuration of a virtualhost for PostgreSQL looks like the following:
{code:java}
{
  "type" : "JDBC",
  "connectionPoolType" : "BONECP",
  "connectionUrl": 
"jdbc:postgresql://<hostname>:<port>/<database_name>?ssl=true&sslmode=verify-full&sslkey=<path_to_ssl_key_file>&sslpassword=<ssl_key_file_password>&sslrootcert=<path_to_root_certificate>",
  "username": "QPID",
  "password": null
} {code}
To hide sensitive parameters like keystore / truststore passwords, the 
configuration should reference a keystore or truststore instead of providing the 
RDBMS-specific parameter names:
{code:java}
{
  "name" : "default",
  "type" : "JDBC",
  "connectionPoolType" : "BONECP",
  "connectionUrl" : 
"jdbc:postgresql://<hostname>:<port>/<database_name>?ssl=true&sslmode=verify-full&sslrootcert=<path_to_root_certificate>",
  "keyStore" : "keystore-database",
  "keyStorePasswordPropertyName" : "sslpassword",
  "keyStorePathPropertyName" : "sslkey",
  "trustStore" : null,
  "trustStorePasswordPropertyName" : null,
  "trustStorePathPropertyName" : null,
  "username" : "QPID"
}{code}
Here the keystore "keystore-database" is referenced, containing the path to the 
keystore as well as its password (which is hidden). The path to the keystore should 
be injected into the JDBC connection string using the parameter 
"keyStorePathPropertyName"; the keystore's password should be injected into the JDBC 
connection string using the parameter "keyStorePasswordPropertyName".
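
An added example, not part of the original issue and not Broker-J code: a small audit that flags virtualhost configurations whose connectionUrl still carries a secret, checks the keystore-reference form for consistency, and produces a masked URL for logs. The host name, file paths, secret value, the extra names in SECRET_PARAMS and the checks themselves are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# "sslpassword" is the parameter shown on the page; the other names are
# assumptions added for illustration (extend the set per JDBC driver).
SECRET_PARAMS = {"sslpassword", "password", "keystorepassword", "truststorepassword"}

def _query(vhost):
    """Split connectionUrl into URL parts and its list of (key, value) pairs."""
    url = vhost["connectionUrl"]
    if not url.startswith("jdbc:"):
        raise ValueError("connectionUrl is not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])  # drop "jdbc:" so urlsplit sees vendor://host
    return parts, parse_qsl(parts.query, keep_blank_values=True)

def audit(vhost):
    """Return findings for one virtualhost config (an empty list means clean)."""
    _, pairs = _query(vhost)
    in_url = {k for k, _ in pairs}
    findings = [f"connectionUrl embeds secret parameter '{k}'"
                for k in sorted(in_url) if k.lower() in SECRET_PARAMS]
    for store in ("keyStore", "trustStore"):  # attribute prefixes from the issue
        names = [vhost.get(f"{store}{s}PropertyName") for s in ("Path", "Password")]
        if vhost.get(store) and not all(names):
            findings.append(f"{store} is referenced but a property name is missing")
        findings += [f"'{n}' is set in connectionUrl and also injected from {store}"
                     for n in names if n and n in in_url]
    return findings

def redacted_url(vhost):
    """connectionUrl with secret values masked, suitable for log output."""
    parts, pairs = _query(vhost)
    masked = [(k, "********" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return "jdbc:" + urlunsplit(parts._replace(query=urlencode(masked, safe="/*")))

# Constructed sample configs mirroring the two forms shown in the issue.
BASE = "jdbc:postgresql://db.example.test:5432/qpid?ssl=true&sslmode=verify-full"
INLINE = {"type": "JDBC", "username": "QPID", "connectionUrl": BASE
          + "&sslkey=/etc/qpid/client.pk8&sslpassword=constructed-secret"
          + "&sslrootcert=/etc/qpid/root.crt"}
REFERENCED = {"type": "JDBC", "username": "QPID",
              "connectionUrl": BASE + "&sslrootcert=/etc/qpid/root.crt",
              "keyStore": "keystore-database",
              "keyStorePasswordPropertyName": "sslpassword",
              "keyStorePathPropertyName": "sslkey"}

if __name__ == "__main__":
    for cfg in (INLINE, REFERENCED):
        print(redacted_url(cfg), audit(cfg))
```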


