Hi, Phil, 

In another of the responses, you seem to have recommended two approaches
for doing this - 

1. use system variable 
    (1) use java option -D to pass the value in 
    (2) export variable to pass in the value 

2. Pass the keystore and password via connection URL (like your test
case). It means that the one passed in via connection URL overrides
the one defined in config.xml, correct? 

For 1(1), the password will be exposed in JConsole. For 1(2), the
password will be in the starting script. 

The better approach is 2, where we can programmatically construct the URL.
The password can be passed in in encrypted format and can be decrypted
when constructing the URL. 

Still, it seems there is no out-of-box solution; we need to write our own
client (in the context of Synapse, we need to write our own JMSListener).
It goes back to my understanding before. 

Thanks for all the help. 

David
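
An added illustration of approach 2 above (not code from this thread or from the Qpid project): the keystore password is kept as an AES-GCM blob, decrypted at startup with a key read from an owner-only file, and placed into the connection URL, with only a redacted URL ever logged. The `key_store` and `key_store_password` broker options are those of the Qpid Java client connection URL; the class name, blob layout, key file, `guest:guest`, `clientid`, `test`, host and port are assumptions made for the example.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;

public class SslConnectionUrl {
    // Assumed blob layout: base64(12-byte nonce || AES-GCM ciphertext + 16-byte tag).
    static String decrypt(String blobB64, byte[] key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(blobB64);
        if (blob.length < 12 + 16) throw new IllegalArgumentException("blob too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(128, blob, 0, 12));
        // doFinal throws AEADBadTagException if the blob was altered or the key is wrong.
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }

    // Refuse a key file that anyone other than its owner can read, write or execute.
    static byte[] loadKey(Path keyFile) throws Exception {
        Set<PosixFilePermission> p = new HashSet<>(Files.getPosixFilePermissions(keyFile));
        p.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        if (!p.isEmpty()) throw new SecurityException(keyFile + " is accessible beyond its owner");
        return Files.readAllBytes(keyFile); // must be 16, 24 or 32 bytes for AES
    }

    static String buildUrl(String host, int port, String keyStore, String storePass) {
        // Option values are quoted with ' and separated with &, so reject
        // values that would terminate the option early.
        for (String v : new String[] {keyStore, storePass})
            if (v.contains("'") || v.contains("&"))
                throw new IllegalArgumentException("value contains ' or &");
        return "amqp://guest:guest@clientid/test?brokerlist='tcp://" + host + ":" + port
             + "?ssl='true'&key_store='" + keyStore
             + "'&key_store_password='" + storePass + "''";
    }

    // Form of the URL that is safe to write to logs.
    static String redact(String url) {
        return url.replaceAll("(key_store_password=')[^']*", "$1****");
    }

    public static void main(String[] args) throws Exception {
        // args: <key file> <base64 blob> <keystore path>, all supplied by the operator
        String pass = decrypt(args[1], loadKey(Paths.get(args[0])));
        String url = buildUrl("localhost", 5671, args[2], pass);
        System.out.println(redact(url)); // pass `url` itself only to the connection factory
    }
}
```

The blob is only as well protected as the key file, so the file's ownership and permissions are the control that matters here.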

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Phil Harvey
Sent: Tuesday, December 11, 2012 2:00 AM
To: [email protected]
Subject: Re: How to encrypt ssl keystore password in config.xml

Hi David,

You can't exactly encrypt it, but you can avoid hard coding it. You can
refer to system properties in config.xml using the form ${mypassword}.

Expose system properties to the broker before starting it like so:

export QPID_OPTS='-Dmypassword=password1'

I think the broker automatically picks up the value of system property
javax.net.ssl.keyStorePassword but iirc this depends on the broker
version and whether you're setting it for messaging connections or for
management.
I will check. By the way, what is your broker version?

A word of warning: anyone who can connect JConsole to the broker can
inspect system properties (possibly excluding
javax.net.ssl.keyStorePassword, but I'm not sure), so you should
consider ways of controlling access. The online broker documentation
describes how to apply authentication and authorisation to JMX access.

Hope that helps,
Phil
On Dec 8, 2012 12:21 AM, <[email protected]> wrote:

> Hi, Guys,
>
> Is there a way to encrypt keystore password in ssl configuration in 
> config.xml?
>
> David