[prev in list] [next in list] [prev in thread] [next in thread]
List: rampart-dev
Subject: Encrypting the keystore password crypto property
From: "Andrew Fielden" <afielden () tibco ! com>
Date: 2007-02-22 11:03:49
Message-ID: 22D3B851859E2F4BAE7F4F086123C4E202DA923D () NA-PA-VBE02 ! na ! tibco ! com
[Download RAW message or body]
Hi,
I'm using Apache Rampart 1.1.
I have a question about the crypto properties, specifically the keystore
password. It's stored as a plain text property -
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=key.jks
Jetty has a facility to obfuscate a password property, and we've used
this to store the SSL keystore password in the jetty.xml config file -
<Set name="Keystore"> mykey.jks</Set>
<Set name="Password">OBF:xxxxxxxxxxxxx</Set>
However I don't know if Rampart has a similar feature. We would
obviously prefer not to store a plain text password in a file.
I would appreciate any comments, or an indication of whether it's
supported or not.
If this isn't a supported feature, then I think it should be considered,
as this is a security flaw.
Thanks.
Andrew.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic