List:       rampart-dev
Subject:    Encrypting the keystore password crypto property
From:       "Andrew Fielden" <afielden () tibco ! com>
Date:       2007-02-22 11:03:49
Message-ID: 22D3B851859E2F4BAE7F4F086123C4E202DA923D () NA-PA-VBE02 ! na ! tibco ! com

Hi,

I'm using Apache Rampart 1.1. 

I have a question about the crypto properties, specifically the keystore
password. It's stored as a plain text property -

org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=key.jks

Jetty has a facility to obfuscate a password property, and we've used
this to store the SSL keystore password in the jetty.xml config file -

<Set name="Keystore"> mykey.jks</Set>
<Set name="Password">OBF:xxxxxxxxxxxxx</Set> 

However I don't know if Rampart has a similar feature. We would
obviously prefer not to store a plain text password in a file.

I would appreciate any comments, or an indication of whether it's
supported or not.
If this isn't a supported feature, then I think it should be considered,
as this is a security flaw.

Thanks.
Andrew.
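
An added example, not part of the original message and not Rampart or Jetty code: a Python audit that flags the two password forms quoted above (the Merlin keystore password property and the Jetty `Password` element) and reports when the file holding them is readable by group or other. The sample file names and contents are constructed from the snippets in the message; `audit_file` and `demo` are hypothetical names.

```python
import os
import pathlib
import re
import tempfile

# Property named in the message; whatever follows '=' is the keystore password.
MERLIN_KEY = "org.apache.ws.security.crypto.merlin.keystore.password"
PROP_RE = re.compile(r"^\s*" + re.escape(MERLIN_KEY) + r"\s*[=:]\s*(\S.*)$")
# jetty.xml form quoted in the message. OBF: is reversible obfuscation, not encryption.
JETTY_RE = re.compile(r'<Set\s+name="Password">\s*([^<]+?)\s*</Set>')


def audit_file(path):
    """Return (line_no, finding) tuples; line_no 0 marks a file-level finding."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if line.lstrip().startswith(("#", "!")):
                continue  # .properties comment line
            if PROP_RE.match(line):
                findings.append((no, "plaintext keystore password"))
            m = JETTY_RE.search(line)
            if m:
                kind = "obfuscated" if m.group(1).startswith("OBF:") else "plaintext"
                findings.append((no, kind + " Jetty password"))
    if findings and mode & 0o044:  # read bit set for group or other
        findings.append((0, "readable by group/other (mode %o)" % mode))
    return findings


def demo():
    samples = {  # constructed contents modelled on the message
        "crypto.properties": (MERLIN_KEY + "=password\n"
                              "org.apache.ws.security.crypto.merlin.file=key.jks\n", 0o644),
        "jetty.xml": ('<Set name="Keystore">mykey.jks</Set>\n'
                      '<Set name="Password">OBF:xxxxxxxxxxxxx</Set>\n', 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (text, mode) in samples.items():
            path = pathlib.Path(tmp, name)
            path.write_text(text, encoding="utf-8")
            path.chmod(mode)
            results[name] = audit_file(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check assumes POSIX file modes; on other platforms the mode bits do not reflect the effective access control.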
