Torben Jaeger [https://community.jboss.org/people/jicken] created the discussion
"mod_cluster SSL setup/implementation (JBoss AS --> httpd)"
To view the discussion, visit:
https://community.jboss.org/message/804615#804615
--------------------------------------------------------------
Hi,
I have some small problems with how the password attribute of the ssl element in the JBoss AS7
modcluster subsystem is used.
Let's say we already have a truststore defined using system properties:
    <system-properties>
        <property name="javax.net.ssl.trustStore"
                  value="${jboss.server.config.dir}/certs/myCA.jks"/>
        <property name="javax.net.ssl.trustStorePassword"
                  value="mypasswd"/>
    </system-properties>
In addition I have different keystores for the client certificates with different
passwords.
If the password is used in the subsystem config, ModClusterSubsystemAdd.java (as shown
below) will overwrite my settings which will lead to exceptions b/c my truststore cannot
be read anymore.
    if (password.isDefined()) {
        config.setSslTrustStorePassword(password.asString());
        config.setSslKeyStorePassword(password.asString());
    }
This fact gives me two options:
1. I will set a password in the ssl element.
   This means I have to duplicate my already existing CA truststore and use the same password
   I am using for my client certificate keystore.
2. I do not set a password.
   My truststore can be read w/o modification, BUT my keystore has to use the default
   "changeit" password which needs considering due to security implications.
   This is in ModClusterConfig.java:
       private String sslKeyStorePassword = "changeit";
What I'd like to discuss is:
1. Guard the truststore password set in ModClusterSubsystemAdd.java:
       if (System.getProperty("javax.net.ssl.trustStorePassword") == null) {
           config.setSslTrustStorePassword(password.asString());
       }
2. Use the javax.net.ssl.keyStore* system properties like it's done for the
   javax.net.ssl.trustStore* ones:
       private String sslKeyStorePassword =
           System.getProperty("javax.net.ssl.keyStorePassword");
What do you think?
Thx,
Torben
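
The password precedence discussed in the post above, as an added example that is not part of the original post and is not mod_cluster code: it models the behaviour the post describes next to the behaviour it proposes and prints the resulting trust-store and key-store passwords for both cases. The class and method names are hypothetical, the sample passwords are constructed, and reading the trust-store default from the system property is an assumption based on the post; it needs Java 16 or later for the record type.

```java
import java.util.Map;

// Added illustration: class and method names are hypothetical, not mod_cluster code.
public class SslPasswordPrecedence {

    // The two passwords the subsystem ends up with after configuration.
    record Resolved(String trustStorePassword, String keyStorePassword) {}

    // Behaviour described in the post: a password on the ssl element overwrites
    // both values; without one, the key store keeps the "changeit" default.
    static Resolved current(String sslPassword, Map<String, String> sysProps) {
        // Assumption: the trust-store default is read from the system property.
        String trust = sysProps.get("javax.net.ssl.trustStorePassword");
        String key = "changeit";
        if (sslPassword != null) {
            trust = sslPassword;
            key = sslPassword;
        }
        return new Resolved(trust, key);
    }

    // Behaviour proposed in the post: keep a trust-store password that is already
    // set as a system property, and default the key-store password from
    // javax.net.ssl.keyStorePassword instead of "changeit".
    static Resolved proposed(String sslPassword, Map<String, String> sysProps) {
        String trust = sysProps.get("javax.net.ssl.trustStorePassword");
        String key = sysProps.get("javax.net.ssl.keyStorePassword");
        if (sslPassword != null) {
            if (trust == null) {
                trust = sslPassword; // guard from proposal 1
            }
            key = sslPassword;
        }
        return new Resolved(trust, key);
    }

    public static void main(String[] args) {
        // Constructed sample values; "mypasswd" mirrors the post's system property.
        Map<String, String> props = Map.of(
            "javax.net.ssl.trustStorePassword", "mypasswd",
            "javax.net.ssl.keyStorePassword", "clientKeyPw");
        for (String sslPassword : new String[] {"clientKeyPw", null}) {
            System.out.printf("ssl password attribute = %s%n  current : %s%n  proposed: %s%n",
                sslPassword, current(sslPassword, props), proposed(sslPassword, props));
        }
    }
}
```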