[jboss-dev-forums] [JBoss AS 7 Development] - how to avoid plain text keystore passwords in jboss-cli.xml?

Andreas Illg do-not-reply at jboss.com
Wed Jul 3 07:09:08 EDT 2013 

Andreas Illg [https://community.jboss.org/people/aillg] created the discussion

"how to avoid plain text keystore passwords in jboss-cli.xml?"

To view the discussion, visit: https://community.jboss.org/message/826132#826132

--------------------------------------------------------------
I am using the jboss-cli-client.jar on my jenkins machine to remotely deploy whatever jenkins has built.
The communication on port 9443 is ssl-encrypted and authenticated with self-signed certificates on both ends.
Standalone.xml provides the ${VAULT::...} mechanism to encrypt the passwords for the keystore and truststore.
On the client side this ssl configuration is stored in jboss-cli.xml but from looking at the schema
 https://github.com/wildfly/wildfly/blob/master/build/src/main/resources/docs/schema/jboss-as-cli_1_2.xsd https://github.com/wildfly/wildfly/blob/master/build/src/main/resources/docs/schema/jboss-as-cli_1_2.xsd
I don't see any similar mechanism to encrypt my keystore and truststore passwords.
(no <vault> element).

So how can I avoid plain text passwords in the jboss-cli.xml?

I tried to not specify <keyStorePassword> and <trustStorePassword> and use the system properties 
-Djavax.net.ssl.keyStorePassword=Gdesefwe and -Djavax.net.ssl.trustStorePassword=Tr3waqEq
described here
 http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization
but this only leads to a null pointer exception (not specifiying the tags) or an "invalid password" error (empty tags),
so they don't seem to be honored.

Even if they work I would have to specify them as shell environment variables since the command line arguments can be seen by anyone who is allowed to use ps.
I thought I can somehow hide the keystore/truststore passwords using the jenkins "Mask Passwords" plugin.
But how?
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/826132#826132]

Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2225]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-dev-forums/attachments/20130703/23ce2caa/attachment.html

More information about the jboss-dev-forums mailing list