Question
I have a Linux server and a java application. I am using Java 1.7 to run this application. I want to enable JMX for monitoring purposes. The JMX connection should be secured by SSL. So far so easy.
My problem: How do I tell the jvm the keystore-password in a secure way? So far the ssl connection only works if I pass the password over the command line parameter "-Djavax.net.ssl.keyStorePassword=mypwd". It seems that the password must be set on initialising of the jvm.
If I am looking at the process list (ps -ef) on the console I can see my java process - but with all the command line parameters. So my keystore password is listed in plain text for everyone who can list the active processes (eg over a snmp agent). How can I hide the password from the process list?
I have tried to use a config file (com.sun.management.config.file). It works well for all jmx specific parameters. But my password is ignored.
Is providing the password in a command line parameter in plain text really the only way?
Yes - I know that Java 1.7 is out of service. If Java 1.8 actually fixes this problem I will change immediately.
Thanks for help!
Answer 1:
If you do System.setProperty("javax.net.ssl.keyStorePassword", "mypwd") before you use any of the SSL functionality in your program it should work. That means you should aim to set it as early after main has been called as you can. You can load your own properties file before if you like (readable only by the user running the JVM), where the password can be stored.
Update
System properties needed for management can also be set in a configuration file. From Monitoring and Management Using JMX Technology:
You can set out-of-the-box monitoring and management properties in a configuration file or on the command line. Properties specified on the command line override properties in a configuration file. The default location for the configuration file is JRE_HOME/lib/management/management.properties. The Java VM reads this file if either of the command-line properties com.sun.management.jmxremote or com.sun.management.jmxremote.port are set.
This documentation is for Java 1.8, but I guess the same applies to Java 1.7. If not, I guess you have to switch as you suggested.
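The following is an added example illustrating the approach in the answer above; it is not code from the question, the answer, or the JDK documentation. It assumes a hypothetical secrets file /etc/myapp/jmx-secrets.properties, created by the operator with mode 0600, containing the keys keystore.path and keystore.password. The password is read inside main, before any SSL class is touched, so nothing secret appears in the command line. One caveat the example works around: the built-in agent enabled by -Dcom.sun.management.jmxremote.port starts before main runs, so a property set in main is too late for it; the example therefore starts the SSL-protected RMI connector itself with the standard javax.management.remote API, and the JVM should be launched without the jmxremote.port flag.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureJmxBootstrap {

    // Hypothetical path (assumption): a properties file owned by the service
    // account, chmod 600, holding keystore.path and keystore.password.
    private static final Path SECRETS = Paths.get("/etc/myapp/jmx-secrets.properties");

    /** Refuse to use a secrets file that any other user could read or modify. */
    static void requireOwnerOnly(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new IOException(file + " must be mode 0600, found " + perms);
            }
        }
    }

    /** Load the secrets file after checking its permissions. */
    static Properties loadSecrets(Path file) throws IOException {
        requireOwnerOnly(file);
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            p.load(in);
        }
        return p;
    }

    /**
     * Start an RMI connector server whose registry and connection sockets are
     * both wrapped in SSL. The javax.net.ssl.* properties are set here, before
     * the first SSL socket factory is created, which is what makes this work.
     */
    static JMXConnectorServer startSslConnector(int port, Properties secrets) throws IOException {
        System.setProperty("javax.net.ssl.keyStore", secrets.getProperty("keystore.path"));
        System.setProperty("javax.net.ssl.keyStorePassword", secrets.getProperty("keystore.password"));

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();

        // The registry itself is exported over SSL too, so the stub lookup
        // is not a plaintext hop.
        LocateRegistry.createRegistry(port, csf, ssf);

        Map<String, Object> env = new HashMap<>();
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        Properties secrets = loadSecrets(SECRETS);
        JMXConnectorServer server = startSslConnector(9010, secrets);
        System.out.println("JMX over SSL listening at " + server.getAddress());
        // The real application starts here; ps -ef shows only the class name
        // and the JVM flags, never the keystore password.
    }
}
```

Launch it as plain `java SecureJmxBootstrap` (no -Dcom.sun.management.jmxremote.port and no -Djavax.net.ssl.keyStorePassword). Clients such as jconsole still need a truststore that trusts the server certificate, passed on their own side. The permission check is a defence in depth: the file being readable only by the JVM's user is what keeps the password out of reach of anyone who can merely list processes.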
Source: https://stackoverflow.com/questions/32011428/hiding-keystore-password-from-process-list