hiding keystore password from process list

Submitted by 浪子不回头ぞ on 2020-06-01 04:07:07

Question


I have a Linux server and a java application. I am using Java 1.7 to run this application. I want to enable JMX for monitoring purposes. The JMX connection should be secured by SSL. So far so easy.

My problem: How do I tell the jvm the keystore-password in a secure way? So far the ssl connection only works if I pass the password over the command line parameter "-Djavax.net.ssl.keyStorePassword=mypwd". It seems that the password must be set on initialising of the jvm.

If I am looking at the process list (ps -ef) on the console I can see my java process - but with all the command line parameters. So my keystore password is listed in plain text for everyone who can list the active processes (e.g. over an SNMP agent). How can I hide the password from the process list?

I have tried to use a config file (com.sun.management.config.file). It works well for all jmx specific parameters. But my password is ignored.

Is providing the password in a command line parameter in plain text really the only way?

Yes - I know that Java 1.7 is out of service. If Java 1.8 actually fixes this problem I will change immediately.

Thanks for help!


Answer 1:


If you do System.setProperty("javax.net.ssl.keyStorePassword", "mypwd") before you use any of the SSL functionality in your program it should work. That means you should aim to set it as early after main has been called as you can. You can load your own properties file before if you like (readable only by the user running the JVM), where the password can be stored.


Update

System properties needed for management can also be set in a configuration file. From Monitoring and Management Using JMX Technology:

You can set out-of-the-box monitoring and management properties in a configuration file or on the command line. Properties specified on the command line override properties in a configuration file. The default location for the configuration file is JRE_HOME/lib/management/management.properties. The Java VM reads this file if either of the command-line properties com.sun.management.jmxremote or com.sun.management.jmxremote.port are set.

This documentation is for Java 1.8, but I guess the same applies to Java 1.7. If not, I guess you have to switch as you suggested.
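
The approach from the first part of this answer, as an added example that is not part of the original answer: load the keystore password from an owner-only properties file and set it as a system property at the very start of main, so it never appears in the process arguments. The class name, the file path /etc/myapp/ssl.properties and the rule of copying only javax.net.ssl.* keys are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public class KeystorePasswordLoader {

    // Hypothetical location; pass a different path as the first argument.
    private static final String DEFAULT_FILE = "/etc/myapp/ssl.properties";

    // Any of these bits means someone other than the owner can access the file.
    private static final Set<PosixFilePermission> NOT_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    static void loadSslProperties(Path file) throws IOException {
        // Refuse a file that group or others can access (chmod 600 expected).
        for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
            if (NOT_OWNER.contains(p)) {
                throw new SecurityException(file + " must be owner-only, found " + p);
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        // Copy only javax.net.ssl.* keys so the file cannot override unrelated properties.
        for (String name : props.stringPropertyNames()) {
            if (name.startsWith("javax.net.ssl.")) {
                System.setProperty(name, props.getProperty(name));
            }
        }
        if (System.getProperty("javax.net.ssl.keyStorePassword") == null) {
            throw new IllegalStateException("javax.net.ssl.keyStorePassword missing in " + file);
        }
    }

    public static void main(String[] args) throws IOException {
        // First statement of main, before any SSL class is touched.
        loadSslProperties(Paths.get(args.length > 0 ? args[0] : DEFAULT_FILE));
        // ... start the application here ...
        System.out.println("keystore password loaded from file, not from argv");
    }
}
```

The properties file would contain a line such as javax.net.ssl.keyStorePassword=mypwd and be owned by the account that runs the JVM.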



Source: https://stackoverflow.com/questions/32011428/hiding-keystore-password-from-process-list
