James Raitsev

Reputation: 96391

On Java SSL jvmArgs

Currently I include

jvmArg=-Djavax.net.ssl.keyStore=/cfg/secret
jvmArg=-Djavax.net.ssl.keyStorePassword=123456 a.b.c.Proxy

What would be the alternative notation where the password is not stored in clear text?

Upvotes: 0

Views: 246

Answers (1)

Bruno

Reputation: 122649

You would have to build an X509KeyManager manually and initialise it by loading a KeyStore programmatically. When loading the keystore, you call its load(...) method which will take a password (you could use a callback if necessary).

If you want your application to run unattended, your password will be obfuscated at best, not strongly encrypted (since your application will need to be able to decrypt it when required without a further password). It can be worth the effort, but not always (since an attacker may just be able to get that obfuscated version and de-obfuscate it easily).

(One of the problems with JVM args is that they may be visible in the process argument list, depending on your environment. Setting the system properties within your application when it starts might help in some cases.)

Upvotes: 2
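A sketch of the approach described in the answer above, added here as an example and not code from the answer's author: the keystore is loaded programmatically and its key managers are handed to an `SSLContext`, so no password appears in the JVM arguments. The class name `KeyStoreBootstrap` and the `PasswordSource` interface are hypothetical; the example assumes an attended start where the password is read from the console.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;

public class KeyStoreBootstrap {

    /** Hypothetical hook for where the password comes from (console, secrets service, ...). */
    interface PasswordSource { char[] get() throws Exception; }

    static SSLContext buildContext(Path keyStorePath, PasswordSource source) throws Exception {
        char[] password = source.get();
        try {
            // Load the keystore from disk; load(...) verifies integrity with the password.
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(keyStorePath)) {
                ks.load(in, password);
            }
            // The factory's key managers include the X509KeyManager used for TLS.
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            KeyManager[] keyManagers = kmf.getKeyManagers();
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(keyManagers, null, null); // null = JVM default trust managers and RNG
            return ctx;
        } finally {
            Arrays.fill(password, '\0'); // do not keep the password array around
        }
    }

    public static void main(String[] args) throws Exception {
        Path path = Paths.get(args[0]); // keystore path, e.g. the file from the question
        PasswordSource prompt = () -> {
            Console console = System.console();
            if (console == null) {
                throw new IllegalStateException("No console; supply another PasswordSource");
            }
            return console.readPassword("Keystore password: ");
        };
        // Replaces what the javax.net.ssl.keyStore* system properties would have configured.
        SSLContext.setDefault(buildContext(path, prompt));
        System.out.println("Default TLS context initialised");
    }
}
```

For an unattended start, the `PasswordSource` would have to read the password from somewhere the process can reach on its own, which is the obfuscation trade-off the answer describes.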
