stackoom
  简体   繁体   中英

Installing a certificate in Glassfish v4 without storing password in config files

 原文  2017-08-22 14:13:28       keystore/ glassfish-4/ glassfish-4.1/ keystore-access

Question

I have a wildcard certificate I want to install in a Glassfish v4 server. After converting certificate format and importing it to java keystore (using commands already discussed in other topics) we have to configure file domain.xml to include a password for JKS. Something like: 

<jvm-options>-Djavax.net.ssl.keyStore=/myappdir/keystore.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStore=/myappdir/cacerts.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.keyAlias=myapp-cert</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStoreAlias=myapp-cert</jvm-options>
<jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=myapp-cert</jvm-options>

The problem here is that a password for JKS must be inserted into file domain.xml (see -Djavax.net.ssl.trustStorePassword=changeit ), which I think is not a good deal for security reasons.

Does anyone knows a better way of importing a certificate to glassfish v4 without storing the password into configuration files?

1 answers

solution1
 2 ACCPTED  2017-08-22 15:11:57

In general, you can avoid storing sensitive data in the domain.xml using an alias.

For example, assuming I have a DB password of "secretDBpassword" for a production database used for "myApp" I could do the following:

Create a password alias: 

asadmin> create-password-alias myApp-production-db
Please enter the alias password>   // enter secretDBpassword
Please enter the alias password again>  // enter secretDBpassword
Command create-password-alias executed successfully.

Set the value of the password property to: 

${ALIAS=myApp-production-db}

This doesn't have to be used for passwords. Any string can be stored as an alias.

In your case, however, we're talking about the password used for the keystore and truststore. This is the Master Password and can be set with an asadmin command: 

asadmin> change-master-password

Documentation for change-master-password

As you noted in your example, the default is changeit , which is well known, so it is a good idea to "change it"!

Using the master password in this way will avoid the need for specifying any password in JVM options or anywhere in the domain.xml.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Importing a Certificate into Glassfish and Changing the Master Password Storing and retrieving SecretKey without user password How to connect to MySQL from Java without storing password as plaintext Create a self signed certificate for localhost and import it in Glassfish Extract Certificate - Unknown password Import SSL certificate into Glassfish 4.x Change Master Password on Payara/Glassfish Server Storing user/password GIT permanent How to change server certificate of HTTPS listener under Glassfish 2.1.1? Storing an X.509 certificate in a Java keystore
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM