Posted to users@activemq.apache.org by mevans7 <ma...@morpho.com> on 2017/06/06 20:17:43 UTC

NettyConnector explicitly initializes SSLContext instead of using default

BOTTOM LINE: 
I need a secure way to initialize the SSLContext in
org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnector.  (No
keystore password in system properties.) 

USE CASE: 
I'm trying to configure a client to read JMS messages from Wildfly using
SSL.  This works ONLY if I specify these either with -D or
System.setProperty(): 

-Djavax.net.ssl.keyStore=<my-keystore-file-path>
-Djavax.net.ssl.keyStorePassword=<my-key-pass>
-Djavax.net.ssl.trustStore=<my-truststore-file-path>
-Djavax.net.ssl.trustStorePassword=<my-trust-pass>

My problem is this: for security purposes, I cannot put the password in the
System properties.  (These are too easy to dump out using various tools.) 

So, I programmatically initialize the default SSLContext.  BUT,
NettyConnector does not use the default SSLContext.  It explicitly reads the
above properties and creates its own SSLContext. 

QUESTION: 
- How can I securely pass the truststore and keystore passwords to
NettyConnector? 
- Why doesn't NettyConnector just use the default SSLContext, which can be
configured with the same system parameters as above? 



--
View this message in context: http://activemq.2283324.n4.nabble.com/NettyConnector-explicitly-initializes-SSLContext-instead-of-using-default-tp4727120.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: NettyConnector explicitly initializes SSLContext instead of using default

Posted by mevans7 <ma...@morpho.com>.
Thanks Justin.  This confirms my findings.

Regarding passwords residing on the machine, we have requirements that no
passwords be available in system properties (where tools like JConsole have
easy access).  The ARTEMIS-590 issue covers it exactly.

Regards,
Mark



--
View this message in context: http://activemq.2283324.n4.nabble.com/NettyConnector-explicitly-initializes-SSLContext-instead-of-using-default-tp4727120p4728151.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: NettyConnector explicitly initializes SSLContext instead of using default

Posted by Justin Bertram <jb...@redhat.com>.
I just noticed that you said you were attempting to connect to Artemis in Wildfly, and I believe that's going to be a 1.5.x version (or perhaps earlier) without this new feature.

FWIW, whether you set the values in system properties on the command line or programmatically, or whether you configure the default SSL context, the keystore and truststore passwords are going to reside on the machine in plain text.  I'm not sure there's any way to get around that.


Justin

----- Original Message -----
From: "Justin Bertram" <jb...@apache.org>
To: users@activemq.apache.org
Sent: Tuesday, June 6, 2017 3:35:11 PM
Subject: Re: NettyConnector explicitly initializes SSLContext instead of using default

What version are you using?  There is an option in 2.1 to use the default SSL context.  See https://issues.apache.org/jira/browse/ARTEMIS-590.


Justin


Re: NettyConnector explicitly initializes SSLContext instead of using default

Posted by Justin Bertram <jb...@apache.org>.
What version are you using?  There is an option in 2.1 to use the default SSL context.  See https://issues.apache.org/jira/browse/ARTEMIS-590.


Justin

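The approach discussed in this thread, shown as an added example that is not code from the thread or from the Artemis project: the client builds the JVM default SSLContext itself from keystore and truststore files, taking the passwords as char[] from a prompt (or a permission-restricted file or secrets service) rather than from javax.net.ssl.* system properties, and wipes them once the context is built. The connector URL parameter useDefaultSslContext=true is my recollection of the option ARTEMIS-590 added in 2.1; the thread itself only says "an option in 2.1", so treat the parameter name as an assumption and check it against your Artemis version's documentation. File paths, host and port are placeholders.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Installs a programmatically built SSLContext as the JVM default so that an
 * Artemis client can use it without any javax.net.ssl.* system property being
 * set (and therefore without a keystore password being visible to JConsole or
 * any other tool that dumps System properties).
 */
public final class DefaultSslContextInitializer {

    private DefaultSslContextInitializer() {}

    /**
     * Builds and installs the default SSLContext. Both password arrays are
     * zeroed before returning, whether or not initialization succeeds.
     */
    public static SSLContext installDefault(String keyStorePath, char[] keyStorePassword,
                                            String trustStorePath, char[] trustStorePassword)
            throws Exception {
        try {
            // Key material the client presents to the broker.
            KeyStore ks = loadKeyStore(keyStorePath, keyStorePassword);
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePassword);

            // CA certificates the client trusts for the broker's certificate.
            KeyStore ts = loadKeyStore(trustStorePath, trustStorePassword);
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            SSLContext.setDefault(ctx);   // what SSLContext.getDefault() now returns
            return ctx;
        } finally {
            // The factories have copied what they need; do not leave the
            // secrets lying around on the heap longer than necessary.
            Arrays.fill(keyStorePassword, '\0');
            Arrays.fill(trustStorePassword, '\0');
        }
    }

    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True only if none of the javax.net.ssl.* secrets ended up in System properties. */
    public static boolean noPasswordsInSystemProperties() {
        return System.getProperty("javax.net.ssl.keyStorePassword") == null
            && System.getProperty("javax.net.ssl.trustStorePassword") == null;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths; in a real deployment these come from configuration.
        String keyStorePath = "/etc/app/client-keystore.jks";
        String trustStorePath = "/etc/app/client-truststore.jks";

        // Passwords are read interactively here for demonstration. A secrets
        // service or a root-only file works the same way: anything that yields
        // a char[] without ever touching System.setProperty().
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console attached; supply passwords another way");
        }
        char[] ksPass = console.readPassword("keystore password: ");
        char[] tsPass = console.readPassword("truststore password: ");

        installDefault(keyStorePath, ksPass, trustStorePath, tsPass);

        if (!noPasswordsInSystemProperties()) {
            throw new IllegalStateException("a keystore password leaked into System properties");
        }

        // Assumed Artemis 2.1+ connector URL (per ARTEMIS-590): with
        // useDefaultSslContext=true NettyConnector uses SSLContext.getDefault()
        // instead of reading javax.net.ssl.* properties. Pass this URL to
        // org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.
        String brokerUrl = "tcp://broker.example.internal:61617?sslEnabled=true&useDefaultSslContext=true";
        System.out.println("connect with: " + brokerUrl);
    }
}
```

Note that this only relocates the secret, as Justin points out: the password still has to exist somewhere the process can read it. What changes is the exposure surface, since a char[] that is zeroed after use is not enumerable through JMX or a properties dump the way a -D value is. Against a Wildfly-embedded Artemis 1.5.x, which lacks the useDefaultSslContext option, NettyConnector will still build its own context from the system properties and this code will not help.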