Posted to dev@qpid.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2024/01/26 14:39:00 UTC

[jira] [Commented] (QPID-8667) [Broker-J] Database connection with client certificate authentication exposes keystore / truststore passwords

    [ https://issues.apache.org/jira/browse/QPID-8667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17811303#comment-17811303 ] 

ASF GitHub Bot commented on QPID-8667:
--------------------------------------

dakirily opened a new pull request, #236:
URL: https://github.com/apache/qpid-broker-j/pull/236

   This PR addresses JIRA [QPID-8667](https://issues.apache.org/jira/browse/QPID-8667), adding functionality to hide keystore / truststore passwords when configuring a database connection with client certificate authentication.




> [Broker-J] Database connection with client certificate authentication exposes keystore / truststore passwords
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8667
>                 URL: https://issues.apache.org/jira/browse/QPID-8667
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-9.1.0
>            Reporter: Daniil Kirilyuk
>            Priority: Minor
>             Fix For: qpid-java-broker-9.1.1
>
>
> JDBC allows supplying datasource parameters via the JDBC connection string in the form: jdbc:<vendor>://<hostname>:<port>/<database>?key1=value1&key2=value2&key3=value3
> The relevant configuration for a virtualhost for PostgreSQL looks like the following:
> {code:java}
> {
>   "type" : "JDBC",
>   "connectionPoolType" : "BONECP",
>   "connectionUrl": "jdbc:postgresql://<hostname>:<port>/<database_name>?ssl=true&sslmode=verify-full&sslkey=<path_to_ssl_key_file>&sslpassword=<ssl_key_file_password>&sslrootcert=<path_to_root_certificate>",
>   "username": "QPID",
>   "password": null
> } {code}
> To hide sensitive parameters like keystore / truststore passwords, the configuration should reference a keystore or truststore instead, providing the RDBMS-specific parameter names:
> {code:java}
> {
>   "name" : "default",
>   "type" : "JDBC",
>   "connectionPoolType" : "BONECP",
>   "connectionUrl" : "jdbc:postgresql://<hostname>:<port>/<database_name>?ssl=true&sslmode=verify-full&sslrootcert=<path_to_root_certificate>",
>   "keyStore" : "keystore-database",
>   "keyStorePasswordPropertyName" : "sslpassword",
>   "keyStorePathPropertyName" : "sslkey",
>   "trustStore" : null,
>   "trustStorePasswordPropertyName" : null,
>   "trustStorePathPropertyName" : null,
>   "username" : "QPID"
> }{code}
> Here the keystore "keystore-database" is referenced, containing the path to the keystore as well as its password (which is hidden). The path to the keystore should be injected into the JDBC connection string using the parameter "keyStorePathPropertyName"; the keystore's password should be injected into the JDBC connection string using the parameter "keyStorePasswordPropertyName".



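The injection described in the issue, sketched as an added example (not code from the Qpid pull request): the stored connectionUrl carries no secret, the keystore path and password are appended under the configured property names only at connect time, and a masked form is what gets logged. Class and method names, the host, the paths and the password are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class JdbcUrlSecretInjection {

    // Appends key=value pairs to the stored URL at connect time. Values are
    // URL-encoded so a password containing '&' or '=' cannot add or alter
    // parameters (assumption: the JDBC driver URL-decodes query values).
    static String effectiveUrl(String storedUrl, Map<String, String> injected) {
        StringBuilder url = new StringBuilder(storedUrl);
        char sep = storedUrl.indexOf('?') < 0 ? '?' : '&';
        for (Map.Entry<String, String> e : injected.entrySet()) {
            if (e.getKey() == null || e.getValue() == null) continue; // e.g. no truststore set
            url.append(sep).append(e.getKey()).append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return url.toString();
    }

    // Masks the values of the named parameters so the URL can be logged or displayed.
    static String redact(String url, Set<String> secretNames) {
        int q = url.indexOf('?');
        if (q < 0) return url;
        StringBuilder out = new StringBuilder(url.substring(0, q));
        char sep = '?';
        for (String pair : url.substring(q + 1).split("&")) {
            String key = pair.split("=", 2)[0];
            out.append(sep).append(secretNames.contains(key) ? key + "=********" : pair);
            sep = '&';
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; host, paths and password are placeholders.
        String stored = "jdbc:postgresql://db.example.test:5432/qpid?ssl=true"
                + "&sslmode=verify-full&sslrootcert=/constructed/root.crt";
        Map<String, String> injected = new LinkedHashMap<>();
        injected.put("sslkey", "/constructed/client.pk8"); // keyStorePathPropertyName
        injected.put("sslpassword", "p&ss=word");          // keyStorePasswordPropertyName
        String effective = effectiveUrl(stored, injected);
        System.out.println("stored: " + stored);
        System.out.println("logged: " + redact(effective, Set.of("sslpassword")));
        // Only 'effective' (never logged) would go to java.sql.DriverManager.getConnection.
    }
}
```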