Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2005/11/05 23:46:19 UTC

[jira] Created: (GERONIMO-1135) Keystore password in System.properties

Keystore password in System.properties
--------------------------------------

         Key: GERONIMO-1135
         URL: http://issues.apache.org/jira/browse/GERONIMO-1135
     Project: Geronimo
        Type: Bug
  Components: security  
    Versions: 1.0-M5    
    Reporter: Aaron Mulder
    Priority: Critical
     Fix For: 1.0


If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Updated: (GERONIMO-1135) Keystore password in System.properties

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]

Vamsavardhana Reddy updated GERONIMO-1135:
------------------------------------------

    Fix Version/s: 2.0-M1
         Assignee: Vamsavardhana Reddy

> Keystore password in System.properties
> --------------------------------------
>
>                 Key: GERONIMO-1135
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.0-M5
>            Reporter: Aaron Mulder
>         Assigned To: Vamsavardhana Reddy
>            Priority: Critical
>             Fix For: 1.2, 2.0-M1
>
>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?


[jira] Commented: (GERONIMO-1135) Keystore password in System.properties

Posted by "Vamsavardhana Reddy (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=comments#action_12357966 ] 

Vamsavardhana Reddy commented on GERONIMO-1135:
-----------------------------------------------

As of revision 345477, the following plan.xml files have javax.net.ssl.keystorePassword=... entries

   configs\client-system\src\plan\plan.xml
   configs\rmi-naming\src\plan\plan.xml
   modules\assembly\src\plan\client-system-plan.xml
   modules\assembly\src\plan\naming-server-plan.xml

I hope this info is helpful.

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.1

>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?



[jira] Updated: (GERONIMO-1135) Keystore password in System.properties

Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]

Matt Hogstrom updated GERONIMO-1135:
------------------------------------

    Fix Version: 1.1
                     (was: 1.0)

Moving to 1.1 for a resolution.  Sounds like we need a way to encrypt passwords that are stored in clear text.  Anyone know of anything?  BouncyCastle maybe :)

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.1

>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?



[jira] Updated: (GERONIMO-1135) Keystore password in System.properties

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]

Aaron Mulder updated GERONIMO-1135:
-----------------------------------

    Assign To:     (was: Aaron Mulder)

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.2

>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?



[jira] Commented: (GERONIMO-1135) Keystore password in System.properties

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=comments#action_12451052 ] 
            
Vamsavardhana Reddy commented on GERONIMO-1135:
-----------------------------------------------

In server built from branches\1.1 I have examined through debugger that SystemProperties does not contain javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword.

In branches\1.2 no plan xml file has javax.net.ssl.keystorePassword=... entry.  (Only configs\rmi-naming\src\plan\plan.xml has an entry, but it is commented out and so it won't count.)

> Keystore password in System.properties
> --------------------------------------
>
>                 Key: GERONIMO-1135
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.0-M5
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.2
>
>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?


[jira] Commented: (GERONIMO-1135) Keystore password in System.properties

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=comments#action_12455876 ] 
            
Vamsavardhana Reddy commented on GERONIMO-1135:
-----------------------------------------------

I think the "SystemProperties" GBean definition can be eliminated altogether from configs\rmi-naming\src\plan\plan.xml.

> Keystore password in System.properties
> --------------------------------------
>
>                 Key: GERONIMO-1135
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.0-M5
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.2
>
>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?


[jira] Updated: (GERONIMO-1135) Keystore password in System.properties

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]

Aaron Mulder updated GERONIMO-1135:
-----------------------------------

    Fix Version: 1.1
                     (was: 1.2)
      Assign To: Aaron Mulder

I commented this out of the main configuration for 1.1, but forgot about the other ones.  Should make sure it's commented out everywhere for 1.1 and then perhaps remove for 1.2

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Assignee: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.1

>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?



[jira] Commented: (GERONIMO-1135) Keystore password in System.properties

Posted by "Kevan Miller (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=comments#action_12357889 ] 

Kevan Miller commented on GERONIMO-1135:
----------------------------------------

Matt, the "properties" are properties as in java.lang.System.getProperties(). Encryption isn't really the issue. At present, any deployed app could retrieve these password properties. It's very easy to keep these passwords out of the System properties. You can pass these properties in directly to the Factories, rather than setting them as properties. I'll try to have a look at this later today...

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.1

>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?

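Kevan Miller's suggestion in the comment above (hand the passwords to the factories directly instead of setting them as System properties), shown as an added Java example that is not Geronimo's own code. The class name, method names and the empty in-memory sample stores are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class: builds an SSLContext without touching System properties.
public class ExplicitSslContext {

    /** Build an SSLContext from stores and passwords passed in as arguments. */
    static SSLContext build(InputStream keyStore, char[] keyPass,
                            InputStream trustStore, char[] trustPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(keyStore, keyPass);                       // password used for the integrity check
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);                            // password used to recover private keys

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(trustStore, trustPass);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                                     // no password needed past this point

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Names of javax.net.ssl.* password properties readable by any code in the JVM. */
    static List<String> exposedPasswordProperties() {
        return System.getProperties().stringPropertyNames().stream()
                .filter(n -> n.startsWith("javax.net.ssl.")
                        && n.toLowerCase(Locale.ROOT).endsWith("password"))
                .sorted()
                .collect(Collectors.toList());
    }

    /** Constructed sample input: an empty in-memory store protected by the given password. */
    static byte[] emptyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, password);                          // null stream creates an empty store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] keyPass = "constructed-key-pass".toCharArray();     // constructed sample value
        char[] trustPass = "constructed-trust-pass".toCharArray(); // constructed sample value
        try {
            SSLContext ctx = build(new ByteArrayInputStream(emptyStore(keyPass)), keyPass,
                                   new ByteArrayInputStream(emptyStore(trustPass)), trustPass);
            System.out.println("protocol: " + ctx.getProtocol());
            // The passwords never entered System properties, so deployed code cannot read them there.
            System.out.println("exposed password properties: " + exposedPasswordProperties());
        } finally {
            Arrays.fill(keyPass, '\0');                   // wipe the in-memory copies
            Arrays.fill(trustPass, '\0');
        }
    }
}
```

The exposedPasswordProperties() check can also be run at server startup to confirm that no plan or launcher has put these properties back.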


Re: [jira] Closed: (GERONIMO-1135) Keystore password in System.properties

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
David,

I guess the better place for that would be in the documentation.  Do we want
to have redundant GBean definitions in configurations just to show how to
use them?  Or am I missing some point?

Vamsi

On 12/8/06, David Jencks <da...@yahoo.com> wrote:
>
> I kinda think we might want to keep the empty SystemProperties gbean
> to make it more obvious where to set them in config.xml. If we do
> this we should include an empty override in config.xml.  What do
> others think?
>
> thanks
> david jencks
>
> On Dec 7, 2006, at 11:21 AM, Vamsavardhana Reddy (JIRA) wrote:
>
> >      [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]
> >
> > Vamsavardhana Reddy closed GERONIMO-1135.
> > -----------------------------------------
> >
> >     Resolution: Fixed
> >
> > Removing the keystore related system properties did not seem to
> > break anything.  Removed "SystemProperties" GBean definition
> > altogether from the plan since there are no properties to set.
> >
> > Fixed in rev 483612.
> >
> >> Keystore password in System.properties
> >> --------------------------------------
> >>
> >>                 Key: GERONIMO-1135
> >>                 URL: http://issues.apache.org/jira/browse/
> >> GERONIMO-1135
> >>             Project: Geronimo
> >>          Issue Type: Bug
> >>      Security Level: public(Regular issues)
> >>          Components: security
> >>    Affects Versions: 1.0-M5
> >>            Reporter: Aaron Mulder
> >>         Assigned To: Vamsavardhana Reddy
> >>            Priority: Critical
> >>             Fix For: 1.2, 2.0-M1
> >>
> >>
> >> If you look at the System properties, the keystore and trust store
> >> passwords are in there.  I'm not sure who puts them in there, but
> >> we need to find a way to stop that -- or else prevent applications
> >> from reading them?

Re: [jira] Closed: (GERONIMO-1135) Keystore password in System.properties

Posted by David Jencks <da...@yahoo.com>.
I kinda think we might want to keep the empty SystemProperties gbean  
to make it more obvious where to set them in config.xml. If we do  
this we should include an empty override in config.xml.  What do  
others think?

thanks
david jencks

On Dec 7, 2006, at 11:21 AM, Vamsavardhana Reddy (JIRA) wrote:

>      [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]
>
> Vamsavardhana Reddy closed GERONIMO-1135.
> -----------------------------------------
>
>     Resolution: Fixed
>
> Removing the keystore related system properties did not seem to  
> break anything.  Removed "SystemProperties" GBean definition  
> altogether from the plan since there are no properties to set.
>
> Fixed in rev 483612.
>
>> Keystore password in System.properties
>> --------------------------------------
>>
>>                 Key: GERONIMO-1135
>>                 URL: http://issues.apache.org/jira/browse/ 
>> GERONIMO-1135
>>             Project: Geronimo
>>          Issue Type: Bug
>>      Security Level: public(Regular issues)
>>          Components: security
>>    Affects Versions: 1.0-M5
>>            Reporter: Aaron Mulder
>>         Assigned To: Vamsavardhana Reddy
>>            Priority: Critical
>>             Fix For: 1.2, 2.0-M1
>>
>>
>> If you look at the System properties, the keystore and trust store  
>> passwords are in there.  I'm not sure who puts them in there, but  
>> we need to find a way to stop that -- or else prevent applications  
>> from reading them?


[jira] Closed: (GERONIMO-1135) Keystore password in System.properties

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]

Vamsavardhana Reddy closed GERONIMO-1135.
-----------------------------------------

    Resolution: Fixed

Removing the keystore related system properties did not seem to break anything.  Removed "SystemProperties" GBean definition altogether from the plan since there are no properties to set.

Fixed in rev 483612.

> Keystore password in System.properties
> --------------------------------------
>
>                 Key: GERONIMO-1135
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.0-M5
>            Reporter: Aaron Mulder
>         Assigned To: Vamsavardhana Reddy
>            Priority: Critical
>             Fix For: 1.2, 2.0-M1
>
>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?


[jira] Updated: (GERONIMO-1135) Keystore password in System.properties

Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=all ]

Matt Hogstrom updated GERONIMO-1135:
------------------------------------

    Fix Version: 1.2
                     (was: 1.1)

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Assignee: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.2

>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?



[jira] Commented: (GERONIMO-1135) Keystore password in System.properties

Posted by "Kevan Miller (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-1135?page=comments#action_12357808 ] 

Kevan Miller commented on GERONIMO-1135:
----------------------------------------

From my scan of the code, looks like the properties are being set by security\src\java\org\apache\geronimo\security\SecurityServiceImpl.java

This isn't my cup-of-tea, but it seems that the properties are the only mechanism for specifying these passwords.

I've seen some doc (http://java.sun.com/products/jsse/install.html) that implies the System properties are cleared when the default SSLContext and default TrustManagerFactory are initialized. So, it may be a matter of performing the appropriate initialization at the appropriate time. Barring that, we'd need to have the security manager block access.

I'll have a look...

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0

>
> If you look at the System properties, the keystore and trust store passwords are in there.  I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?
