Secure Coding mailing list archives
RE: Java keystore password storage
From: "Scott, Richard" <Richard.Scott () bestbuy com>
Date: Wed, 18 May 2005 16:45:23 +0100
You could of course store it in LDAP but then you are faced with how do you limit access to the LDAP tree. You could of course use a machine cert, and base access on certs to the LDAP tree. I have seen implementations that on start up the credentials are obtained from LDAP and cached. Access it limited to machine level certificates. This prevents some one access LDAP from unauthorized machines but may put extra emphasis on securing access to the server storing the machine certificate. Such a set up is also dependant on your server/application criticality and being able to depend on LDAP from an operational perspective. If you protect the LDAP information using a password you walk the same path that lead you on this journey. Cheers, R. -----Original Message----- From: Fredrik Hesse [mailto:[EMAIL PROTECTED] Sent: Monday, April 25, 2005 12:53 PM To: 'john bart '; '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] ' Subject: Re: Java keystore password storage Indeed a classic problem, unfortunately there are no platform-independant services for storing things like this. But a config-file with proper access-restrictions goes a long way.. And I guess thats the solution you're leaning against if I read between the lines. 3 is good since it doesn't require storage of the password on disk, otoh it requires human intervention which you probably want to avoid. I'm no expert on LDAP, but could anyone tell if you use a directory service to pull the password from? Regards Fredr!k -----Ursprungligt meddelande----- FrÃ¥n: john bart Till: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Skickat: 2005-04-25 09:55 Ãmne: Java keystore password storage Hello to all the list. I need some advice on where to store the keystore's password. Right now, i have something like this in my code: keystore = KeyStore.getInstance("JKS"); keystore.load(new FileInputStream("keystore.jks"),"PASSWORD"); the question is, where do i store the password string? all of the possibilities that i thought about are not good enough: 1) storing it in the code - obviously not. 2) storing it in a seperate config file is also not secure. 3) entering the password at runtime is not an option. 4) encrypting the password - famous chicken and egg problem (storing the encryption key) Any ideas? _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Current thread:
- Re: Java keystore password storage, (continued)
- Re: Java keystore password storage Blue Boar (Apr 26)
- Re: Java keystore password storage ljknews (Apr 26)
- RE: Java keystore password storage Chris Matthews (Apr 26)
- Re: Java keystore password storage Nash (Apr 27)
- Re: Java keystore password storage Blue Boar (Apr 26)
- Re: Java keystore password storage Mark (May 03)
- RE: Java keystore password storage Goertzel Karen (Apr 25)
- Re: Java keystore password storage Fredrik Hesse (Apr 25)
- RE: Java keystore password storage Michael Howard (Apr 25)
- RE: Java keystore password storage john bart (Apr 26)
- RE: Java keystore password storage Michael Howard (Apr 26)
- RE: Java keystore password storage Scott, Richard (May 18)
- RE: Java keystore password storage Scott, Richard (Jun 24)