I need to set the following variables before invoking the remote queue.

System.setProperty("javax.net.ssl.trustStore","C:\\certs\\trustStore.jks");
System.setProperty("javax.net.ssl.keyStore","C:\\keystore\\keyStore.jks");
System.setProperty("javax.net.ssl.keyStorePassword","Demo1234");
System.setProperty("javax.net.ssl.trustStorePassword","Demo1234");

The passwords are exposed here. What is the best way to encrypt the passwords?

DarkCrow
  • What risk are you trying to obviate? If the problem is that you never want to have the plain-text password in memory, then it looks like the library you're using will not allow you to do that. – BPS Mar 23 '16 at 15:15
  • How else can we do that if I don't want to have plain text? – DarkCrow Mar 23 '16 at 17:24

1 Answer

At some point, your private key/key store password must be visible to enable secure communications to take place. It needs to be stored securely within your web/app server. And your code base needs to be securely stored and only accessible to the people who need to see it. You could store it encrypted somewhere and decrypt it for use, but your encryption and decryption algorithm would still be visible and potentially emulated, so at some point, the means to access the clear text will be available and it's merely a matter of ensuring that it's only available to as few people as possible and kept from prying eyes via your network security.

Encryption technique here, if you need it: How to encrypt String in Java

ManoDestra
  • Can you give a code sample of how to encrypt? I don't mind the password getting exposed or decrypted during runtime, but I don't want to store the password as plain text. – DarkCrow Mar 23 '16 at 17:26
  • It's going to be stored somewhere regardless. Even encrypted, the algorithm to decrypt it will be freely available and easily replicated to get the plain text again. But, if you really wish to encrypt as a minor deterrent... http://stackoverflow.com/questions/1205135/how-to-encrypt-string-in-java – ManoDestra Mar 23 '16 at 17:36
  • @Deepak *But I don't want to store the password as plain text.* But you plan on storing the means for decrypting that password as plain text. – Andrew Henle Mar 23 '16 at 17:39
  • Exactly. Your password will be on the server in some form. There's no way of fully protecting that password really. Either the password is directly in the source, or it's encrypted with the means to decrypt it easily replicable in the source. You can't protect this password in the source. You can protect it on the server, if you encrypt it and store it elsewhere (e.g. database or file system) and then decrypt it from inside your app, but if someone has access to the source, then they can get the plain text. I'd be curious as to what you're trying to protect against. What's your use case here? – ManoDestra Mar 23 '16 at 17:43
  • I need to do a handshake between my application and the MQ server before accessing the queues. The MQ server demands self-signed certs which I need to make available. MQQueueConnectionFactory factory = new MQQueueConnectionFactory(); I am trying to do this as a Spring Batch job, so I can't really use the server here. It runs as standalone Spring JMS code. – DarkCrow Mar 24 '16 at 10:05
  • What are you trying to protect against here? This password is in source code, so won't be available to anyone except developers or those who are able to access source. And providing you aren't making the JAR available on the public internet, then there should be no major problem to worry about. I'm just curious as to where the requirement is coming in to obfuscate this password. It seems rather unnecessary. If you encrypt it, it will still be easily decrypted by anyone with access to the source. And if they don't, then they wouldn't see the plain text in the first place. See what I mean? – ManoDestra Mar 24 '16 at 13:08
  • Yeah, I got it. Thanks – DarkCrow Apr 05 '16 at 10:56
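The practical takeaway from the answer and its comments is not to encrypt the password with a key that sits beside it, but to move the password out of the source and the JAR entirely and let operating-system permissions restrict who can read it. The following is an added example (not code from the question, the answer, or the IBM MQ library) of doing that for a standalone Spring Batch/JMS job like the asker's: the key store and trust store paths and passwords are read at startup from a properties file whose location comes from an environment variable, and the same `javax.net.ssl.*` properties the question sets with literals are populated from it. The environment variable name `MQ_TLS_CONFIG` and the properties file format are assumptions chosen for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/**
 * Added example, not part of the original question or answer.
 *
 * Reads the JSSE key store / trust store settings from a file outside the
 * source tree and the deployed JAR, then sets the same system properties the
 * question hard-codes. The file is expected to look like:
 *
 *   javax.net.ssl.keyStore=C:\\keystore\\keyStore.jks
 *   javax.net.ssl.keyStorePassword=<real password>
 *   javax.net.ssl.trustStore=C:\\certs\\trustStore.jks
 *   javax.net.ssl.trustStorePassword=<real password>
 *
 * Assumption: its path is supplied in the MQ_TLS_CONFIG environment variable
 * (name chosen for this example) and the file is readable only by the service
 * account that runs the batch job.
 */
public final class TlsConfigLoader {

    private static final String ENV_VAR = "MQ_TLS_CONFIG";
    private static final String[] REQUIRED = {
        "javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
        "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"
    };

    private TlsConfigLoader() {}

    /** Loads the settings and applies them to System properties; fails closed if anything is missing. */
    public static void load() throws IOException {
        String location = System.getenv(ENV_VAR);
        if (location == null || location.isEmpty()) {
            // No silent fallback to a built-in password: that would put the secret back in the source.
            throw new IllegalStateException(ENV_VAR + " is not set");
        }
        Path file = Paths.get(location);
        rejectIfReadableByOthers(file);

        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        for (String key : REQUIRED) {
            String value = props.getProperty(key);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("missing " + key + " in " + file);
            }
            System.setProperty(key, value);
        }
    }

    /** On POSIX file systems, refuse a config file that group or others can read. */
    private static void rejectIfReadableByOthers(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IllegalStateException(file + " is readable by group/others; restrict it to the service account");
            }
        } catch (UnsupportedOperationException e) {
            // Windows (as in the question's C:\ paths) has no POSIX mode bits;
            // restrict the file with an NTFS ACL to the service account instead.
        }
    }

    public static void main(String[] args) throws IOException {
        load();
        // From here on the default JSSE context picks up the properties, so the
        // MQQueueConnectionFactory handshake proceeds exactly as with the literals.
        System.out.println("Using key store " + System.getProperty("javax.net.ssl.keyStore"));
    }
}
```

Call `TlsConfigLoader.load()` before the first `MQQueueConnectionFactory` use (for a Spring Batch job, for example from the job's `main` before the application context is created). The password still exists in clear text on the host, as the answer says it must, but it now lives in one file that the service account can read and the source repository, build artifacts, and other users of the machine cannot.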