Hiding plain text password in JVM startup argumnets. " ps -ef | grep 'javax.net.ssl.keyStorePassword'"

Question

The spring boot application's startup arguments having the trust and keystore details with plain text password.

Now I want to hide this plain text password details from process:

ps -ef | grep 'javax.net.ssl.keyStorePassword'

I have created different properties file with below details. How we can add this properties file in startup arguments?

javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword
javax.net.ssl.keyStoreType
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.trustStoreType

apangin · Answer 1 · 2020-01-13T22:54:39.043

It is possible to preload properties file using a Java Agent.

The agent code will be very simple.

StartupProps.java

import java.io.*;

public class StartupProps {

    public static void premain(String fileName) throws IOException {
        try (FileReader reader = new FileReader(fileName)) {
            System.getProperties().load(reader);
        }
    }
}

The agent also requires a manifest file:

MANIFEST.MF

Premain-Class: StartupProps

Now the agent needs to be compiled and packed into a .jar together with the manifest with the following command:

jar cvfm startupprops.jar MANIFEST.MF StartupProps.class

Now you can start your Java application with an agent, specifying the initial properties file:

java -javaagent:startupprops.jar=/path/to/initial.properties <args>

For your convenience, I've attached the prebuilt startupprops.jar

Hiding plain text password in JVM startup argumnets. " ps -ef | grep 'javax.net.ssl.keyStorePassword'"

1 Answers1

Linked