I have seen some architectures where machine certificates are used to gain access to a directory service to access resource information such as passwords to a keystore.
The different solutions to the same core problem doesn't really give a lot of protection, but each has their benefits. If the server is rooted, then the malicious user may well have access to such credentials/resources, if they have time to pay around. Using an indexing to obtain the password such as LDAP et al allows for greater ease of maintenance if one has a large scale of machines to manage. On the other hand, storing passwords in property files, with correct ACL's makes system maintenance pretty easy - but the attack could quite easily grep this information. IMHO - the best solution depends on your threat models. Cheers, R. -----Original Message----- From: Fredrik Hesse [mailto:[EMAIL PROTECTED] Sent: Monday, April 25, 2005 12:53 PM To: 'john bart '; '[EMAIL PROTECTED] '; '[email protected] '; '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] ' Subject: Re: Java keystore password storage Indeed a classic problem, unfortunately there are no platform-independant services for storing things like this. But a config-file with proper access-restrictions goes a long way.. And I guess thats the solution you're leaning against if I read between the lines. 3 is good since it doesn't require storage of the password on disk, otoh it requires human intervention which you probably want to avoid. I'm no expert on LDAP, but could anyone tell if you use a directory service to pull the password from? Regards Fredr!k -----Ursprungligt meddelande----- Från: john bart Till: [EMAIL PROTECTED]; [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Skickat: 2005-04-25 09:55 Ämne: Java keystore password storage Hello to all the list. I need some advice on where to store the keystore's password. Right now, i have something like this in my code: keystore = KeyStore.getInstance("JKS"); keystore.load(new FileInputStream("keystore.jks"),"PASSWORD"); the question is, where do i store the password string? all of the possibilities that i thought about are not good enough: 1) storing it in the code - obviously not. 2) storing it in a seperate config file is also not secure. 3) entering the password at runtime is not an option. 4) encrypting the password - famous chicken and egg problem (storing the encryption key) Any ideas? _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
