[ 
https://issues.apache.org/jira/browse/SOLR-10307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341189#comment-16341189
 ] 

Michael Suzuki edited comment on SOLR-10307 at 1/26/18 3:57 PM:
----------------------------------------------------------------

[~manokovacs] I noticed the following line of code in SSLConfigurations.java:
{code:java}
if (isEmpty(System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD))
    && !(isEmpty(clientTruststorePassword) && isEmpty(truststorePassword))) {
{code}
Why do we check for SysProps.SSL_TRUST_STORE_PASSWORD? When that is populated, 
the SSL fails to start correctly.
To recreate the issue, start Solr with SSL and pass the following:
{code} -Djavax.net.ssl.keyStorePassword=yourpassword. {code}
As System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD) is not empty, it 
will skip the block of code and as a result it is unaware of the password and 
defaults to secret as per the jetty-ssl.xml.


was (Author: michaelsuzuki):
[~manokovacs] I noticed the following line of code in SSLConfigurations.java:
{code:java}
if (isEmpty(System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD))
    && !(isEmpty(clientTruststorePassword) && isEmpty(truststorePassword))) {
{code}
Why do we check for SysProps.SSL_TRUST_STORE_PASSWORD? When that is populated, 
the SSL fails to start correctly.
To recreate the issue, start Solr with SSL and pass the following:
{code} -Djavax.net.ssl.keyStorePassword=yourpassword. {code}
As System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD) is not empty, it 
will skip the block of code, as a result it is unaware of the password and 
defaults to secret as per the jetty-ssl.xml.

> Provide SSL/TLS keystore password a more secure way
> ---------------------------------------------------
>
>                 Key: SOLR-10307
>                 URL: https://issues.apache.org/jira/browse/SOLR-10307
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Mano Kovacs
>            Assignee: Mark Miller
>            Priority: Major
>             Fix For: 6.7, 7.0
>
>         Attachments: SOLR-10307.2.patch, SOLR-10307.patch, SOLR-10307.patch, 
> SOLR-10307.patch
>
>
> Currently the only way to pass server and client side SSL keystore and 
> truststore passwords is to set specific environment variables that will be 
> passed as system properties, through a command line parameter.
> First option is to pass passwords through environment variables which gives a 
> better level of protection. Second option would be to use Hadoop credential 
> provider interface to access credential store.


