On 29/11/2011 20:39, Mark Kharitonov wrote: > Hi. > I have followed the Restlet HTTPS guide > (http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet/213-restlet.html) > to configure HTTPS. In particular, it results in a code similar to this one: > > parameters.add("sslContextFactory", PkixSslContextFactory.class.getName()); > parameters.add("keystorePath", "c:\\dev\\poc\\il-mark-lt.jks"); > parameters.add("keystorePassword", PASSWORD); > parameters.add("keyPassword", PASSWORD); > parameters.add("keystoreType", "JKS"); > > Where the PASSWORD is the password used to protect the key store as well as > the used key value pair. My question is what is the importance of this > password? It appears in clear text, so either it is unimportant (please, > explain why) or this is a severe security hole (please, explain how to fix > it).
The password is there to protect access to the private keys and the keystore. In a server, you will almost certainly want to grant access to your key in a non-attended environment, i.e. let the application read the private key with the user needing to type in anything. For this, you'll need to configure your server to have access to the private key, by giving it the password for the keystore. Most servers do this (unless you go down the route of more granular access to the key, via the OS for example with the KeyChain on OSX). Apache Httpd, for example, doesn't use a password for its HTTPS configuration, but requires you not to have protected the private key with a password, which ends up being the same. In a production environment (even in a dev. environment in fact), you probably shouldn't hard-code the password in your source code, but read it from a configuration file, which would not be readable by any user other than the one running the server. Best wishes, Bruno. ------------------------------------------------------ http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2889304
