Hello:
I've got a REST web service running on an internal network written using JAX-RS and CXF 2.2.7, and I've used the basic_https example in samples/jax_rs to encrypt the communications between client and server.

A bit about our setup:

1) I'm using a simple self-signed certificate generated with keytool, as this is more than adequate for our needs.
2) I've disabled client authentication, as this is also adequate for what I'm trying to do.

The issue I'm trying to resolve is the following: currently the XML configuration file from the server requires sec:keyManagers and sec:keyStore entries which specify the keyPassword and keystore password. I'd very much like to not have these passwords appearing in plain text in the configuration file, but I'd also rather not have to prompt the user for the password every time the server is restarted.

Is it safe to delete the file after the server has started up (assuming I generate a new certificate every time I restart the server)? I tried this using the sample server and it seemed to work fine, i.e. the server kept running and serving requests even though the config file and the JKS cert were moved after startup. I just want to make sure that wasn't a fluke.

Thanks,
-S
