In a previous post
I wrote how to secure Coherence communications for FMW SOA by enabling
SSL through a Coherence override file. Setting up SSL involves setting
up a keystore and truststore which are protected by a password. To
access the key- and truststores, Coherence retrieves the required
passwords from the password elements in the Coherence override files. Currently
Coherence does not support encryption of these password element values. A
possible solution to prevent clear-text keystore passwords in the
Coherence override files is to use a System Property override for these password elements.
You can override element values in the Coherence override file using the attribute system-property.
The value assigned to this attribute is the name of the System Property whose
value overrides the element value in the Coherence override file.
Let’s make it clearer using a snippet from a Coherence override file
below. The default private keystore password at line 8 is intentionally
left empty and the attribute system-property is added to the password element. The value assigned to the attribute system-property, coh.override.keyst.pwd, is the name of the System Property which is used to override the value in the password element.
Now we can set the value for the private keystore password using the
System Property ‘coh.override.keyst.pwd’. You could set this system
property for example by adding the next two lines to the

But really, this is not a great improvement: the
clear-text password has moved from one file to another! Also, the
password can now be retrieved by anyone who has access to the system by
displaying the active processes. What we have learned from this is that
the use of System Properties allows us to override the value for the
password elements in the Coherence override file. If there is a
possibility to read the keystore password values from an encrypted file
and set the corresponding system properties when starting a Managed
Server, then it would improve the protection of the keystore passwords.
Yes, it is possible. For those who are not interested in the nitty-gritty
details but just want to store the keystore passwords in the
Coherence override file in a secure manner, here the concise installation

Download the WebLogic Startup classes in CoherenceKeystorePasswordCipher.jar here.
Copy this jar into the lib folder of your domain_home and add the jar file to the classpath.
This can be done, for example, by adding the next line to the setDomainEnv.sh
Edit the Coherence override file and change all elements for which you want to secure the password.
Remove the value (password) from the password element.
Add the attribute system-property to the password element and assign a descriptive and unique system property name.
For example, change
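
A check for the override-file steps above, as an added example that is not part of the original post or of CoherenceKeystorePasswordCipher.jar: it walks a Coherence override file and reports every password element that still carries a value, lacks a system-property attribute, or reuses a property name. The sample file, its socket-provider id and the property name coh.override.trust.pwd are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): one untouched password, one converted
# as described above, one where the attribute was added but the value was left in.
SAMPLE_OVERRIDE = """
<coherence xmlns="http://xmlns.oracle.com/coherence/coherence-operational-config">
 <cluster-config><socket-providers><socket-provider id="example-ssl"><ssl>
  <identity-manager>
   <key-store>
    <url>file:identity.jks</url>
    <password>constructed-secret</password>
   </key-store>
   <password system-property="coh.override.keyst.pwd"></password>
  </identity-manager>
  <trust-manager>
   <key-store>
    <url>file:trust.jks</url>
    <password system-property="coh.override.trust.pwd">leftover</password>
   </key-store>
  </trust-manager>
 </ssl></socket-provider></socket-providers></cluster-config>
</coherence>"""


def audit_passwords(xml_text):
    """Return (path, issue) pairs for password elements that are not yet secured."""
    findings, seen_props = [], set()

    def walk(elem, path):
        name = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        here = f"{path}/{name}"
        if name == "password":
            prop = elem.get("system-property")
            if (elem.text or "").strip():
                findings.append((here, "clear-text value present"))
            if not prop:
                findings.append((here, "no system-property attribute"))
            elif prop in seen_props:
                findings.append((here, f"system property {prop} reused"))
            else:
                seen_props.add(prop)
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for path, issue in audit_passwords(SAMPLE_OVERRIDE):
        print(f"{issue}: {path}")  # the password value itself is never printed
```
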