How to obfuscate keystore and certificate passwords set in etc/org.ops4j.pax.web.cfg or etc/jetty.xml?
Environment
- JBoss Fuse 6.x
- JBoss A-MQ 6.x
Issue
- When configuring SSL in etc/org.ops4j.pax.web.cfg or etc/jetty.xml, how can the passwords for the Java keystore and certificate be specified in a non-plaintext format?
- Can you please tell me what the Jetty confidential port is used for? How does it differ from /etc/org.apache.karaf.shell.cfg : sshPort?
Resolution
Jetty provides a utility class that can be used to generate obfuscated passwords. These can then be set in etc/jetty.xml (or etc/org.ops4j.pax.web.cfg) instead of plain-text passwords for the Java keystore and SSL certificate.
The jetty-all-server jar file in the JBoss Fuse / JBoss A-MQ distribution contains the utility. It can be invoked from the command line, passing in the password to be obfuscated. Here is an example:
```
java -cp $JBOSS_FUSE_HOME/system/org/eclipse/jetty/aggregate/jetty-all-server/8.1.14.v20131031/jetty-all-server-8.1.14.v20131031.jar org.eclipse.jetty.util.security.Password "password"
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
MD5:5f4dcc3b5aa765d61d8327deb882cf99
```
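As an added example (not from this article or from Jetty's own sources), the following Python reimplements what the Password utility above computes for ASCII passwords, so the OBF: and MD5: lines can be reproduced and, more importantly, the OBF: line reversed: the OBF: encoding is a fixed transform with no key, and the MD5: line is an unsalted digest. The ASCII-only restriction is an assumption of this example.

```python
import hashlib

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"
OBF_PREFIX = "OBF:"


def _to_base36(n: int) -> str:
    """Lower-case base-36 string, like Java's Integer.toString(n, 36)."""
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits)) or "0"


def obfuscate(password: str) -> str:
    """Reproduce Jetty's Password.obfuscate() for an ASCII password: byte i
    is combined with its mirror byte n-1-i and written as one 4-char
    base-36 group. Assumption: ASCII input only (the tool's usual case)."""
    b = password.encode("ascii")
    n = len(b)
    groups = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        i1 = 127 + b1 + b2            # sum term, 127..381
        i2 = 127 + b1 - b2            # difference term, 0..254
        groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(groups)


def deobfuscate(obf: str) -> str:
    """Invert obfuscate(). No key or secret is involved, so whoever can read
    the OBF: string can recover the password."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    if len(s) % 4:
        raise ValueError("malformed OBF string")
    out = bytearray()
    for i in range(0, len(s), 4):
        i1, i2 = divmod(int(s[i:i + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)   # ((127+b1+b2)+(127+b1-b2)-254)/2 = b1
    return out.decode("ascii")


def md5_credential(password: str) -> str:
    """The MD5: line the tool prints alongside OBF:, an unsalted MD5 digest."""
    return "MD5:" + hashlib.md5(password.encode("ascii")).hexdigest()
```

Treat a file containing an OBF: value as if it held the plaintext: the encoding keeps the password out of casual view, but anyone who can read etc/jetty.xml or etc/org.ops4j.pax.web.cfg can recover it, so the file permissions on those files still matter.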
Next, add this password to your SSL configuration in etc/org.ops4j.pax.web.cfg:
```properties
org.ops4j.pax.web.config.file=etc/jetty.xml
org.osgi.service.http.port=8181
org.osgi.service.http.secure.enabled=true
# For disabling the Poodle SSLv3 vulnerability (CVE-2014-3566, see https://access.redhat.com/articles/1232123)
# it is necessary to exclude the SSLv3 protocol,
# which cannot be configured here. See etc/jetty.xml for that configuration instead.
org.osgi.service.http.port.secure=8183
org.ops4j.pax.web.ssl.keystore=etc/jetty-demo-keystore.ks
org.ops4j.pax.web.ssl.password=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
org.ops4j.pax.web.ssl.keystore.type=JKS
org.ops4j.pax.web.ssl.keypassword=OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
org.ops4j.pax.web.ssl.clientauthwanted=true
org.ops4j.pax.web.ssl.clientauthneeded=false
```
Or, an example using etc/jetty.xml (the SslContextFactory is passed as the connector's constructor argument, and the keystore settings are applied to the connector itself):
```xml
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
      <Set name="Port">8185</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystore"><SystemProperty name="jetty.home" default="." />/etc/jetty-demo-keystore.ks</Set>
      <Set name="password">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="keyPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="truststore"><SystemProperty name="jetty.home" default="."/>/etc/jetty-demo-keystore.ks</Set>
      <Set name="trustPassword">password</Set>
    </New>
  </Arg>
</Call>
```
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.