Securing passwords in Coherence override files by Peter van Nes

Posted: May 1, 2015 in WebLogic
Tags: , , , , , ,

 

clip_image002In a previous post i wrote how to Secure Coherence communications for FMW SOA by enabling SSL through a Coherence override file. Setting up SSL involves setting up a keystore and truststore which are protected by a passsword. To access the key- and truststores Coherence retrieves the required passwords from the <password> elements in the Coherence override files. Currently Coherence does not support encryption of these password element values. A possible solution to prevent clear-text keystore passwords in the Coherence override files is to use a System Property override for these password elements.

You can override element values in the Coherence override file using the attribute system-property. The value assigned to this attribute is the System Property containing the value overriding the element value in de Coherence override file. Let’s make it more clear using a snippet from a Coherence override file below. The default private keystore password at line 8 is intentionally left empty and the attribute system-property is added to the password element. The value assigned to the attribute system-property, coh.override.keyst.pwd, is the name of the System Property which is used to override the value in the password element.

So now we can set the value for the private keystore password using the System Property ‘coh.override.keyst.pwd’. You could set this system property for example by adding the next two lines to the setDomainEnv.sh.

But really, this is not a great improvement, the clear-text password has moved from one file to another! Also the password now can be retrieved by anyone who has access to the system by displaying the active processes. What we have learned from here is that the use of System Properties allows us override the value for the password elements in the Coherence override file. If there is a possibility to read the keystore password values from an encrypted file and set the corresponding system properties when starting a Managed Server the it would improve the protection of the keystore passwords.

And yes, it is possible. For those who are not interested in the nitty gritty details but just want to store the keystore passwords in the Coherence Override file in a secure manner here the concise installation instructions first.

Download the Weblogic Startup classes in CoherenceKeystorePasswordCipher.jar here.
Copy this jar into the lib folder of your domain_home and add the jar file to the classpath.
This can be done, for example, by adding the next line to the setDomainEnv.sh
POST_CLASSPATH="${DOMAIN_HOME}/lib/CoherenceKeystorePasswordCipher.jar${CLASSPATHSEP}${POST_CLASSPATH}"

Edit the Coherence override file and change all elements for which you want to secure the password.

Remove the value (password) from the password element.

Add the attribute system-property to the password element and assign a descriptive and unique system property name

For example, change Read the complete article here.

WebLogic Partner Community

For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Forum Wiki

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s