Indeed a classic problem, unfortunately there are
no platform-independant services for storing things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess thats the solution you're leaning against if I read
between the lines.
3 is good since it doesn't require storage of the password on
disk, otoh it requires human intervention which you probably
want to avoid.
I'm no expert on LDAP, but could anyone tell if you use a
directory service to pull the password from?
Regards
Fredr!k
-----Ursprungligt meddelande-----
Från: john bart
Till: comp.lang.java.security@news2mail.com; SC-L@securecoding.org;
secprog@securityfocus.com; vuln-dev@securityfocus.com;
webappsec@securityfocus.com
Skickat: 2005-04-25 09:55
Ämne: Java keystore password storage
Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:
keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");
the question is, where do i store the password string? all of the
possibilities that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)
Any ideas?
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
