Hiding keystore password from process list

Problem description

I have a Linux server and a java application. I am using Java 1.7 to run this application. I want to enable JMX for monitoring purposes. The JMX connection should be secured by SSL. So far so easy.

My problem: How do I tell the jvm the keystore-password in a secure way? So far the ssl connection only works if I pass the password over the command line parameter "-Djavax.net.ssl.keyStorePassword=mypwd". It seems that the password must be set on initialising of the jvm.

If I am looking at the process list (ps -ef) on the console I can see my java process - but with all the command line parameters. So my keystore password is listed in plain text for everyone who can list the active processes (e.g. over a snmp agent). How can I hide the password from the process list?

I have tried to use a config file (com.sun.management.config.file). It works well for all jmx specific parameters. But my password is ignored.

Is providing the password in a command line parameter in plain text really the only way?

Yes - I know that Java 1.7 is out of service. If Java 1.8 actually fixes this problem I will change immediately.

Thanks for the help!

Recommended answer

If you do System.setProperty("javax.net.ssl.keyStorePassword", "mypwd") before you use any of the SSL functionality in your program it should work. That means you should aim to set it as early after main has been called as you can. You can load your own properties file before if you like (readable only by the user running the JVM), where the password can be stored.

Update

System properties needed for management can also be set in a configuration file. From Monitoring and Management Using JMX Technology:

You can set out-of-the-box monitoring and management properties in a configuration file or on the command line. Properties specified on the command line override properties in a configuration file. The default location for the configuration file is JRE_HOME/lib/management/management.properties. The Java VM reads this file if either of the command-line properties com.sun.management.jmxremote or com.sun.management.jmxremote.port are set.

This documentation is for Java 1.8, but I guess the same applies to Java 1.7. If not, I guess you have to switch as you suggested.
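
One way to implement the properties-file suggestion from the answer above, as an added example rather than code from the original post. The class name, the default file path, and the ownership and permission checks are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public class KeystoreSecretLoader {
    // Assumed path for this example; override with the first program argument.
    private static final String DEFAULT_FILE = "/etc/myapp/ssl.properties";
    private static final String KEY = "javax.net.ssl.keyStorePassword";

    static void loadKeystorePassword(Path file) throws IOException {
        // The file must belong to the user running the JVM ...
        String owner = Files.getOwner(file).getName();
        if (!owner.equals(System.getProperty("user.name"))) {
            throw new IOException(file + " is owned by " + owner);
        }
        // ... and must not be accessible to group or others (mode 0600 or 0400).
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        Set<PosixFilePermission> ownerOnly = EnumSet.of(
                PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        if (!ownerOnly.containsAll(perms)) {
            throw new IOException(file + " is accessible beyond its owner: " + perms);
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        String password = props.getProperty(KEY);
        if (password == null || password.isEmpty()) {
            throw new IOException(KEY + " missing in " + file);
        }
        // Set in-process: the value never appears in the argument list shown by ps.
        System.setProperty(KEY, password);
    }

    public static void main(String[] args) throws IOException {
        // First statement of main, before any SSL class is touched.
        loadKeystorePassword(Paths.get(args.length > 0 ? args[0] : DEFAULT_FILE));
        System.out.println(KEY + " loaded (value not printed)");
        // ... start the rest of the application here ...
    }
}
```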
