Protecting passwords in Java

Storing keystore and private key passwords as plain text in keystore.conf poses a security risk, so Advanced Message Security provides a tool that scrambles those passwords using a key that the user supplies.


Before starting

The owner of the keystore.conf file must ensure that only the file owner can read and write the file. The password protection described in this topic is only an additional measure of protection, not a substitute for restricting access to the file. You should also perform this procedure on a secure system.


Procedure

  1. Edit the keystore.conf file to include all the required information, including the passwords that require protecting. Note that jceks.encrypted is set to no at this stage.
    jceks.keystore = c:/Documents and Settings/Alice/AliceKeystore
    jceks.certificate = AliceCert
    jceks.encrypted = no
    jceks.keystore_pass = passw0rd
    jceks.key_pass = passw0rd
    jceks.provider = IBMJCE
    
  2. Place the encryption key used to encrypt the passwords in a file that is accessible only to the user protecting the keystore.conf file. Anyone who can read this key file can recover the protected passwords, so restrict its permissions in the same way as keystore.conf:
    ThisIsAnExampleEncryptionKey 
    
  3. Run the runamscred command to protect the keystore.conf file, providing the location of the encryption key file.
    runamscred -f <location of keystore.conf> -sf <location of encryption keyfile>
  4. Verify that the keystore.conf file has been protected: jceks.encrypted now reads yes, and the jceks.keystore_pass and jceks.key_pass values begin with the <AMS> prefix instead of the plain-text passwords.


Example

The following example shows what a protected keystore.conf file looks like:
jceks.keystore = c:/Documents and Settings/Alice/AliceKeystore
jceks.certificate = AliceCert
jceks.encrypted = yes
jceks.keystore_pass = <AMS>1!62K/a4RinT+bks4RjFWx4A==!Vhi/RjIN2FH5qStUJ/0hsgKyn2IdMuhanemRRDrJqHM=
jceks.key_pass = <AMS>1!qmnxY++rsOUtZfDSgwcR1g==!VmWVREdVkNp1xYJstvuW64ph5vxxf7SPoqtsXxYh2Tk=
jceks.provider = IBMJCE
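The following script is an added example for the verification step of the procedure above (step 4) and is not part of the IBM MQ documentation or of the runamscred tool itself. It assumes a Unix-like host where file permissions can be read with ls -l (on Windows, inspect the file's ACL instead) and the keystore.conf layout shown on this page (one key = value entry per line). The check function name, the sample files and the temporary directory are constructed for this example.

```shell
# Added example: post-run check for a protected keystore.conf.
# A file passes when
#   1. it is readable and writable by its owner only (mode 600),
#   2. jceks.encrypted is "yes", and
#   3. jceks.keystore_pass and jceks.key_pass both begin with the <AMS>
#      prefix that a protected value carries, so no plain-text password remains.
# check_keystore_conf returns 0 on success, 1 otherwise, printing one line
# per failed check.

# Print the value of one "key = value" entry in a file (empty if absent).
conf_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_keystore_conf() {
    conf="$1"
    rc=0

    [ -f "$conf" ] || { echo "FAIL: $conf does not exist"; return 1; }

    # 1. Owner-only permissions. The first 10 characters of ls -l are the
    #    type and mode bits; a trailing '+' or '.' (ACL/SELinux) is ignored.
    mode=$(ls -l "$conf" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "FAIL: mode is '$mode', expected -rw-------"; rc=1; }

    # 2. Protection flips jceks.encrypted from "no" to "yes".
    enc=$(conf_value "$conf" jceks.encrypted)
    [ "$enc" = "yes" ] || { echo "FAIL: jceks.encrypted is '${enc:-unset}', expected yes"; rc=1; }

    # 3. Every password entry must carry the <AMS> marker of a protected value.
    for key in jceks.keystore_pass jceks.key_pass; do
        val=$(conf_value "$conf" "$key")
        case "$val" in
            "<AMS>"*) ;;
            "")       echo "FAIL: $key is missing or empty"; rc=1 ;;
            *)        echo "FAIL: $key still holds a plain-text password"; rc=1 ;;
        esac
    done

    return $rc
}

# Constructed sample files for a stand-alone run: protected.conf uses the
# values shown in the Example above; plain.conf is the unprotected step-1 form.
demo_dir=$(mktemp -d)
cat > "$demo_dir/protected.conf" <<'EOF'
jceks.keystore = /home/alice/AliceKeystore
jceks.certificate = AliceCert
jceks.encrypted = yes
jceks.keystore_pass = <AMS>1!62K/a4RinT+bks4RjFWx4A==!Vhi/RjIN2FH5qStUJ/0hsgKyn2IdMuhanemRRDrJqHM=
jceks.key_pass = <AMS>1!qmnxY++rsOUtZfDSgwcR1g==!VmWVREdVkNp1xYJstvuW64ph5vxxf7SPoqtsXxYh2Tk=
jceks.provider = IBMJCE
EOF
cat > "$demo_dir/plain.conf" <<'EOF'
jceks.keystore = /home/alice/AliceKeystore
jceks.certificate = AliceCert
jceks.encrypted = no
jceks.keystore_pass = passw0rd
jceks.key_pass = passw0rd
jceks.provider = IBMJCE
EOF
chmod 600 "$demo_dir/protected.conf" "$demo_dir/plain.conf"

check_keystore_conf "$demo_dir/protected.conf" && echo "protected.conf: OK"
check_keystore_conf "$demo_dir/plain.conf" || echo "plain.conf: rejected, run runamscred first"
```

Run it after runamscred completes, pointing check_keystore_conf at the real keystore.conf; a non-zero return means the file is not yet safe to deploy. The permission check is deliberately strict because, as noted under "Before starting", the scrambled passwords are only an additional layer on top of file access control, and the same owner-only check should be applied to the encryption key file.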