Protecting passwords in Java™

Storing keystore and private key passwords as plain text poses a security risk, so Advanced Message Security provides a tool that scrambles those passwords using a user's key, which is available in the keystore file.


Before you begin

The keystore.conf file owner must ensure that only the file owner is entitled to read the file. The password protection described in this chapter is only an additional measure of protection.


Procedure

  1. Edit the keystore.conf file to include the path to the keystore and the user's certificate label.
    jceks.keystore = c:/Documents and Setting/Alice/AliceKeystore
    jceks.certificate = AliceCert
    jceks.provider = IBMJCE
    
  2. To run the tool, issue:
    java -cp com.ibm.mq.jmqi.jar com.ibm.mq.ese.config.KeyStoreConfigProtector keystore_password private_key_password
    
    Output containing the encrypted passwords is generated and can be copied into the keystore.conf file. To append the output to the keystore.conf file automatically, run:
    java -cp com.ibm.mq.jmqi.jar com.ibm.mq.ese.config.KeyStoreConfigProtector keystore_password private_key_password >> ~/path_to_keystore/keystore.conf
    
    Note:

    For a list of default locations of keystore.conf on various platforms, see Use keystores and certificates.


Example

Here is an example of such output:
#Fri Jul 30 15:20:29 CEST 2010
jceks.key_pass=MMXh997n5ZOr8uRlJmc5qity9MN2CggGBMKCDxdbn1AyPklvdgTsOLG6X3C1YT7oDzwaqZFlOR4t\r\nmZsc7JGAx8nqqxLnAucdGn0NWo6xnjZB1n501YGol2k/PhaQHhFXKMAU9dKg0f8djOtCAOlX4ETe\r\nfYl9LBUt2wk87uM7dSs\=
jceks.keystore_pass=OIdeayBnSCfLG4cFuxEVrk6SYyAsdSPpDqgPf16s9s1M04cqZjNbhgjoA2EXonudHZHH+4s2drvQ\r\nCUvQgu9GuaBMJK2F2OjtHJJ1Y4BVeLW2c2okgawo/W2J1AdUYKkJ0raYTkDouLaTYTQeulyG0xIl\r\niD2si1xUCxhYvvyhbbY\=
jceks.encrypted=yes
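As an added check that is not part of the IBM documentation or the AMS tool itself, the following POSIX shell function verifies that a keystore.conf file meets the two requirements above: only the file owner can read it, and it carries scrambled passwords (jceks.encrypted=yes together with the jceks.keystore_pass and jceks.key_pass properties). The file path is passed as an argument; the sample content used to exercise it is constructed.

```shell
# check_keystore_conf FILE
# Returns 0 only when FILE is readable by its owner alone and holds
# scrambled passwords; prints the first failing reason otherwise.
check_keystore_conf() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"; return 1
    fi
    # Only the file owner may read keystore.conf. Columns 5-10 of
    # 'ls -ld' are the group and other permission bits; all must be '-'.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "too permissive: $f is readable by group or others"; return 1
    fi
    # The tool's output ends with jceks.encrypted=yes. Without that line
    # any password properties in the file are still plain text.
    if ! grep -q '^jceks.encrypted=yes$' "$f"; then
        echo "plain text passwords: jceks.encrypted=yes not found in $f"; return 1
    fi
    # Both scrambled password properties must be present.
    for key in jceks.keystore_pass jceks.key_pass; do
        if ! grep -q "^$key=" "$f"; then
            echo "missing property: $key in $f"; return 1
        fi
    done
    echo "ok: $f"
    return 0
}

# Usage: sh check_keystore_conf.sh /path/to/keystore.conf
if [ $# -gt 0 ]; then
    check_keystore_conf "$1"
fi
```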