Where to put keystore password

I am sure this topic has been discussed... but the forum search seems to be cactus at the moment, so:
I have a keystore (java.security.KeyStore) into which I am putting encryption keys (as you would expect). I need to encrypt data because although it's on a server behind a firewall, it's pretty important info. I am securing the keystore with a password, but I now have a problem of what to do with the password. I can't store it in a database because I am using one of the keys from the keystore to encrypt the configuration file used to access the database (again, for security).
I realise that there will always be one weak point in the system, but I was wondering what the best-practice approach for storing keystore passwords was.
A couple of considerations:
1. I am in a web (tomcat) environment
2. I don't have (and don't want to have) an EJB layer
3. I can't leave it up to the user to enter, because I (the system) need to encrypt/decrypt data without the user's intervention
4. I can't store it in the database as already mentioned
5. I can hard code the password(s) in compiled java code, but this can be decompiled and it means I can change them (easily)
Any ideas?

There are three key questions you have to answer before you can do "the right thing" for your environment in this context. The first is, "How much do you trust the physical security of your hardware?" The second is "How hard do you need to make life for would-be Bad Guys?" And the third is "How hard are you willing to make life for your sysadmins?"
Take #3, for example. If you're willing to make your admins miserable, or pay for 24x7 on-site coverage - don't write your ultimate key down anywhere, ever. When your system goes down, an admin has to restart it by re-entering the password/key info for unlocking all of your secrets. This approach chooses security over convenience in a very large way.
#2 and #1 are interrelated. If you trust your machine-security, you can make life hard for the Bad Guys even while leaving your startup password in the clear in your init scripts. If you don't trust your system too much, but you only care about deterring the "casual cracker," then you can do the same. If you want to make life REALLY hard for the Bad Guys, you can't leave the key available anywhere near your machine - even the specialized hardware approach can be defeated by a dedicated assault that has access to the machine. (At which point, you need to see #3 above).
In general, putting the key into your .class files is always the wrong answer. You can't change the password without recompiling, and everyone who uses the app is forced to have the same password, which is A Bad Thing. In addition, it's no more secure than having the password in a config-file that's protected to the same degree as the classfile itself. If the JVM can read the classfile, it can find and read a config file - and if a Bad Guy could find the plaintext config, he can find the classfile and extract the password nearly as easily.
In the vast majority of cases, keys in config files protected by the OS of the server machine will keep your system's secrets safe while allowing for "hands off" restarts. In the small number of instances where that's not sufficient, be prepared to pay a heavy price in hardware and convenience.
Grant
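One way to implement the "config file protected by the OS" option from the answer above, as an added example that is not part of the original thread: the keystore password lives in its own file, the loader refuses to use it if group or others can read it, and the password is wiped from memory once the key is loaded. The paths and the alias are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.SecretKey;

/**
 * Opens a keystore whose password is kept in a separate file that the OS
 * protects (owned by the service account, readable by nobody else).
 * The paths and the alias below are assumptions for illustration only.
 */
public final class KeystoreLoader {

    // The only permission bits tolerated on the password file: owner read/write.
    private static final Set<PosixFilePermission> ALLOWED =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    private KeystoreLoader() {}

    /** Reads the keystore password, refusing if group or others can read the file. */
    static char[] readPassword(Path passwordFile) throws IOException {
        // Throws UnsupportedOperationException on non-POSIX file systems (e.g. NTFS);
        // on Windows you would inspect the ACL instead.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(passwordFile);
        if (!ALLOWED.containsAll(perms)) {
            throw new IOException(passwordFile + " has permissions " + perms
                    + "; expected owner-only (chmod 600)");
        }
        String raw = new String(Files.readAllBytes(passwordFile), StandardCharsets.UTF_8);
        // Drop the trailing newline an editor leaves behind; keep char[] so it can be wiped.
        return raw.replaceAll("[\\r\\n]+$", "").toCharArray();
    }

    /** Loads the keystore and returns the secret key under alias, wiping the password afterwards. */
    static SecretKey loadDataKey(Path keystoreFile, Path passwordFile, String alias) throws Exception {
        char[] password = readPassword(passwordFile);
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            // JCEKS (unlike the older JKS type) can hold SecretKey entries.
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(in, password);
            // Assumption: the entry was created with the same password as the store.
            KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(password));
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                throw new IllegalStateException("no secret key entry under alias " + alias);
            }
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        } finally {
            Arrays.fill(password, '\0'); // not needed once the key is in memory
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed layout: both files live in a directory only the Tomcat service user can enter.
        Path keystore = Paths.get("/etc/myapp/keys.jceks");
        Path passwordFile = Paths.get("/etc/myapp/keystore.password");
        SecretKey key = loadDataKey(keystore, passwordFile, "data-key");
        System.out.println("loaded " + key.getAlgorithm() + " key from " + keystore);
    }
}
```

Create the keystore and key once with `keytool -genseckey -alias data-key -keyalg AES -keysize 256 -storetype JCEKS -keystore /etc/myapp/keys.jceks`, and write the password file under a umask of 077 so it starts out as mode 0600 owned by the service account.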

Similar Messages

  • I changed my iPhone lately but I can't restore my last backup since it keeps saying "itunes could not restore backup because the password was incorrect" but I don't know where to put the password to make it happen... Any suggestions?

    Hey guys,
    I just bought a new iPhone but I can't restore my backup files because it keeps saying "itunes could not restore backup because the password was incorrect" but I really don't know where to put the password to restore it. I really have some files that are meaningful for me so I really need help. Any suggestions anyone?

    Select your iDevice in iTunes.
    Choose the Summary screen (tab) and scroll to the bottom of the screen.
    Then un-select Encrypt iPhone backup.
    iTunes will then prompt you to “Enter the password to unlock your iPhone backup”, enter the password you set originally.

  • My computer screen keeps going blank and then going back to the box where I put my password in to start my comp. Why is this happening?

    My computer (Macbook) was working fine this am. I left it for an hour and then came back and the screen was black (always does that as the screensaver hardly ever works). I moved the mouse to wake it up and everything was normal. I went to adjust the volume and the screen went blank and the main page with the box where I put my password in when I first start my comp appeared. I put my password in and everything was normal again. I opened a window in Safari and before it loaded completely the same thing happened, the screen went blank and went back to the password box. Does anyone know why this is happening? I don't have an external hard drive or any blank flash drives so I can't back anything up right now and am afraid I'm going to lose everything. Thank you

    Sounds like hardware failure, called boot loop. Call Apple and/or go on apple.com and make a Genius Bar appointment to have your iPhone reviewed by a Tech. Provided your iPhone shows no physical or liquid damage they will take care of you, or if you have AppleCare Plus.
    Genius Bar Reservation: http://www.apple.com/retail/geniusbar/

  • Hello there, I am new here and very stressed. I have an iMac Core i3 which is logging off itself after a few seconds of login; it goes back to the login menu where I put the password. I have tried to repair the OS but my Pioneer ROM is not reading the disk.

    Hello there, I am new here and very stressed. I have an iMac Core i3 which is logging off itself after a few seconds of login; it goes back to the login menu where I put the password. I have tried to repair the OS but my Pioneer ROM is not reading the disk. I press the "C" button on startup but it's not picking up the disk in the ROM. I have tried to put the disk in an external ROM but same answer. I am starting to think that my OS disk is bad. Please help me.

    Please read this whole message before doing anything.
    This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
    The purpose of this exercise is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login. Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:
    Be sure your Mac is shut down.
    Press the power button.
    Immediately after you hear the startup tone, hold the Shift key. The Shift key should be held as soon as possible after the startup tone, but not before the tone.
    Release the Shift key when you see the gray Apple icon and the progress indicator (looks like a spinning gear).
    *Note: If FileVault is enabled under Mac OS X 10.7 or later, or if a firmware password is set, you can’t boot in safe mode.
    Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs.
    The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
    Test while in safe mode. Same problem(s)?
    After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test.

  • TS1702 I have an issue: every time I put my Apple ID and password into FaceTime and iMessage it says verifying and goes back to where you should put your password and won't check-mark the mail, and I created a new Apple ID, the same. What should I do?

    I have an issue: every time I put my Apple ID and password into FaceTime and iMessage it says verifying and goes back to where you should put your password and won't check-mark the mail, and I created a new Apple ID, the same. What should I do?

  • JSP--where to put my client keystore?

    I have my webservice working. I also have my java client working. Now I'm trying
    to create a web client using JSP to access the web service. This will need the
    message-based security. The java client works fine because I can specify the directory
    of the keystore. But I don't know where to put the keystore in my JSP client.
    Does anybody have some suggestions? BTW I'm using Tomcat 4.1.
    Many thanks.

    Hi,
    Here's a pointer to the doc on how to setup a keystore using WLS 8.1
    http://e-docs.bea.com/wls/docs81/webserv/security.html
    For Tomcat, I don't know...
    Bruce
    BTW, you might take a quick look at this, it may be of some value.
    http://dev2dev.bea.com/resourcelibrary/whitepapers/whitepaper_tomcat_migration.jsp
    Yan wrote:
    > I have my webservice working. I also have my java client working. Now I'm trying
    > to create a web client using JSP to access the web service. This will need the
    > message-based security. The java client works fine because I can specify the directory
    > of the keystore. But I don't know where to put the keystore in my JSP client.
    > Does anybody have some suggestions? BTW I'm using Tomcat 4.1.
    > Many thanks.

  • I put in more wrong passcodes and then it writes "iPhone is disabled | Connect to iTunes". When I connect to iTunes, an error appears saying that I can't connect the iPhone to iTunes because I must put a password on the iPhone. HEEEEELP!

    I put in more wrong passcodes and then it writes "iPhone is disabled | Connect to iTunes". When I connect to iTunes, an error appears saying that I can't connect the iPhone to iTunes because I must put a password on the iPhone (but I can't connect the iPhone to iTunes because it is blocked). HELP me PLEASE! I will give you more details if you want.
    Sorry for my English but I am from Romania and I don't know it very well.

    Forgot an iPhone Passcode? How to reset the iPhone passcode
    iPhone and iPod touch- Wrong passcode results in red disabled screen
    Please get the iPhone iOS 4 user guide.

  • SSL and keystore password

    I am creating a server and using JSSE. All the examples I see pass the Keystore and Keystore password as a java environment variable when starting the server. Does this seem a little insecure, to pass the password on the command line? Is there any other way to pass the keystore password?

    > I am creating a server and using JSSE. All the
    > examples I see pass the Keystore and Keystore password
    > as a java environment variable when starting the
    > server. Does this seem a little insecure, to pass the
    > password on the command line? Is there any other way
    > to pass the keystore password?
    Think hard on this one - what "more secure way" are you going to use? Sooner or later, somebody who knows has to give the code a password to use.
    Most of the systems I've seen haven't even required it on the command line - it's been written down in a script or .properties file, so the app can start/restart without human intervention. The files containing the passwords are protected by whatever the host OS uses to keep files private (e.g., owned by root, owner-read-only perms on Unix).
    No matter how much encryption you put in place, at the bottom of the chain there's a plain-text password entered SOMEwhere...
    Grant

  • I'm new to this and need help with putting a password on my wireless

    I've had my Linksys router for a few years now and recently have been asked to secure it so no one else in the neighborhood can connect to it but me, but I've never known how and I cannot find the installation CD for it. I have model number WRT54G. I tried searching the forums but couldn't seem to find one I could understand. If anyone could please offer me some help on how to simply put a password on it so just my computer and the others in the house can access the wifi, that'd be great. Thanks

    To set up wireless security, you must use a computer that is wired to the router.
    Where to find the router settings: The router's login password is usually on one of the "Administration" pages. The other settings are all found in the "Wireless" or "Wireless Security" section of the router's setup pages, located at 192.168.1.1
    First, give your router a unique SSID. Don't use "linksys".
    Make sure "SSID Broadcast" is set to "enabled".
    Next, leave the router at its default settings (except for the unique SSID), and then use your pc to connect wirelessly to the router. Test your wireless Internet connection and make sure it is working correctly. You must have a properly working wireless connection before setting up wireless security.
    To implement wireless security, you need to do one step at a time, then verify that you can still connect your wireless computer to the router.
    Next, encrypt your wireless system using the highest level of encryption that all of your wireless devices will support. Common encryption methods are:
    WEP - poor (see note below)
    WPA (sometimes called PSK, or WPA with TKIP) - good
    WPA2 (sometimes called PSK2, or WPA with AES) - best
    WPA and WPA2 sometimes come in versions of "personal" and "enterprise". Most home users should use "personal". Also, if you have a choice between AES and TKIP, and your wireless equipment is capable of both, choose AES. With any encryption method, you will need to supply a key (sometimes called a "password" ).
    The wireless devices (computers, printers, etc.) that you have will need to be set up with the SSID, encryption method, and key that matches what you entered in the router.
    Retest your system and verify that your wireless Internet connection is still working correctly.
    And don't forget to give your router a new login password.
    Picking Passwords (keys): You should never use a dictionary word as a password. If you use a dictionary word as a password, even WPA2 can be cracked in a few minutes. When you pick your login password and encryption key (or password or passphrase) you should use a random combination of capital letters, small letters, and numbers, but no spaces. A login password, should be 12 characters or more. WPA and WPA2 passwords should be at least 24 characters. Note: Your key, password, or passphrase must not have any spaces in it.
    Most home users should have their routers set so that "remote management" of the router is disabled. If you must have this option enabled, then your login password must be increased to a minimum of 24 random characters.
    One additional issue is that Windows XP requires a patch to run WPA2. The patch is located in SP3, so you will need SP3 to run WPA2.
    Note:
    WEP is no longer recommended. The FBI has demonstrated that WEP can be cracked in just a few minutes using software tools that are readily available over the Internet. Even a long random character password will not protect you with WEP. You should be using WPA or preferably WPA2 encryption.

  • I am wanting to publish a website created in iweb via a third party web host. How do I put a password for anyone wishing to visit the mysite?

    I am wanting to publish a website created in iweb via a third party web host. How do I put a password for anyone wishing to visit the mysite?

    You create the usernames and passwords where you host your website. Made with or without iWeb.
    Usually it's done in the controlpanel where you manage your account.
    If you cannot do it there, you'll have to do it yourself. See this post :
    https://discussions.apple.com/message/16014940#16014940
    And what is the purpose of password protection for ANYONE who visits your site?

  • App Server 9.1 -  Where is the keystore.jks

    Hi there
    Been fiddling with this problem for a bit now.
    I have installed the EE version of 9.1 and on the domain1, when I try to use the SSL listener it tells me that the certificate isn't valid. So, I went to the HTTP listener configured with security and noticed that the name of the certificate in use is called "s1as" . So far so good.
    Now I want to add my own certificate (a valid one, issued by a proper issuer and such) into the keystore and change the alias name to use that one instead.
    So .... where is the keystore.jks file that all the documentation is talking about? Since the app server is already using a certificate (with alias s1as) I think it has got to be stored somewhere... but I just can't seem to find it.
    This is what I got inside the config folder for the domain :
    [root@server config]# pwd
    /opt/SUNWappserver/domains/domain1/config
    [root@server config]#
    [root@server config]# ls -isa
    total 440
    492179 4 . 492339 4 default-config 492215 132 key3.db 492208 4 sun-acc.xml
    492178 4 .. 492210 36 default-web.xml 492207 4 keyfile 492392 4 .synchronize
    492205 4 admch 492393 0 derby.log 492211 4 login.conf 492387 0 .upgradedTo91
    492206 4 admin-keyfile 492217 4 domain-passwords 492216 16 secmod.db 492213 8 wss-server-config-1.0.xml
    492394 4 admsn 492388 4 domain-registry 492396 4 secure.seed 492212 8 wss-server-config-2.0.xml
    492214 132 cert8.db 492389 4 .domain-registry.system 492399 0 server.csr
    492395 4 .__com_sun_appserv_pid 492202 40 domain.xml 492397 8 server.policy
    find / -name keystore.jks
    [root@server config]#
    Any thoughts?
    Thx
    Rp

    ok ok ok
    got it, using NSS .
    http://docs.sun.com/app/docs/doc/819-3671/ablnk?a=view

  • I wanted to explain my problem with the CC 2014 package, where I put the serial number. The problem that I have is that when I open the program it asks me to start a session, in which I put it and go, but back inside it drives me back to requesting the start of

    I wanted to explain my problem with the CC 2014 package, where I put the serial number. The problem that I have is that when I open the program it asks me to start a session, in which I put it and go, but back inside it drives me back to requesting the start of session. I have had this problem for 3 weeks or more; if you can support me to solve it. The serial number was being installed at a private university.

    Cloud programs do not use serial numbers... you log in to your paid Cloud account to download & install & activate... you MAY need to log out of the Cloud and restart your computer and log back in to the Cloud for things to work
    Some general information for a Cloud subscription
    Log out of your Cloud account... Restart your computer... Log in to your paid Cloud account
    -Sign in help http://helpx.adobe.com/x-productkb/policy-pricing/account-password-sign-faq.html
    -http://helpx.adobe.com/creative-cloud/kb/sign-in-out-creative-cloud-desktop-app.html
    -http://helpx.adobe.com/x-productkb/policy-pricing/activation-network-issues.html
    -http://helpx.adobe.com/creative-suite/kb/trial--1-launch.html
    Does your Cloud subscription properly show on your account page?
    If you have more than one email, are you sure you are using the correct Adobe ID?
    https://www.adobe.com/account.html for subscriptions on your Adobe page

  • Hi, I am having trouble with wifi. My OS X version is 10.8.4 and I can't connect. I've put the password in and it keeps coming up with an exclamation mark in the wifi symbol. I can't get my computer to delete the network or forget it??

    Hi, I have a MacBook Pro, OS X 10.8.4. I've connected to a wifi point where I am staying; I've selected the network and put in the password and over the wifi symbol an exclamation mark appears. The wifi works perfectly on my iPhone but won't with my MacBook. I've turned it off and on, I've tried to forget/delete the network but it won't let me? Is there anything I can do? I really need it because I'm travelling and need to book things. Thanks

    Information.
    Wireless Connection Problems - Fix
    Wireless Connection Problems - Fix (2)
    Wireless Connection Problems - Fix (3)
    Wireless Connection Problems - Fix (4)
    Wireless Diagnostics - About

  • Put my password in and nothing happens same screen

    Recently I am having the weirdest of things happen with my Mac desktop. I put my password in and the screen goes to the next screen like it normally always did, but then it takes me right back to the sign-on screen where my password is being prompted. Strange.
    I have tried everything I know to do, including the Command plus Option plus R plus P at the same time, and that did nothing. So I don't know what to do. The store I thought of, but there is the store Genius manager person at the Beverly Center that is disgustingly rude AND so inappropriate; I swore I would never darken their doors again. I hate to go back there; she is the one that probably caused this very thing. Please help.

    Please read this whole message before doing anything.
    This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
    The purpose of the test is to determine whether the problem is caused by third-party software that loads automatically at startup or login. 
    Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:
    Shut down your computer, wait 30 seconds, and then hold down the shift key while pressing the power button.
    When you see the gray Apple logo, release the shift key.
    If you are prompted to log in, type your password, and then hold down the shift key again as you click  Log in.
    *Note: If FileVault is enabled under OS X 10.7 or later, or if a firmware password is set, or if the boot volume is a software RAID, you can’t boot in safe mode. Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs. The next normal boot may also be somewhat slow.
    The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin. Test while in safe mode. Same problem? After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test.

  • TS2446 My phone won't let me download apps. I put the password in, then it says billing options, which tell me I have an invalid security code

    My phone won't let me download any apps. When I put the password in it takes me to billing options, which tell me I have the wrong security code, and that's the security code that was on the card on the account.

    iTunes Store: My credit card's security code or zip code does not match my bank's records
    http://support.apple.com/kb/TS1646
