Storing the keystore and private key passwords as plain text in keystore.conf poses a security risk, so Advanced Message Security provides a tool that scrambles those passwords with a key belonging to the user, taken from the user's keystore file.
Before you begin
The owner of the keystore.conf file must ensure that only the file owner is entitled to read the file (on UNIX and Linux systems, for example, mode 600). The password protection described in this chapter is only an additional measure of protection; it does not replace correct file permissions.
Procedure
-
Edit the keystore.conf file to include the path to the keystore and the label of the user's certificate, for example:
jceks.keystore = c:/Documents and Settings/Alice/AliceKeystore
jceks.certificate = AliceCert
jceks.provider = IBMJCE
-
To run the tool, issue:
java -cp com.ibm.mq.jmqi.jar com.ibm.mq.ese.config.KeyStoreConfigProtector keystore_password private_key_password
Both passwords are passed on the command line, so they can be seen in the process list while the tool runs and are recorded in the shell history. Run the command from a script or clear the history entry afterwards.
The tool writes the scrambled passwords to standard output in Java properties format; the output can be copied into the keystore.conf file.
To append the output to the keystore.conf file automatically, run:
java -cp com.ibm.mq.jmqi.jar com.ibm.mq.ese.config.KeyStoreConfigProtector keystore_password private_key_password >> ~/path_to_keystore/keystore.conf
Because >> appends, remove any existing plain-text jceks.keystore_pass and jceks.key_pass entries from keystore.conf so that only the scrambled values remain. Copy the output lines exactly as emitted: the \r\n and \= sequences in the values are properties-file escapes and must not be replaced with real line breaks or unescaped characters.
Example
Here is an example of such output. The first line is a timestamp comment written by the tool; jceks.encrypted=yes marks the password entries as scrambled:
#Fri Jul 30 15:20:29 CEST 2010
jceks.key_pass=MMXh997n5ZOr8uRlJmc5qity9MN2CggGBMKCDxdbn1AyPklvdgTsOLG6X3C1YT7oDzwaqZFlOR4t\r\nmZsc7JGAx8nqqxLnAucdGn0NWo6xnjZB1n501YGol2k/PhaQHhFXKMAU9dKg0f8djOtCAOlX4ETe\r\nfYl9LBUt2wk87uM7dSs\=
jceks.keystore_pass=OIdeayBnSCfLG4cFuxEVrk6SYyAsdSPpDqgPf16s9s1M04cqZjNbhgjoA2EXonudHZHH+4s2drvQ\r\nCUvQgu9GuaBMJK2F2OjtHJJ1Y4BVeLW2c2okgawo/W2J1AdUYKkJ0raYTkDouLaTYTQeulyG0xIl\r\niD2si1xUCxhYvvyhbbY\=
jceks.encrypted=yes