Closed gstaware closed 4 years ago
@gstaware, thank you for raising this issue. These are all properties; you should be able to provide property values to the JVM through the environment (process, container, etc.), which is where you could use environment variables.
e.g. -Djavax.net.ssl.keyStorePassword=$KEYSTORE_PASSWORD -Djavax.net.ssl.trustStorePassword=$TRUSTSTORE_PASSWORD
Could you give this a try?
Agreed, we can provide system properties to the JVM, but we will need code changes for reading env vars for base64-encoded passwords; can we work on that, please? I am talking about the first section of the comment.
As of now, we are specifying plain passwords in the bridge configuration file for the keystore and truststore as below:
  io.nats.client.tls.keystore.password: password
  io.nats.client.tls.truststore.password: password
This is causing security issues, hence we need support for environment variables, something like below:
  io.nats.client.tls.keystore.env_var.base64password: KEYSTORE_PASSWORD
  io.nats.client.tls.truststore.env_var.base64password: TRUSTSTORE_PASSWORD
With this, the bridge will read the above environment variable, decode the base64-encoded value and use it for loading the keystore/truststore.
This needs to be done for the TLS setup with the MQ server as well, where we are using system properties as below:
  systemProperties:
    com.ibm.mq.cfg.useIBMCipherMappings: false
    javax.net.ssl.keyStore: "/home/vcap/keystore.jks"
    javax.net.ssl.keyStorePassword: "password"
    javax.net.ssl.trustStore: "/home/vcap/truststore.jks"
    javax.net.ssl.trustStorePassword: "password"
We don't want to keep any plain passwords in the bridge configuration file, hence the concern. Please check this on priority and let us know of any concerns.
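As an added illustration of the mechanism requested above (editor's example; not code from the bridge project and not proposed by either participant): a Java loader that resolves keystore and truststore passwords from base64-encoded environment variables, fails closed when a variable is unset or not valid base64, wipes the decoded password after use, and builds an SSLContext from the two stores. The class name, the `KEYSTORE_PASSWORD`/`TRUSTSTORE_PASSWORD` variable names and the injected lookup function are assumptions for the example; the `main` method creates an empty PKCS12 store in a temp file and a constructed in-memory "environment" so it runs offline, where the bridge itself would pass `System::getenv`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.function.Function;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical class): keystore/truststore passwords from base64 env vars. */
public final class EnvKeyStoreLoader {

    /** Source of variable values: System::getenv in a real deployment, a Map in the demo below. */
    private final Function<String, String> env;

    EnvKeyStoreLoader(Function<String, String> env) {
        this.env = env;
    }

    /**
     * Read the named variable and base64-decode it. Returns a char[] so the caller can
     * wipe it; throws (fail closed) if the variable is unset or is not valid base64.
     */
    char[] passwordFromEnv(String varName) {
        String encoded = env.apply(varName);
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("environment variable " + varName + " is not set");
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(encoded.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException(varName + " is not valid base64", e);
        }
        char[] pw = new String(raw, StandardCharsets.UTF_8).toCharArray();
        Arrays.fill(raw, (byte) 0);  // do not leave a second copy of the secret behind
        return pw;
    }

    /** Load a store (JKS or PKCS12, per the JVM default type) from disk with the given password. */
    static KeyStore loadStore(Path path, char[] pw) throws IOException, GeneralSecurityException {
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, pw);
            return ks;
        }
    }

    /** Build an SSLContext; each password is decoded, used, and then zeroed. */
    SSLContext sslContext(Path keyStore, String ksVar, Path trustStore, String tsVar)
            throws IOException, GeneralSecurityException {
        char[] ksPw = passwordFromEnv(ksVar);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        try {
            // Assumption: key entries are protected with the store password (the javax.net.ssl default).
            kmf.init(loadStore(keyStore, ksPw), ksPw);
        } finally {
            Arrays.fill(ksPw, '\0');
        }
        char[] tsPw = passwordFromEnv(tsVar);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        try {
            tmf.init(loadStore(trustStore, tsPw));
        } finally {
            Arrays.fill(tsPw, '\0');
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: an empty store with password "s3cret" written to a temp file,
        // and a fake environment holding that password base64-encoded (base64("s3cret") = "czNjcmV0").
        char[] demoPw = "s3cret".toCharArray();
        Path store = Files.createTempFile("demo", ".p12");
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(store)) {
            empty.store(out, demoPw);
        }
        String encoded = Base64.getEncoder().encodeToString("s3cret".getBytes(StandardCharsets.UTF_8));
        Map<String, String> fakeEnv = Map.of("KEYSTORE_PASSWORD", encoded, "TRUSTSTORE_PASSWORD", encoded);

        EnvKeyStoreLoader loader = new EnvKeyStoreLoader(fakeEnv::get);
        SSLContext ctx = loader.sslContext(store, "KEYSTORE_PASSWORD", store, "TRUSTSTORE_PASSWORD");
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());

        // Fail-closed check: an unset variable must not silently fall back to an empty password.
        try {
            new EnvKeyStoreLoader(Map.<String, String>of()::get).passwordFromEnv("KEYSTORE_PASSWORD");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.deleteIfExists(store);
    }
}
```

Two caveats worth keeping in mind with this approach: base64 is an encoding, not a protection, so the gain is that the secret is no longer a plain string in a config file that gets committed or copied around, not that it is hidden from anything running with the process's privileges (environment variables are readable via the process's environment block by the same user). And the `-D` route from the earlier reply puts the decoded password on the JVM command line, where it is visible in process listings, which is one reason to prefer reading the variable inside the process as shown here.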