[LOG4J2-2054] Provide ways to configure SSL that avoid plain-text passwords in the log4j configuration - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.9.1
Fix Version/s: 2.10.0
Component/s: Appenders
Labels:
None

Description

Following up on ~~LOG4J2-1896~~, currently SecureSocketAppender can only be configured by specifying the passwords to the trust store and the key store in plain text in the log4j 2 configuration file.

Provide alternative configurations that obtain the password from different sources, for example:

system environment variable
file

Example configuration:

  <Appenders>
    <Socket name="socket" host="localhost" port="${sys:SecureSocketAppenderSocketOptionsTest.port}" protocol="SSL"
      ignoreExceptions="false">
      <JsonLayout properties="true"/>
      <Ssl>
        <KeyStore location="src/test/resources/org/apache/logging/log4j/core/net/ssl/client.log4j2-keystore.jks"
          passwordEnvironmentVariable="KEYSTORE_PASSWORD" type="JKS" />
        <TrustStore location="src/test/resources/org/apache/logging/log4j/core/net/ssl/truststore.jks"
          passwordFile="${sys:user.home}/truststore.pwd" type="JKS" />
      </Ssl>
    </Socket>
  </Appenders>

Attachments

Issue Links

is related to

LOG4J2-2059 Refactor classes in core.net.ssl to allow non-KeyStore Providers

Open

relates to

LOG4J2-1896 Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String to char[] for passwords

Resolved

Activity

People

Assignee:: Remko Popma

Reporter:: Remko Popma

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 23/Sep/17 16:22

Updated:: 27/Sep/17 00:04

Resolved:: 25/Sep/17 16:01