Obfuscating passwords

You should obfuscate the SSL connector keystore password for greater security.

When adding the SslSelectChannelConnector, you must specify the keystore passwords in the configuration. Specifying the passwords as clear text is not recommended, because anyone who can view the configuration file can read them. Instead, you should obfuscate the passwords so that they are not easily read.

The Jetty package includes a password utility that can generate obfuscated passwords. The utility comprises two JAR files:
  • jetty-http-8.0.1.v20110908.jar
  • jetty-util-8.0.1.v20110908.jar

Note that the version number (8.0.1.v20110908) will change if the Jetty package is upgraded to a later revision.

To produce an obfuscated password:

  1. From a command prompt, navigate to the Jetty lib directory.
  2. On Windows, issue the following command on a single line:
    java -cp jetty-http-8.0.1.v20110908.jar;jetty-util-8.0.1.v20110908.jar org.eclipse.jetty.http.security.Password endeca
    Note there is a space between the second ".jar" and the "org." that starts the package name. Use your own password instead of the "endeca" example.
    On Linux, use a colon (:) instead of a semi-colon (;) to separate the two JAR names.
The output of the utility will look like this for the "endeca" password example:
endeca
OBF:1sar1uh61svy1sw01ugk1saj
MD5:2a1ec2aefbd80e6043b394cb2314e9c6

The OBF output is the obfuscated version of the password, while the MD5 output is the checksummed version. You will be using the OBF version in the Jetty configuration file.
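
The Python below is an added example, not code from the Jetty package or from this guide. It reimplements the OBF encoding as the Jetty 8 Password class behaves (the function names are assumptions of this example, and only ASCII passwords are handled) and shows that the encoding uses no key, so the OBF string protects against casual reading only.

```python
"""Re-implementation of the Jetty 8 "OBF:" password encoding (added example)."""

PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Render a non-negative integer in base 36, zero-padded to 4 digits."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.rjust(4, "0")


def jetty_obfuscate(password: str) -> str:
    """Encode an ASCII password the way the utility's OBF line does."""
    b = password.encode("ascii")  # non-ASCII input raises; out of scope here
    chunks = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]          # byte mirrored from the other end
        i1 = 127 + b1 + b2              # sum of the pair
        i2 = 127 + b1 - b2              # difference of the pair
        chunks.append(_to_base36(i1 * 256 + i2))
    return PREFIX + "".join(chunks)


def jetty_deobfuscate(obf: str) -> str:
    """Invert jetty_obfuscate; no key or secret is needed."""
    body = obf[len(PREFIX):] if obf.startswith(PREFIX) else obf
    if len(body) % 4:
        raise ValueError("OBF body must be a multiple of 4 base-36 digits")
    out = bytearray()
    for k in range(0, len(body), 4):
        i1, i2 = divmod(int(body[k:k + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)  # i1 + i2 - 254 == 2 * b1
    return out.decode("ascii")


if __name__ == "__main__":
    sample = "endeca"  # the example password used on this page
    encoded = jetty_obfuscate(sample)
    print(encoded)
    print(jetty_deobfuscate(encoded))
```

Because the OBF value can be reversed this way, keep read access to the Jetty configuration file as restricted as you would for a clear-text password.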