We have a Java web application running on JBoss and Linux. Production environment database connection parameters come from a configuration file that only exists on the production environment app servers. That config file is only readable by the user ID that also runs the application, (let's call that user appuser) and the only people who can log into production environment servers and sudo to appuser are members of our Operations team. The production environment itself is firewalled off from all other environments.

We would like to make this more secure. Specifically we would like to prevent the operations team from reading the database connection password and other keys that are currently in the configuration file.

Another factor to keep in mind is that the operations team is responsible for building and deploying the application.

What are our options? The solution needs to support manually restarting the application as well as automatically starting the application if the OS reboots.

Update

The solution I am investigating now (tip to Adamski for his suggestion, which roughly translates into step 1):

1. Write a wrapper executable that is setuid to a user that starts/stops the applications and owns the configuration files and everything in the JBoss directory tree.

2. Use jarsigner to sign the WAR after it is built. The building of the WAR will be done by development. The setuid wrapper will verify the signature, validating that the WAR has not been tampered with.

3. Change the deployment process to only deploy the signed WAR. The setuid wrapper can also move the WAR into place in the JBoss deploy directory.

Why not just create a second user for the Operations team to sudo to, which only has a subset of file permissions compared with your application's user ID?

No code changes necessary; nice and simple.

You might find it interesting to see how the Jetty folks have approached this problem:

http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords

This at least ensures that you cannot just read the password directly but need to some serious effort to get a humanly readable version.

If the Jetty license is compatible with what you want to do, you can just lift their code.

The easy way is to use Unix permissions to control who can read these files. However, sensitive data like passwords should never be stored in plain. There are a few alternatives. They require some effort but, that's an approach followed by most commercial products.

Store the passwords encrypted on file system. You can use either Java cryptography or XML encryption to do so.

OR

Store sensitive information such as passwords in a database along with other configuration details and encrypt it using database tools. You will still need to store database password somewhere on the file system. Oracle provides a wallet to store the password. There are some third party wallets as well that can do this, if your database vendor does not provide one.