We have a Java web application running on JBoss and Linux. Production environment database connection parameters come from a configuration file that only exists on the production environment app servers. That config file is only readable by the user ID that also runs the application (let’s call that user appuser), and the only people who can log into production environment servers and sudo to appuser are members of our Operations team. The production environment itself is firewalled off from all other environments.
We would like to make this more secure. Specifically we would like to prevent the operations team from reading the database connection password and other keys that are currently in the configuration file.
Another factor to keep in mind is that the operations team is responsible for building and deploying the application.
What are our options? The solution needs to support manually restarting the application as well as automatically starting the application if the OS reboots.
Update
The solution I am investigating now (tip to Adamski for his suggestion, which roughly translates into step 1):
1. Write a wrapper executable that is setuid to a user that starts/stops the applications and owns the configuration files and everything in the JBoss directory tree.
2. Use jarsigner to sign the WAR after it is built. The building of the WAR will be done by development. The setuid wrapper will verify the signature, validating that the WAR has not been tampered with.
3. Change the deployment process to only deploy the signed WAR. The setuid wrapper can also move the WAR into place in the JBoss deploy directory.
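A minimal version of the setuid deploy wrapper sketched in the three steps above, as an added example that is not from the question or any answer. It assumes the binary is owned by appuser with mode 4750 and an ops group, the staging, quarantine, deploy, keystore and jarsigner paths and the release-key alias shown in the defines, and that jarsigner's -strict exit status together with its "jar verified." line indicates a valid signature by that alias.

```c
#define _GNU_SOURCE /* for clearenv, setenv, popen, setreuid */
/* Added example (hypothetical, not from the post): a minimal setuid deploy wrapper.
 * Assumed: binary owned by appuser, mode 4750, group ops; all paths and the alias below. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define STAGING    "/var/staging/"                     /* assumed: ops drop WARs here */
#define QUARANTINE "/home/appuser/quarantine/"         /* assumed: mode 0700, owned by appuser */
#define DEPLOY     "/opt/jboss/server/default/deploy/" /* assumed JBoss deploy dir */
#define KEYSTORE   "/home/appuser/release.jks"         /* assumed: holds the release cert only */
#define ALIAS      "release-key"                       /* assumed alias of the signing cert */
/* Only a bare "<name>.war" of [A-Za-z0-9._-] without "..": it is spliced into paths and a shell command. */
int war_name_ok(const char *name) {
    size_t n = strlen(name);
    if (n < 5 || n > 128 || strstr(name, "..") || strcmp(name + n - 4, ".war")) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && !strchr("._-", name[i])) return 0;
    return 1;
}
/* Copy into the appuser-only quarantine: the bytes verified are the bytes deployed. */
static int copy_file(const char *from, const char *to) {
    char buf[65536]; size_t n;
    FILE *in = fopen(from, "rb"), *out = in ? fopen(to, "wb") : NULL; int ok = in && out;
    while (ok && (n = fread(buf, 1, sizeof buf, in)) > 0)
        if (fwrite(buf, 1, n, out) != n) ok = 0;
    if (in) fclose(in);
    return out && fclose(out) == 0 && ok;
}
/* Need both: exit 0 under -strict AND "jar verified." (English-locale text); an unsigned WAR says "jar is unsigned" and fails here. */
int signature_valid(const char *war_path) {
    char cmd[512], line[256]; int verified = 0;
    snprintf(cmd, sizeof cmd, "/usr/bin/jarsigner -verify -strict -keystore %s %s %s",
             KEYSTORE, war_path, ALIAS);               /* assumed jarsigner path */
    FILE *p = popen(cmd, "r"); if (!p) return 0;
    while (fgets(line, sizeof line, p)) if (strstr(line, "jar verified")) verified = 1;
    return pclose(p) == 0 && verified;
}
int main(int argc, char **argv) {
    char src[256], tmp[256], dst[256];
    if (argc != 2 || !war_name_ok(argv[1])) return 2;
    clearenv(); setenv("PATH", "/usr/bin:/bin", 1);   /* drop caller-controlled environment */
    if (setreuid(geteuid(), geteuid()) != 0) return 1; /* real uid too: bash drops euid != ruid */
    snprintf(src, sizeof src, STAGING "%s", argv[1]);
    snprintf(tmp, sizeof tmp, QUARANTINE "%s", argv[1]);
    snprintf(dst, sizeof dst, DEPLOY "%s", argv[1]);
    if (!copy_file(src, tmp) || !signature_valid(tmp)) { unlink(tmp); return 1; }
    return rename(tmp, dst) == 0 ? 0 : 1;             /* assumes quarantine and deploy share a filesystem */
}
```

Build with `gcc -O2 -o deploy-war deploy-war.c`, then `chown appuser:ops deploy-war && chmod 4750 deploy-war`; the same pattern (validate, sanitise environment, become appuser fully, then act) applies to a start/stop wrapper for step 1.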
Why not just create a second user for the Operations team to sudo to, which only has a subset of file permissions compared with your application’s user ID?
No code changes necessary; nice and simple.