This is probably a stupid question, but how much of a security risk is it to set my web server SSL configuration (e.g. keystore password) via System.setProperty...

If I did something like:

System.setProperty("javax.net.ssl.keyStorePassword", "password");

  1. Is that likely to cause a security problem?
  2. Is there a way to safeguard against that risk while still setting the property?
  3. How would someone go about compromising that?

Note: Just to add a few more specifics, this is a web app running on Tomcat 6 on Red Hat.

+3  A: 

How much of a risk this is depends on the environment in which your code runs and on who you are trying to protect against. If an attacker has access to the platform itself or can somehow inject code into your platform, then setting properties this way is the least of your troubles.

As long as your platform is secure against attackers being able to run arbitrary code in your environment, you should be pretty safe.

Eddie
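
As an added illustration of the scope issue discussed above (not code from the original question or answer): a system property is visible to all code in the JVM, while a `char[]` passed straight to the JSSE key manager is not published anywhere. The class and method names are hypothetical, the password is a constructed sample, and `javax.net.ssl.keyStorePassword` is the standard JSSE property name.

```java
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class KeystorePasswordScope {

    // Stand-in for any other code loaded in the same JVM (a library, another
    // webapp in the same Tomcat): system properties are global to the process.
    static boolean visibleJvmWide() {
        return System.getProperty("javax.net.ssl.keyStorePassword") != null;
    }

    // Build an SSLContext from a keystore without publishing the password
    // as a system property. The caller owns the char[] and wipes it.
    static SSLContext contextFrom(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; a real one would come from a protected source.
        char[] password = "example-only".toCharArray();

        // Approach from the question: the value sits in a global String.
        System.setProperty("javax.net.ssl.keyStorePassword", new String(password));
        System.out.println("system property readable elsewhere: " + visibleJvmWide());
        System.clearProperty("javax.net.ssl.keyStorePassword");

        // Alternative: empty in-memory keystore so the example runs offline;
        // a real one would be loaded from a file via ks.load(inputStream, password).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, password);
        SSLContext ctx = contextFrom(ks, password);
        Arrays.fill(password, '\0'); // wipe once the key managers are built

        System.out.println("context protocol: " + ctx.getProtocol());
        System.out.println("system property readable elsewhere: " + visibleJvmWide());
    }
}
```

This narrows exposure to code that holds a reference to the `char[]`; it does not help against code that can already run with full privileges inside the JVM, which is the case the answer describes.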