Added secure settings for ssl related passwords:

src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java

@@ -83,6 +83,9 @@
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class LDAPAuthorizationBackend implements AuthorizationBackend {
 
     private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
@@ -566,8 +569,7 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
                 final KeyStore trustStore = PemKeyReader.loadKeyStore(
                         PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
                                 configPath, !trustAll),
-                        settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
-                                SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                        SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
                         settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
 
                 final List<String> trustStoreAliases = settings.getAsList(ConfigConstants.LDAPS_JKS_TRUST_ALIAS, null);
@@ -576,12 +578,11 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
                 final KeyStore keyStore = PemKeyReader.loadKeyStore(
                         PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
                                 configPath, enableClientAuth),
-                        settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+                        SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
                                 SSLConfigConstants.DEFAULT_STORE_PASSWORD),
                         settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
-                final String keyStorePassword = settings.get(
-                        SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
-                        SSLConfigConstants.DEFAULT_STORE_PASSWORD);
+                final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD
+                        .getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
 
                 final String keyStoreAlias = settings.get(ConfigConstants.LDAPS_JKS_CERT_ALIAS, null);
                 final String[] keyStoreAliases = keyStoreAlias == null ? null : new String[] { keyStoreAlias };

src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java

@@ -48,6 +48,9 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class SettingsBasedSSLConfigurator {
     private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);
 
@@ -305,8 +308,7 @@ private void initFromKeyStore() throws SSLConfigException {
             trustStore = PemKeyReader.loadKeyStore(
                     PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
                             configPath, !isTrustAllEnabled()),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
-                            SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                    SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
         } catch (Exception e) {
             throw new SSLConfigException("Error loading trust store from "
@@ -321,15 +323,15 @@ private void initFromKeyStore() throws SSLConfigException {
             keyStore = PemKeyReader.loadKeyStore(
                     PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
                             configPath, enableSslClientAuth),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+                    SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
                             SSLConfigConstants.DEFAULT_STORE_PASSWORD),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
         } catch (Exception e) {
             throw new SSLConfigException("Error loading key store from "
                     + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
         }
 
-        String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+        String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
                 SSLConfigConstants.DEFAULT_STORE_PASSWORD);
         effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null
                 : keyStorePassword.toCharArray();

src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java

@@ -49,6 +49,9 @@
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class SettingsBasedSSLConfiguratorV4 {
     private static final Logger log = LogManager.getLogger(SettingsBasedSSLConfigurator.class);
 
@@ -306,8 +309,7 @@ private void initFromKeyStore() throws SSLConfigException {
             trustStore = PemKeyReader.loadKeyStore(
                     PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
                             configPath, !isTrustAllEnabled()),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
-                            SSLConfigConstants.DEFAULT_STORE_PASSWORD),
+                    SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
         } catch (Exception e) {
             throw new SSLConfigException("Error loading trust store from "
@@ -322,16 +324,16 @@ private void initFromKeyStore() throws SSLConfigException {
             keyStore = PemKeyReader.loadKeyStore(
                     PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
                             configPath, enableSslClientAuth),
-                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+                    SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings,
                             SSLConfigConstants.DEFAULT_STORE_PASSWORD),
                     settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
         } catch (Exception e) {
             throw new SSLConfigException("Error loading key store from "
                     + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e);
         }
 
-        String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
-                SSLConfigConstants.DEFAULT_STORE_PASSWORD);
+        String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD
+                .getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
         effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null
                 : keyStorePassword.toCharArray();
         effectiveKeyAlias = getSetting(CERT_ALIAS);

src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java

@@ -31,6 +31,9 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD;
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public final class ExternalOpenSearchSink extends AuditLogSink {
 
     private static final List<String> DEFAULT_TLS_PROTOCOLS = Arrays.asList(new String[] { "TLSv1.2", "TLSv1.1"});
@@ -117,14 +120,14 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final
 
             } else {
                 final KeyStore trustStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, true)
-                        , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+                        , SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings)
                         , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
 
                 //for client authentication
                 final KeyStore keyStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, configPath, enableSslClientAuth)
-                        , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+                        , SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
                         , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
-                final String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
+                final String keyStorePassword = SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
                 effectiveKeyPassword = keyStorePassword==null||keyStorePassword.isEmpty()?null:keyStorePassword.toCharArray();
                 effectiveKeyAlias = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, null);
 

src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java

@@ -50,6 +50,8 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.PemKeyReader;
 
+import static org.opensearch.security.ssl.SecureSSLSettings.SSLSetting.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD;
+
 public class WebhookSink extends AuditLogSink {
 
 	/* HttpClient is thread safe */
@@ -328,7 +330,7 @@ public KeyStore run() {
 
 					} else {
 					    return PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, false)
-			                    , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+			                    , SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(settings)
 			                    , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
 					}
 				} catch(Exception ex) {