John,
Not secure at all, nor is it intended to be.
The issue is that if the server is to be started automatically without the need to enter a passphrase, then encryption cannot be used since the server needs to provide the keystore passwords at runtime. OBF is simply a way to put the passphrases into a configuration file so that a casual observer looking over your shoulder cannot easily remember the configured passwords. MD5 cannot be used at all in this situation (it is provided for checking things like BASIC authentication where a credential is sent over "the wire" but we want to avoid storing such credentials on the server, so we check the MD5 of the provided credential with the stored MD5).
BCrypt would not help, as it requires a passphrase. If we put that passphrase in a config file, then it's just the same problem... how to protect the passphrase needed to recover the password needed to recover the private key...
Ultimately if a server is to start automatically, without human intervention, then you need to rely on the OS security to keep a configuration file secure.
cheers
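
The closing point of the message above, relying on OS security to protect the configuration file, can be checked before the server starts. The following is an added example, not part of the original message or of the server's own code; it assumes a POSIX system, and the file name `ssl.ini`, its content and the function names are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_secret_file(path, expected_uid=None):
    """Return a list of findings for a config file holding keystore passwords."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; audit the target it resolves to")
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group can read or write the file")
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("other users can read or write the file")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} is not the service uid {expected_uid}")
    # A parent directory writable by others lets another user swap the file out,
    # unless the sticky bit restricts renames and deletes to the owner.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is writable by group or others")
    return findings


def demo():
    """Build a constructed config file and audit it at two permission settings."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        path = os.path.join(d, "ssl.ini")  # constructed file name
        with open(path, "w") as f:
            f.write("keystore.password=OBF:placeholder\n")  # constructed content
        os.chmod(path, 0o644)  # typical default: readable by everyone
        loose = audit_secret_file(path, expected_uid=os.getuid())
        os.chmod(path, 0o600)  # owner-only, as the service account would need
        tight = audit_secret_file(path, expected_uid=os.getuid())
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose)
    print("0600:", tight)
```

A start script can call `audit_secret_file` on the real configuration path with the service account's uid and refuse to launch when the list is not empty.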