Posted to dev@activemq.apache.org by "Goel, Amithkumar" <am...@sap.com.INVALID> on 2022/01/18 13:58:01 UTC

Need information on broker instance creation w.r.t security issue in sysmon.

Hi,

I am not sure if this is the right mailing list for posting a technical query related to ActiveMQ Artemis. Kindly help me out if this is the wrong mailing address.
I am using ActiveMQ Artemis and creating the broker instance via the command below:

artemis.cmd create --user "Administrator" --password "Password1" --role admin --allow-anonymous y "E:\mybroker"

We have Sysmon (https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) enabled, and the above command gets registered in the log file, which stores the password as well, which is a security concern.

Is there any way to create a broker without passing the password as a command-line argument? Maybe get it from some environment variable.
Also, I don’t want to store the password information in any file (like a config file or any text file).

Thanks in advance.

Regards,
Amith Goel.

Re: Need information on broker instance creation w.r.t security issue in sysmon.

Posted by "Goel, Amithkumar" <am...@sap.com.INVALID>.
Hi Justin,

Thanks for answering my query even though I posted to the wrong mailing list. I'll keep in mind the right mailing list for posting any query in future.
I think storing the password in an environment variable and then using it will solve my problem.

Thanks once again for your help and quick response.

Regards,
Amith Goel.

On 18/01/22, 8:24 PM, "Justin Bertram" <jb...@apache.org> wrote:

    Generally speaking the dev list (i.e. this list) is for folks working
    directly on an ActiveMQ code-base. Questions like yours about broker usage
    would typically go to the "users" list. This is noted on the website [1]
    which says:

    > We have two main mailing lists - the users list and the dev list. Choose
    the right list based on whether you’re deploying or using ActiveMQ or
    you’re a developer working directly on one of the ActiveMQ code-bases.

    That said, I'll go ahead and try to answer your question...

    If you omit "--password" from the "create" command you will be asked to
    enter the password interactively. When you enter the password this way it
    won't be echoed on the screen and therefore won't be logged.

    Another option would be to set the password value in your own environment
    variable and use that variable in your command instead of "Password1".

    As for not storing the password in any text file I don't think that's
    possible with any supported configuration. You could manually configure the
    broker to use LDAP instead of properties files for the user credentials,
    but even then you'd have the LDAP password in etc/login.config. It's worth
    noting that user passwords in artemis-users.properties are hashed by
    default and therefore fairly secure.


    Justin

    [1] https://activemq.apache.org/contact

    On Tue, Jan 18, 2022 at 8:05 AM Goel, Amithkumar
    <am...@sap.com.invalid> wrote:

    > Hi,
    >
    > I am not sure if this is the right mailing list for posting a technical
    > query related to ActiveMQ Artemis. Kindly help me out if this is the wrong
    > mailing address.
    > I am using ActiveMQ Artemis and creating the broker instance via the
    > command below:
    >
    > artemis.cmd create --user "Administrator" --password "Password1" --role
    > admin --allow-anonymous y "E:\mybroker"
    >
    > We have Sysmon (
    > https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) enabled,
    > and the above command gets registered in the log file, which stores the
    > password as well, which is a security concern.
    >
    > Is there any way to create a broker without passing the password as a
    > command-line argument? Maybe get it from some environment variable.
    > Also, I don’t want to store the password information in any file (like
    > a config file or any text file).
    >
    > Thanks in advance.
    >
    > Regards,
    > Amith Goel.
    >


Re: Need information on broker instance creation w.r.t security issue in sysmon.

Posted by Justin Bertram <jb...@apache.org>.
Generally speaking the dev list (i.e. this list) is for folks working
directly on an ActiveMQ code-base. Questions like yours about broker usage
would typically go to the "users" list. This is noted on the website [1]
which says:

> We have two main mailing lists - the users list and the dev list. Choose
the right list based on whether you’re deploying or using ActiveMQ or
you’re a developer working directly on one of the ActiveMQ code-bases.

That said, I'll go ahead and try to answer your question...

If you omit "--password" from the "create" command you will be asked to
enter the password interactively. When you enter the password this way it
won't be echoed on the screen and therefore won't be logged.

Another option would be to set the password value in your own environment
variable and use that variable in your command instead of "Password1".

As for not storing the password in any text file I don't think that's
possible with any supported configuration. You could manually configure the
broker to use LDAP instead of properties files for the user credentials,
but even then you'd have the LDAP password in etc/login.config. It's worth
noting that user passwords in artemis-users.properties are hashed by
default and therefore fairly secure.


Justin

[1] https://activemq.apache.org/contact

On Tue, Jan 18, 2022 at 8:05 AM Goel, Amithkumar
<am...@sap.com.invalid> wrote:

> Hi,
>
> I am not sure if this is the right mailing list for posting a technical
> query related to ActiveMQ Artemis. Kindly help me out if this is the wrong
> mailing address.
> I am using ActiveMQ Artemis and creating the broker instance via the
> command below:
>
> artemis.cmd create --user "Administrator" --password "Password1" --role
> admin --allow-anonymous y "E:\mybroker"
>
> We have Sysmon (
> https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) enabled,
> and the above command gets registered in the log file, which stores the
> password as well, which is a security concern.
>
> Is there any way to create a broker without passing the password as a
> command-line argument? Maybe get it from some environment variable.
> Also, I don’t want to store the password information in any file (like
> a config file or any text file).
>
> Thanks in advance.
>
> Regards,
> Amith Goel.
>
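
An added example, not part of the original thread or of the Artemis project: a check that scans Sysmon process-creation events (Event ID 1) for a literal value after "--password" and returns the command line with that value redacted, so the finding itself does not repeat the secret. The sample events are constructed and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# "--password" followed by a quoted or bare value; a following "--option"
# is not treated as a value.
PASSWORD_ARG = re.compile(r'(--password(?:\s+|=))("[^"]*"|(?!--)\S+)', re.IGNORECASE)

TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System>"
    '<EventData><Data Name="CommandLine">{cmd}</Data></EventData></Event>'
)


def make_event(eid, cmd):
    """Build a minimal, constructed Sysmon event record for the samples."""
    return TEMPLATE.format(eid=eid, cmd=escape(cmd))


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Password passed as a literal argument, as in the original post.
    make_event(1, r'artemis.cmd create --user "Administrator" --password "Password1" --role admin --allow-anonymous y "E:\mybroker"'),
    # "--password" omitted: the tool prompts interactively, nothing to log.
    make_event(1, r'artemis.cmd create --user "Administrator" --role admin --allow-anonymous y "E:\mybroker"'),
    # A variable the shell expanded before launch shows up as its value.
    make_event(1, r'artemis.cmd create --user "Administrator" --password ConstructedValue2 --role admin "E:\mybroker"'),
]


def find_password_arg(event_xml):
    """Return the redacted command line if a process-creation event
    carries a --password value, otherwise None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    cmd = root.findtext("e:EventData/e:Data[@Name='CommandLine']", namespaces=NS)
    if not cmd or not PASSWORD_ARG.search(cmd):
        return None
    return PASSWORD_ARG.sub(r"\1<redacted>", cmd)


def scan(events):
    """Return redacted command lines for every event that exposed a password."""
    return [hit for hit in map(find_password_arg, events) if hit is not None]
```
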