Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/09/30 15:14:00 UTC

[jira] [Work logged] (ARTEMIS-3488) Create env variable AMQ_PASSWORD_CODEC_INIT_KEY

     [ https://issues.apache.org/jira/browse/ARTEMIS-3488?focusedWorklogId=658425&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-658425 ]

ASF GitHub Bot logged work on ARTEMIS-3488:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 30/Sep/21 15:13
            Start Date: 30/Sep/21 15:13
    Worklog Time Spent: 10m 
      Work Description: jbertram closed pull request #3767:
URL: https://github.com/apache/activemq-artemis/pull/3767

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscribe@activemq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 658425)
    Time Spent: 20m  (was: 10m)

> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
>                 Key: ARTEMIS-3488
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 2.18.0
>            Reporter: Valeriy Ak
>            Priority: Major
>              Labels: password, security
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently all passwords could be masked in broker.xml, bootstrap.xml
> However, for the symmetric password codec BlowfishAlgorithm, it uses the default internalKey= *clusterpassword* (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>  
> Also DefaultSensitiveStringCodec (the release has only this implementation) has an option to change initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
>     <core xmlns="urn:activemq:core">
>         <mask-password>true</mask-password>
>         <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
>         <acceptors>
>             <acceptor name="artemis">
>                 tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
>             </acceptor>
>         </acceptors>
>     </core>
> </configuration>
> {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema">
>     <web bind="https://0.0.0.0:8161" path="web"
>          keyStorePath="/var/run/stores/keystore/keystore.jks"
>          passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
>          keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
>     </web>
> </broker>
> {code}
>  
> So it just adds another step for a hacker to get all passwords.
> For example, it is easy to decrypt all passwords using a tool like
> [http://blowfish.online-domain-tools.com/]
>  
> What needs to be done:
>  # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
>  # DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as initKey by default. If a key is passed, use it.
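A defender-side audit, added here as an illustration and not part of the ticket or of the Artemis code base: it parses config fragments shaped like the two quoted above, picks out every codec declaration (the `password-codec` element in broker.xml, the `passwordCodec` attribute in bootstrap.xml) and rates each as relying on the built-in default key, as keeping the key in the same file as the masked values, or as a custom codec. The sample XML is constructed, and the rating names and the `audit`/`classify_codec` functions are this example's own, not Artemis APIs.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two fragments in the ticket (not real broker files).
BROKER_SAMPLE = """<configuration>
  <core xmlns="urn:activemq:core">
    <mask-password>true</mask-password>
  </core>
</configuration>"""
BOOTSTRAP_SAMPLE = """<broker xmlns="http://activemq.org/schema">
  <web bind="https://0.0.0.0:8161" path="web"
       passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
       keyStorePassword="ENC(MASKED)"/>
</broker>"""

DEFAULT_CODEC = "org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec"

def parse_codec_spec(spec):
    """Split 'class;k1=v1;k2=v2' into (class, {k1: v1, ...})."""
    parts = [p.strip() for p in spec.split(";") if p.strip()]
    props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0], props

def classify_codec(spec):
    """Rate one codec declaration; the rating names are this example's own."""
    cls, props = parse_codec_spec(spec)
    if cls != DEFAULT_CODEC:
        return "custom-codec"     # user-supplied codec; not judged here
    if "key" in props:
        return "key-in-config"    # key stored in the same file as the masked values
    return "default-key"          # built-in codec falls back to its well-known key

def audit(xml_text):
    """Return {location: rating} for each codec-relevant spot in one config file."""
    root = ET.fromstring(xml_text)
    findings, masked = {}, False
    for el in root.iter():
        name = el.tag.split("}")[-1]          # strip the XML namespace
        if name == "password-codec":
            findings["password-codec"] = classify_codec((el.text or "").strip())
        elif name == "mask-password" and (el.text or "").strip() == "true":
            masked = True
        for attr, value in el.attrib.items():
            if attr == "passwordCodec":
                findings[f"{name}@{attr}"] = classify_codec(value)
            elif value.startswith("ENC("):
                masked = True
    if masked and not findings:               # masked values but no codec declared
        findings["<implicit>"] = "default-key"
    return findings
```

Run over real broker.xml and bootstrap.xml files, any `default-key` or `key-in-config` finding marks a deployment that the proposed AMQ_PASSWORD_CODEC_INIT_KEY environment variable would let you move the key out of.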



--
This message was sent by Atlassian Jira
(v8.3.4#803005)