You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/09/20 20:37:00 UTC

[jira] [Resolved] (ARTEMIS-3488) Create env variable AMQ_PASSWORD_CODEC_INIT_KEY

     [ https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-3488.
-------------------------------------
    Resolution: Won't Do

> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
>                 Key: ARTEMIS-3488
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 2.18.0
>            Reporter: Valeriy Ak
>            Priority: Major
>              Labels: password, security
>
> Currently all passwords could be masked in broker.xml, bootstap.xml
> However for simmetric password used BlowfishAlgorithm it use default internalKey= *clusterpassword* (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>  
> Also DefaultSensitiveStringCodec (release has only this implementation) has option to change initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
>     <core xmlns="urn:activemq:core">
>     <mask-password>true</mask-password> 
>     <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
>     <acceptors>
>         <acceptor name="artemis">
>             tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
>         </acceptor>
>     </acceptors>
> </core>
> </configuration>
>  {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema">
>     <web bind="https://0.0.0.0:8161" path="web"
>          keyStorePath="/var/run/stores/keystore/keystore.jks"
>          passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
>          keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
>      </web>
> </broker> {code}
>  
> So .. it just added another step for a hacker to get all passwords. 
>  For examle - it easy to decrypt all passwords uses tool like - 
>  [http://blowfish.online-domain-tools.com/])
>  
> What need to do:
>  # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
>  # DefaultSensitiveStringCodec.BlowfishAlgorithm get this parameter as initKey by default. If key passed - use it
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)