Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/09/20 20:36:00 UTC

[jira] [Comment Edited] (ARTEMIS-3488) Create env variable AMQ_PASSWORD_CODEC_INIT_KEY

    [ https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17417806#comment-17417806 ] 

Justin Bertram edited comment on ARTEMIS-3488 at 9/20/21, 8:35 PM:
-------------------------------------------------------------------

If you want to set a system property named {{AMQ_PASSWORD_CODEC_INIT_KEY}} and then use that value in your broker configuration then you can _already_ do that via system property substitution. For example, you can add a line like this in {{etc/artemis.profile}} to define the system property with your chosen key value:

{noformat}
JAVA_ARGS="$JAVA_ARGS -DAMQ_PASSWORD_CODEC_INIT_KEY=changeit"
{noformat}

And then use that property in {{bootstrap.xml}}:

{code:xml}
<broker xmlns="http://activemq.org/schema">
    <web bind="https://0.0.0.0:8161" path="web"
         keyStorePath="/var/run/stores/keystore/keystore.jks"
         passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=${AMQ_PASSWORD_CODEC_INIT_KEY}"
         keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
    </web>
</broker>
{code}

You could even use an environment variable for the value of the key in {{artemis.profile}} instead so that it's not actually in a text file.

However, in either case I don't believe you're significantly increasing the security of your system. These configuration files should be secured with proper access control so that only authorized users can access them. If an unauthorized user has already gained access to these files on your production system(s) then they can almost certainly get a heap dump from the broker's JVM and pull out the password that way. The fundamental issue here is that the broker has to _use_ these passwords which means no matter how they are masked they must be able to be unmasked at run-time by the broker. This is why we refer to this process as _masking_ and not _encrypting_. The best we can do is to simply obfuscate the password. I don't see any way around this.

Furthermore, the codec implementation is *pluggable*. If you don't like the default implementation then you can implement any kind of masking behavior you want. Your plugin implementation can read from system properties, environment variables, a remote repository, etc.


was (Author: jbertram):
If you want to set a system property named {{AMQ_PASSWORD_CODEC_INIT_KEY}} and then use that value in your broker configuration then you can _already_ do that via system property substitution. For example, you can add a line like this in {{etc/artemis.profile}} to define the system property with your chosen key value:

{noformat}
JAVA_ARGS="-DAMQ_PASSWORD_CODEC_INIT_KEY=changeit"
{noformat}

And then use that property in {{bootstrap.xml}}:

{code:xml}
<broker xmlns="http://activemq.org/schema">
    <web bind="https://0.0.0.0:8161" path="web"
         keyStorePath="/var/run/stores/keystore/keystore.jks"
         passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=${AMQ_PASSWORD_CODEC_INIT_KEY}"
         keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
    </web>
</broker>
{code}

You could even use an environment variable for the value of the key in {{artemis.profile}} instead so that it's not actually in a text file.

However, in either case I don't believe you're significantly increasing the security of your system. These configuration files should be secured with proper access control so that only authorized users can access them. If an unauthorized user has already gained access to these files on your production system(s) then they can almost certainly get a heap dump from the broker's JVM and pull out the password that way. The fundamental issue here is that the broker has to _use_ these passwords which means no matter how they are masked they must be able to be unmasked at run-time by the broker. This is why we refer to this process as _masking_ and not _encrypting_. The best we can do is to simply obfuscate the password. I don't see any way around this.

Furthermore, the codec implementation is *pluggable*. If you don't like the default implementation then you can implement any kind of masking behavior you want. Your plugin implementation can read from system properties, environment variables, a remote repository, etc.

> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
>                 Key: ARTEMIS-3488
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 2.18.0
>            Reporter: Valeriy Ak
>            Priority: Major
>              Labels: password, security
>
> Currently all passwords could be masked in broker.xml, bootstrap.xml
> However, for symmetric passwords the BlowfishAlgorithm is used, and it uses the default internalKey= *clusterpassword* (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>  
> Also DefaultSensitiveStringCodec (the release has only this implementation) has an option to change initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
>     <core xmlns="urn:activemq:core">
>         <mask-password>true</mask-password>
>         <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
>         <acceptors>
>             <acceptor name="artemis">
>                 tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
>             </acceptor>
>         </acceptors>
>     </core>
> </configuration>
>  {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema">
>     <web bind="https://0.0.0.0:8161" path="web"
>          keyStorePath="/var/run/stores/keystore/keystore.jks"
>          passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
>          keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
>     </web>
> </broker>
> {code}
>  
> So, it just added another step for a hacker to get all passwords.
>  For example, it is easy to decrypt all passwords using a tool like
>  [http://blowfish.online-domain-tools.com/]
>  
> What needs to be done:
>  # Add an optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
>  # DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as initKey by default. If a key is passed, use it
>  
>  
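
The pluggable codec mentioned in the comment above, as an added example that is not part of the original message or of the Artemis code base: a {{SensitiveDataCodec}} that takes its key only from the {{AMQ_PASSWORD_CODEC_INIT_KEY}} environment variable and refuses to run without it. The class name {{EnvKeyCodec}}, the fixed salt, the PBKDF2 iteration count and the use of AES-GCM in place of Blowfish are assumptions of this example; the broker still unmasks the value at run-time, so this remains masking in the sense the comment describes.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.activemq.artemis.utils.SensitiveDataCodec;

public class EnvKeyCodec implements SensitiveDataCodec<String> { // hypothetical class name
   private static final String ENV = "AMQ_PASSWORD_CODEC_INIT_KEY";
   private SecretKeySpec key;

   // Derived on first use so the codec works whether or not init() is called.
   private synchronized SecretKeySpec key() throws Exception {
      if (key == null) {
         String secret = System.getenv(ENV);
         if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException(ENV + " is not set"); // fail closed, no default key
         }
         // Constructed fixed salt: the same variable must give the same key on every start.
         byte[] salt = "EnvKeyCodec".getBytes(StandardCharsets.UTF_8);
         PBEKeySpec spec = new PBEKeySpec(secret.toCharArray(), salt, 100_000, 256);
         key = new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
               .generateSecret(spec).getEncoded(), "AES");
      }
      return key;
   }

   @Override
   public String encode(Object secret) throws Exception {
      byte[] iv = new byte[12]; // fresh nonce per value, stored in front of the ciphertext
      new SecureRandom().nextBytes(iv);
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
      c.init(Cipher.ENCRYPT_MODE, key(), new GCMParameterSpec(128, iv));
      byte[] ct = c.doFinal(secret.toString().getBytes(StandardCharsets.UTF_8));
      byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
      return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
   }

   @Override
   public String decode(Object mask) throws Exception {
      byte[] in = Base64.getUrlDecoder().decode(mask.toString());
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
      c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(128, in, 0, 12));
      return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // throws if tampered
   }
}
```

With the jar on the broker's classpath, the class name would replace {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}} in {{password-codec}} and {{passwordCodec}}.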


