Posted to issues@activemq.apache.org by "Valeriy Ak (Jira)" <ji...@apache.org> on 2021/09/17 07:47:00 UTC
[jira] [Created] (ARTEMIS-3488) Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
Valeriy Ak created ARTEMIS-3488:
-----------------------------------
Summary: Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
Key: ARTEMIS-3488
URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
Project: ActiveMQ Artemis
Issue Type: New Feature
Components: Configuration
Affects Versions: 2.18.0
Reporter: Valeriy Ak
Currently all passwords can be masked in broker.xml and bootstrap.xml.
However, for the symmetric password the BlowfishAlgorithm is used, and it uses the default internalKey = *clusterpassword* (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129).
Also, DefaultSensitiveStringCodec (the image has only this implementation) has an option to change the initKey, but it looks too silly:
broker.xml
{code:java}
<configuration>
<core xmlns="urn:activemq:core">
<mask-password>true</mask-password>
<password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeig</password-codec>
<acceptors>
<acceptor name="artemis">
tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
</acceptor>
</acceptors>
</core>
</configuration>
{code}
bootstrap.xml
{code:java}
<broker xmlns="http://activemq.org/schema">
<web bind="https://0.0.0.0:8161" path="web"
keyStorePath="/var/run/stores//keystore/keystore.jks"
passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeig"
keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
</web>
</broker>
{code}
So .. it just adds another step for a hacker to get all passwords.
For example, it is easy to get all passwords using a tool like
http://blowfish.online-domain-tools.com/
What needs to be done:
# Add an optional parameter AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
# DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as the initKey by default. If a key is passed, use it
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
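Added example (not part of the ticket and not Artemis code) to make the reporter's point concrete: a Blowfish-masked password whose init key is the codec default, or is written into the same broker.xml/bootstrap.xml as the ciphertext, is obfuscated rather than protected. The example assumes the JDK "Blowfish" transformation (ECB/PKCS5Padding by default) with hex output, matching the DefaultSensitiveStringCodec.BlowfishAlgorithm the ticket references; the sample secret is constructed, the key "changeig" is taken from the ticket's snippets, and AMQ_PASSWORD_CODEC_INIT_KEY is the variable the ticket proposes, not an existing one.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/*
 * Demo only, not Artemis code. Mask/unmask a password the way the ticket
 * describes DefaultSensitiveStringCodec.BlowfishAlgorithm doing it
 * (assumed: JDK "Blowfish" = ECB/PKCS5Padding, hex-encoded output),
 * then show what changes when the init key comes from the environment.
 */
public class MaskedPasswordDemo {

    // Default initKey the reporter quotes for BlowfishAlgorithm.
    static final String DEFAULT_KEY = "clusterpassword";

    static String mask(String secret, String key) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE,
                new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "Blowfish"));
        return toHex(cipher.doFinal(secret.getBytes(StandardCharsets.UTF_8)));
    }

    static String unmask(String maskedHex, String key) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.DECRYPT_MODE,
                new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "Blowfish"));
        return new String(cipher.doFinal(fromHex(maskedHex)), StandardCharsets.UTF_8);
    }

    // Strip the ENC(...) wrapper bootstrap.xml uses around a masked value.
    static String stripEnc(String value) {
        if (value.startsWith("ENC(") && value.endsWith(")")) {
            return value.substring(4, value.length() - 1);
        }
        return value;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String secret = "keystore-s3cret"; // constructed sample, not a real password

        // 1. Masked with the default key: the key is public, so anyone who can
        //    read broker.xml recovers the plaintext.
        String masked = mask(secret, DEFAULT_KEY);
        System.out.println("masked (default key): " + masked);
        System.out.println("recovered:            " + unmask(masked, DEFAULT_KEY));

        // 2. Masked with key=... from <password-codec>/passwordCodec: the key
        //    now sits in the same config file as the ciphertext.
        String keyFromConfig = "changeig"; // key string from the ticket's snippets
        String wrapped = "ENC(" + mask(secret, keyFromConfig) + ")";
        System.out.println("bootstrap.xml value:  " + wrapped);
        System.out.println("recovered with key from config: "
                + unmask(stripEnc(wrapped), keyFromConfig));

        // 3. What the ticket proposes: read the init key from the environment
        //    so it is not stored next to the ciphertext. (Proposed variable,
        //    not an existing one.)
        String envKey = System.getenv("AMQ_PASSWORD_CODEC_INIT_KEY");
        boolean fromEnv = envKey != null && !envKey.isEmpty();
        String key = fromEnv ? envKey : DEFAULT_KEY;
        System.out.println("init key source:      " + (fromEnv ? "environment" : "default"));
        System.out.println("round trip ok:        " + unmask(mask(secret, key), key).equals(secret));
    }
}
```

Run it once without the variable and once with AMQ_PASSWORD_CODEC_INIT_KEY set: in the first two cases everything needed to unmask the value is either public or in the config file itself, which is the ticket's complaint; in the third case the file alone no longer suffices. Note that moving the key to the environment still leaves it readable by anyone who can inspect the broker process, so it raises the bar rather than replacing a proper secret store.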