You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Valeriy Ak (Jira)" <ji...@apache.org> on 2021/09/17 07:47:00 UTC

[jira] [Created] (ARTEMIS-3488) Create env variable AMQ_PASSWORD_CODEC_INIT_KEY

Valeriy Ak created ARTEMIS-3488:
-----------------------------------

             Summary: Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
                 Key: ARTEMIS-3488
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
             Project: ActiveMQ Artemis
          Issue Type: New Feature
          Components: Configuration
    Affects Versions: 2.18.0
            Reporter: Valeriy Ak


Currently all passwords could be masked in broker.xml, bootstap.xml

However for simmetric password used BlowfishAlgorithm it use default internalKey= *clusterpassword* (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)

 

Also DefaultSensitiveStringCodec (image has only this implementation) has option to change initKey, but it look too silly:

broker.xml
{code:java}
<configuration>

    <core xmlns="urn:activemq:core">

    <mask-password>true</mask-password> 
    <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeig</password-codec>

    <acceptors>
        <acceptor name="artemis">
            tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
        </acceptor>
    </acceptors>
</core>
</configuration>

 {code}
bootstrap.xml
{code:java}
<broker xmlns="http://activemq.org/schema">
    <web bind="https://0.0.0.0:8161" path="web"
         keyStorePath="/var/run/stores//keystore/keystore.jks"
         passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeig"
         keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
     </web>
</broker> {code}
 

So .. it just added another step for hacker to get all passwords. 
For examle - it easy to get all passwords uses tool like - 
http://blowfish.online-domain-tools.com/)

 

What need to do:
 # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
 # DefaultSensitiveStringCodec.BlowfishAlgorithm get this parameter as initKey by default. If key passed - use it

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)