Posted to commits@activemq.apache.org by cl...@apache.org on 2018/09/21 15:51:01 UTC

[2/2] activemq-artemis git commit: ARTEMIS-2087 support masked passwords in management.xml

ARTEMIS-2087 support masked passwords in management.xml


Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/07e14c15
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/07e14c15
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/07e14c15

Branch: refs/heads/master
Commit: 07e14c1582c44409ed778805ff5c0018f8671544
Parents: cf525f0
Author: Justin Bertram <jb...@apache.org>
Authored: Thu Sep 13 16:50:07 2018 -0500
Committer: Clebert Suconic <cl...@apache.org>
Committed: Fri Sep 21 11:50:38 2018 -0400

----------------------------------------------------------------------
 .../cli/factory/jmx/ManagementFactory.java      |  2 +-
 .../activemq/artemis/dto/JMXConnectorDTO.java   | 17 +++++++++++----
 docs/user-manual/en/management.md               | 10 +++++++--
 docs/user-manual/en/masking-passwords.md        | 23 ++++++++++++++++++++
 4 files changed, 45 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/07e14c15/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
index 235cdf6..79e241e 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
@@ -60,7 +60,7 @@ public class ManagementFactory {
       return createJmxAclConfiguration(new URI(configuration), artemisHome, artemisInstance, artemisURIInstance);
    }
 
-   public static ManagementContext create(ManagementContextDTO config) {
+   public static ManagementContext create(ManagementContextDTO config) throws Exception {
       ManagementContext context = new ManagementContext();
 
       if (config.getAuthorisation() != null) {
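Review bot: `throws Exception` on the public static `create` is broader than this change appears to need, and it forces every caller to catch or propagate a bare `Exception` without knowing why. The only new failure source visible in this commit is the masked-password resolution added to `JMXConnectorDTO`, so the signature should at least be documented, e.g. `@throws Exception if a masked key-store or trust-store password cannot be resolved`. The body of `create` continues outside the hunk, so whether anything else in it throws cannot be confirmed from here.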

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/07e14c15/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
----------------------------------------------------------------------
diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
index 617a570..bd78481 100644
--- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
+++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
@@ -22,6 +22,8 @@ import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlAttribute;
 import javax.xml.bind.annotation.XmlRootElement;
 
+import org.apache.activemq.artemis.utils.PasswordMaskingUtil;
+
 @XmlRootElement(name = "connector")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class JMXConnectorDTO {
@@ -62,6 +64,9 @@ public class JMXConnectorDTO {
    @XmlAttribute (name = "trust-store-password")
    String trustStorePassword;
 
+   @XmlAttribute (name = "password-codec")
+   String passwordCodec;
+
    public String getConnectorHost() {
       return connectorHost;
    }
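Review bot: The new `passwordCodec` field takes a fully qualified class name straight from the `password-codec` attribute of management.xml and carries no comment about where the value comes from or how far it is trusted. The codec is presumably instantiated by name inside `PasswordMaskingUtil` (not visible here), which means whoever can write management.xml decides which class on the broker classpath gets loaded; the file therefore needs the same write protection as the keystores it points to. I would document that on the field, e.g. `// FQCN of the password codec from management.xml, resolved by PasswordMaskingUtil; the file is trusted configuration and must not be writable by unprivileged users`.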
@@ -94,8 +99,8 @@ public class JMXConnectorDTO {
       return keyStorePath;
    }
 
-   public String getKeyStorePassword() {
-      return keyStorePassword;
+   public String getKeyStorePassword() throws Exception {
+      return getPassword(keyStorePassword);
    }
 
    public String getTrustStoreProvider() {
@@ -106,7 +111,11 @@ public class JMXConnectorDTO {
       return trustStorePath;
    }
 
-   public String getTrustStorePassword() {
-      return trustStorePassword;
+   public String getTrustStorePassword() throws Exception {
+      return getPassword(trustStorePassword);
+   }
+
+   private String getPassword(String password) throws Exception {
+      return PasswordMaskingUtil.resolveMask(null, password, this.passwordCodec);
    }
 }
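Review bot: `getPassword` forwards the raw attribute to `PasswordMaskingUtil.resolveMask` with no null check, so what `getKeyStorePassword()` and `getTrustStorePassword()` return when the attribute is absent now depends on how `resolveMask` treats a null password, which is not visible in this commit. A guard such as `if (password == null) return null;` before the call would keep the previous behaviour for connectors configured without these passwords. Because the mask flag is passed as `null`, masking is presumably detected only from the `ENC()` wrapper. A malformed wrapper would then likely be used as the literal password with no decoding error; the `key-store-password="ENC(...` example in this commit's masking-passwords.md hunk has no closing parenthesis. A short Javadoc on `getPassword` stating that only well-formed `ENC(...)` values are decoded and everything else is returned unchanged would make that contract explicit.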

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/07e14c15/docs/user-manual/en/management.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/management.md b/docs/user-manual/en/management.md
index 82bf142..90546a2 100644
--- a/docs/user-manual/en/management.md
+++ b/docs/user-manual/en/management.md
@@ -444,7 +444,7 @@ You can also configure the connector using the following:
    
 - `key-store-password`
    
-  The keystore password.
+  The keystore password. This can be [masked](masking-passwords.md).
    
 - `key-store-provider`
 
@@ -456,12 +456,18 @@ You can also configure the connector using the following:
    
 - `trust-store-password`
    
-  The trustore password.
+  The trustore password. This can be [masked](masking-passwords.md).
    
 - `trust-store-provider`
    
   The provider; `JKS` by default.
 
+- `password-codec`
+
+  The fully qualified class name of the password codec to use. See the
+  [password masking](masking-passwords.md) documentation for more details on
+  how this works.
+
 > **Note:**
 >
 > It is important to note that the rmi registry will pick an ip address to bind

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/07e14c15/docs/user-manual/en/masking-passwords.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/masking-passwords.md b/docs/user-manual/en/masking-passwords.md
index c7332c7..7824b11 100644
--- a/docs/user-manual/en/masking-passwords.md
+++ b/docs/user-manual/en/masking-passwords.md
@@ -155,6 +155,29 @@ codec other than the default one. For example
 </web>
 ```
 
+#### Passwords in management.xml
+
+The broker embeds a JMX connector which is used for management. The connector can
+be secured using SSL and it can be configured with a keystore password and/or
+truststore password which by default are specified in plain text forms.
+
+To mask these passwords you need to use `ENC()` syntax. The `mask-password`
+boolean is not supported here.
+
+You can also set the `password-codec` attribute if you want to use a password
+codec other than the default one. For example
+
+```xml
+<connector
+      connector-port="1099"
+      connector-host="localhost"
+      secured="true"
+      key-store-path="myKeystore.jks"
+      key-store-password="ENC(3a34fd21b82bf2a822fa49a8d8fa115d"
+      trust-store-path="myTruststore.jks"
+      trust-store-password="ENC(3a34fd21b82bf2a822fa49a8d8fa115d)"/>
+```
+
 ### Passwords for the JCA Resource Adapter
 
 Both ra.xml and MDB activation configuration have a `password` property that