[ https://issues.apache.org/jira/browse/AMQ-5860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher L. Shannon resolved AMQ-5860.
-----------------------------------------
    Resolution: Fixed

I have applied this to master.  A password can now be encrypted using the same 
encrypted password strategy as described here: 
http://activemq.apache.org/encrypted-passwords.html

An example of how to configure this is below:


{noformat}
LdapConfiguration { 
   org.apache.activemq.jaas.EncryptableLDAPLoginModule required 
       debug=true
       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory 
       connectionURL="ldap://ldap.acme.com:389"
       connectionUsername="cn=mqbroker,ou=Services,dc=acme,dc=com"
       connectionPassword="ENC(yourEncryptedPasswordHere)"
       connectionProtocol=s 
       authentication=simple 
       userBase="ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
       userRoleName=dummyUserRoleName 
       userSearchMatching="(uid={0})"
       userSearchSubtree=false
       roleBase="ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com"
       roleName=cn 
       roleSearchMatching="(member:=uid={1})"
       roleSearchSubtree=true
       encryptionPassword="encryptionPasswordHere"
       ; 
}; 
{noformat}

Note the use of {{org.apache.activemq.jaas.EncryptableLDAPLoginModule}}.  Also, 
the plaintext password can either be provided by setting {{encryptionPassword}} 
with it as a property, or the environment property 
{{ACTIVEMQ_ENCRYPTION_PASSWORD}} can be set and it will be looked up.  Setting 
{{ACTIVEMQ_ENCRYPTION_PASSWORD}} as an environment variable is also described 
in the URL documentation above.

The wiki page is having issues loading right now but when it is fixed I will 
add this information to the wiki.

> Encrypt connectionPassword in login.conf file when using LDAPLoginModule
> ------------------------------------------------------------------------
>
>                 Key: AMQ-5860
>                 URL: https://issues.apache.org/jira/browse/AMQ-5860
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 5.11.1
>            Reporter: JIE CHEN
>            Assignee: Christopher L. Shannon
>            Priority: Critical
>
> Currently the connectionPassword can only be clear text in the login.conf file if 
> using LDAPLoginModule. It is important to encrypt the password, otherwise it 
> will be a big security issue in some use cases.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
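
An added example, not part of the original message and not ActiveMQ code: a small Python audit that reads a JAAS login.conf and reports how each {{connectionPassword}} is protected, using the module name, the {{ENC(...)}} wrapper, {{encryptionPassword}} and {{ACTIVEMQ_ENCRYPTION_PASSWORD}} from the comment above. It also rejects a {{;}} placed after an individual option, since in the JAAS file format {{;}} ends a module entry. The function names and finding strings are hypothetical, and the parser assumes a file without comments.

```python
import os
import re

TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[{};=]|[^\s{};="]+')
FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse_jaas(text):
    """Return [(entry, module_class, options)] for each module in a login.conf."""
    toks, out, i = TOKEN.findall(text), [], 0
    try:
        while i < len(toks):
            entry, i = toks[i], i + 2          # entry name, then "{"
            while toks[i] != "}":
                cls, flag, i = toks[i], toks[i + 1], i + 2
                if flag not in FLAGS:          # e.g. a stray ";" ended the module early
                    raise ValueError(f"{entry}: bad control flag after {cls!r}")
                opts = {}
                while toks[i] != ";":          # key = value triples
                    opts[toks[i]] = toks[i + 2].strip('"')
                    i += 3
                out.append((entry, cls, opts))
                i += 1                         # ";" closing this module
            i += 2                             # "}" and ";" closing the entry
    except IndexError:
        raise ValueError("truncated login.conf") from None
    return out

def audit(text, env=os.environ):               # returns [(entry, finding)]
    findings = []
    for entry, cls, opts in parse_jaas(text):
        pw = opts.get("connectionPassword")
        if pw is None:
            continue                           # no LDAP bind password here
        if not (pw.startswith("ENC(") and pw.endswith(")")):
            findings.append((entry, "connectionPassword is clear text"))
        elif not cls.endswith(".EncryptableLDAPLoginModule"):
            findings.append((entry, "ENC() value needs EncryptableLDAPLoginModule"))
        elif "encryptionPassword" in opts:
            findings.append((entry, "encryptionPassword stored beside the ciphertext"))
        elif "ACTIVEMQ_ENCRYPTION_PASSWORD" not in env:
            findings.append((entry, "ACTIVEMQ_ENCRYPTION_PASSWORD is not set"))
    return findings

# Constructed sample, not a real deployment.
SAMPLE = '''Inline { org.apache.activemq.jaas.EncryptableLDAPLoginModule required
    connectionPassword="ENC(constructedCiphertext)" encryptionPassword="k" ; };
Plain { org.apache.activemq.jaas.LDAPLoginModule required
    connectionPassword="s3cret" userSearchMatching="(uid={0})" ; };'''
print(audit(SAMPLE))
```

An entry that sets {{encryptionPassword}} inline is reported because anyone who can read the file then holds both the ciphertext and the password that decrypts it.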
