[
https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Valeriy Ak updated ARTEMIS-3488:
--------------------------------
Description:
Currently all passwords can be masked in broker.xml and bootstrap.xml.
However, for symmetric passwords the BlowfishAlgorithm used has a default
internalKey = *clusterpassword*
(org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
Also, DefaultSensitiveStringCodec (the release has only this implementation) has
an option to change the initKey, but it looks too silly:
broker.xml
{code:xml}
<configuration>
  <core xmlns="urn:activemq:core">
    <mask-password>true</mask-password>
    <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10</acceptor>
    </acceptors>
  </core>
</configuration>
{code}
bootstrap.xml
{code:xml}
<broker xmlns="http://activemq.org/schema">
  <web bind="https://0.0.0.0:8161" path="web"
       keyStorePath="/var/run/stores/keystore/keystore.jks"
       passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
       keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
  </web>
</broker>
{code}
So... it just adds another step for a hacker to get all passwords.
For example, it is easy to decrypt all passwords using a tool like
[http://blowfish.online-domain-tools.com/]
What needs to be done:
# Add an optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
# DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as initKey
by default. If a key is passed, use it.
was:
Currently all passwords can be masked in broker.xml and bootstrap.xml.
However, for symmetric passwords the BlowfishAlgorithm used has a default
internalKey = *clusterpassword*
(org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
Also, DefaultSensitiveStringCodec (the release has only this implementation) has
an option to change the initKey, but it looks too silly:
broker.xml
{code:xml}
<configuration>
  <core xmlns="urn:activemq:core">
    <mask-password>true</mask-password>
    <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10</acceptor>
    </acceptors>
  </core>
</configuration>
{code}
bootstrap.xml
{code:xml}
<broker xmlns="http://activemq.org/schema">
  <web bind="https://0.0.0.0:8161" path="web"
       keyStorePath="/var/run/stores/keystore/keystore.jks"
       passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
       keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
  </web>
</broker>
{code}
So... it just adds another step for a hacker to get all passwords.
For example, it is easy to get all passwords using a tool like
[http://blowfish.online-domain-tools.com/]
What needs to be done:
# Add an optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
# DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as initKey
by default. If a key is passed, use it.
> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
> Key: ARTEMIS-3488
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.18.0
> Reporter: Valeriy Ak
> Priority: Major
> Labels: password, security
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
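An added configuration audit, written for this page and not part of the Artemis project or the issue, that flags the two weak setups the issue describes: masking enabled with the default Blowfish key, or the codec key= parameter stored inline in the same file as the masked values. It assumes the AMQ_PASSWORD_CODEC_INIT_KEY environment variable proposed in the issue (not an existing Artemis setting), and the sample XML is constructed from the issue's snippets.

```python
# Added example (not Artemis code): audit broker.xml / bootstrap.xml for weak password masking.
# AMQ_PASSWORD_CODEC_INIT_KEY is the variable proposed in the issue, not an existing Artemis setting.
import os
import xml.etree.ElementTree as ET

CORE_NS = "{urn:activemq:core}"
WEB_TAG = "{http://activemq.org/schema}web"
ENV_KEY = "AMQ_PASSWORD_CODEC_INIT_KEY"

# Constructed samples mirroring the issue's snippets (masked value copied from the issue).
BROKER_XML = """<configuration><core xmlns="urn:activemq:core">
<mask-password>true</mask-password>
<password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
<acceptors><acceptor name="artemis">tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10</acceptor></acceptors>
</core></configuration>"""
BOOTSTRAP_XML = """<broker xmlns="http://activemq.org/schema">
<web bind="https://0.0.0.0:8161" path="web" keyStorePath="/var/run/stores/keystore/keystore.jks"
     keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)"/></broker>"""

def codec_key(codec_spec):
    """Return the key= parameter of 'Class;key=abc', or None when no key is configured."""
    for part in (codec_spec or "").split(";")[1:]:
        name, _, value = part.partition("=")
        if name.strip() == "key":
            return value.strip()
    return None

def audit_codec(codec_spec, env=None):
    """Report how the Blowfish init key for a masked value would be sourced."""
    env = os.environ if env is None else env
    if env.get(ENV_KEY):
        return []  # key supplied out of band: config files alone no longer reveal the passwords
    if codec_key(codec_spec) is None:
        return ["default Blowfish key: masked values are reversible by anyone with the codec"]
    return ["codec key stored inline beside the masked values: masking adds no secrecy"]

def audit_broker_xml(text, env=None):
    """Only check <core> when mask-password is enabled; otherwise nothing is masked."""
    core = ET.fromstring(text).find(CORE_NS + "core")
    if (core.findtext(CORE_NS + "mask-password") or "").strip().lower() != "true":
        return []
    return audit_codec(core.findtext(CORE_NS + "password-codec"), env)

def audit_bootstrap_xml(text, env=None):
    """Each <web> element with an ENC(...) keystore password relies on its own passwordCodec."""
    findings = []
    for web in ET.fromstring(text).iter(WEB_TAG):
        if web.get("keyStorePassword", "").startswith("ENC("):
            findings += audit_codec(web.get("passwordCodec"), env)
    return findings
```

Run against the two samples, the broker.xml reports the inline key and the bootstrap.xml (which has no passwordCodec attribute) reports the default key; setting the proposed variable clears both.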