[
https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17417976#comment-17417976
]
Valeriy Ak commented on ARTEMIS-3488:
-------------------------------------
[~jbertram] Thanks for your example, I think this workaround could help me in
my problem.
>However, in either case I don't believe you're significantly increasing the
>security of your system.
It is not so as you thinks.
If you run broker in docker container configs could added from diffrent
sources. For example bootstrap.xml, broker.xml could be added from git
repository if it not countain any secrets!, and AMQ_PASSWORD_CODEC_INIT_KEY
could added from Vault.
It is problem not about runtime. It is problem about maintain broker and
provide access to diffrent peopele configure diffrent parts without compromise
any secrets.
So my new feautre just make artemis more cloud friendly and flexibility (like
you alredy done for AMQ_USER, AMQ_PASSWORD etc env params)
>Furthermore, the codec implementation is *pluggable*.
Yes, but in this way it will be need build my own docker image and store it,
what i would not like to do..
> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
> Key: ARTEMIS-3488
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.18.0
> Reporter: Valeriy Ak
> Priority: Major
> Labels: password, security
>
> Currently all passwords could be masked in broker.xml, bootstap.xml
> However for simmetric password used BlowfishAlgorithm it use default
> internalKey= *clusterpassword*
> (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>
> Also DefaultSensitiveStringCodec (release has only this implementation) has
> option to change initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
> <core xmlns="urn:activemq:core">
> <mask-password>true</mask-password>
>
> <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
> <acceptors>
> <acceptor name="artemis">
>
> tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
> </acceptor>
> </acceptors>
> </core>
> </configuration>
> {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema";>
> <web bind="https://0.0.0.0:8161"; path="web"
> keyStorePath="/var/run/stores/keystore/keystore.jks"
>
> passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
> keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
> </web>
> </broker> {code}
>
> So .. it just added another step for a hacker to get all passwords.
> For examle - it easy to decrypt all passwords uses tool like -
> [http://blowfish.online-domain-tools.com/])
>
> What need to do:
> # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER,
> AMQ_PASSWORD)
> # DefaultSensitiveStringCodec.BlowfishAlgorithm get this parameter as
> initKey by default. If key passed - use it
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
