[
https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17418188#comment-17418188
]
Justin Bertram commented on ARTEMIS-3488:
-----------------------------------------
bq. For example bootstrap.xml, broker.xml could be added from git repository if
it not countain any secrets!, and AMQ_PASSWORD_CODEC_INIT_KEY could added from
Vault.
As noted, you can _already_ do this same basic thing with all the existing
functionality.
bq. So my new feautre just make artemis more cloud friendly and flexibility
(like you alredy done for AMQ_USER, AMQ_PASSWORD etc env params)
What specifically was done for {{AMQ_USER}}, {{AMQ_PASSWORD}}, etc.?
Perhaps it would be best if you sent a PR with your prospective changes so I
could better understand what you're proposing. Would you be willing to do that?
> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
> Key: ARTEMIS-3488
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.18.0
> Reporter: Valeriy Ak
> Priority: Major
> Labels: password, security
>
> Currently all passwords could be masked in broker.xml, bootstap.xml
> However for simmetric password used BlowfishAlgorithm it use default
> internalKey= *clusterpassword*
> (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>
> Also DefaultSensitiveStringCodec (release has only this implementation) has
> option to change initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
> <core xmlns="urn:activemq:core">
> <mask-password>true</mask-password>
>
> <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
> <acceptors>
> <acceptor name="artemis">
>
> tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
> </acceptor>
> </acceptors>
> </core>
> </configuration>
> {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema";>
> <web bind="https://0.0.0.0:8161"; path="web"
> keyStorePath="/var/run/stores/keystore/keystore.jks"
>
> passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
> keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
> </web>
> </broker> {code}
>
> So .. it just added another step for a hacker to get all passwords.
> For examle - it easy to decrypt all passwords uses tool like -
> [http://blowfish.online-domain-tools.com/])
>
> What need to do:
> # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER,
> AMQ_PASSWORD)
> # DefaultSensitiveStringCodec.BlowfishAlgorithm get this parameter as
> initKey by default. If key passed - use it
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
