[jira] [Commented] (ARTEMIS-3488) Create env variable AMQ_PASSWORD_CODEC_INIT_KEY

Wed, 22 Sep 2021 02:23:06 -0700 


    [ 
https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17418483#comment-17418483
 ] 

Valeriy Ak commented on ARTEMIS-3488:
-------------------------------------

{quote}As noted, you can _already_ do this same basic thing with all the 
existing functionality.
{quote}
Yes. But it not obviously by documentation :)  
{quote}Perhaps it would be best if you sent a PR with your prospective changes 
so I could better understand what you're proposing. Would you be willing to do 
that?
{quote}
[~jbertram] sure, here you are - draft 
[https://github.com/apache/activemq-artemis/pull/3767]

 

> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
>                 Key: ARTEMIS-3488
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 2.18.0
>            Reporter: Valeriy Ak
>            Priority: Major
>              Labels: password, security
>
> Currently all passwords could be masked in broker.xml, bootstap.xml
> However for simmetric password used BlowfishAlgorithm it use default 
> internalKey= *clusterpassword* 
> (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>  
> Also DefaultSensitiveStringCodec (release has only this implementation) has 
> option to change initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
>     <core xmlns="urn:activemq:core">
>     <mask-password>true</mask-password> 
>     
> <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
>     <acceptors>
>         <acceptor name="artemis">
>             
> tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
>         </acceptor>
>     </acceptors>
> </core>
> </configuration>
>  {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema";>
>     <web bind="https://0.0.0.0:8161"; path="web"
>          keyStorePath="/var/run/stores/keystore/keystore.jks"
>          
> passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
>          keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
>      </web>
> </broker> {code}
>  
> So .. it just added another step for a hacker to get all passwords. 
>  For examle - it easy to decrypt all passwords uses tool like - 
>  [http://blowfish.online-domain-tools.com/])
>  
> What need to do:
>  # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, 
> AMQ_PASSWORD)
>  # DefaultSensitiveStringCodec.BlowfishAlgorithm get this parameter as 
> initKey by default. If key passed - use it
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to