[
https://issues.apache.org/jira/browse/ARTEMIS-3488?focusedWorklogId=658462&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-658462
]
ASF GitHub Bot logged work on ARTEMIS-3488:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 30/Sep/21 16:04
Start Date: 30/Sep/21 16:04
Worklog Time Spent: 10m
Work Description: Akvel commented on pull request #3780:
URL: https://github.com/apache/activemq-artemis/pull/3780#issuecomment-931457986
@jbe
> @Akvel, the parameter is already in the `artemis` script which is called
> by `docker-run.sh`. I don't see how adding it to `docker-run.sh` would be
> helpful.
>
> Are you suggesting that a place to set the _value_ of
> `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` should be added to
> `docker-run.sh`? If so, I would push back on that since one of the goals with
> adding this environment property in the first place is so that the value of the
> key _doesn't_ appear in any file (script or otherwise). Whoever calls
> `docker-run.sh` can set `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` in their
> environment.
You are right. I missed that artemis already gets this param from env.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 658462)
Time Spent: 1h (was: 50m)
> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
> Key: ARTEMIS-3488
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.18.0
> Reporter: Valeriy Ak
> Priority: Major
> Labels: password, security
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Currently all passwords can be masked in broker.xml and bootstrap.xml.
> However, for symmetric passwords the BlowfishAlgorithm used has the default
> internalKey= *clusterpassword*
> (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>
> Also DefaultSensitiveStringCodec (the release has only this implementation) has an
> option to change the initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
>   <core xmlns="urn:activemq:core">
>     <mask-password>true</mask-password>
>     <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
>     <acceptors>
>       <acceptor name="artemis">
>         tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
>       </acceptor>
>     </acceptors>
>   </core>
> </configuration>
> {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema">
>   <web bind="https://0.0.0.0:8161" path="web"
>        keyStorePath="/var/run/stores/keystore/keystore.jks"
>        passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
>        keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
>   </web>
> </broker>
> {code}
>
> So .. it just adds another step for a hacker to get all passwords.
> For example, it is easy to decrypt all passwords using a tool like
> [http://blowfish.online-domain-tools.com/]
>
> What needs to be done:
> # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER,
> AMQ_PASSWORD)
> # DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as
> initKey by default. If a key is passed, use it
>
>
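As an added example (not part of the issue, the PR, or the Artemis code base), here is a small Python audit that reads configs shaped like the two snippets above and reports where each file's codec key would come from: a `key=` literal in the file, the `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` variable referred to in the PR comment, or the built-in default. The sample configs are constructed, and the element layout it expects is the one shown in the issue.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring the snippets in the issue description.
BROKER_XML = """<configuration>
  <core xmlns="urn:activemq:core">
    <mask-password>true</mask-password>
    <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
  </core>
</configuration>"""
BOOTSTRAP_XML = """<broker xmlns="http://activemq.org/schema">
  <web bind="https://0.0.0.0:8161" path="web"
       passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
       keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)"/>
</broker>"""

DEFAULT_CODEC = "org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec"
ENV_KEY = "ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY"  # env var named in the PR discussion


def codec_declarations(broker_xml, bootstrap_xml):
    """Collect (file, codec string) pairs; '' means no codec declared in that file."""
    core = ET.fromstring(broker_xml).find("{urn:activemq:core}core")
    pc = core.find("{urn:activemq:core}password-codec") if core is not None else None
    decls = [("broker.xml", (pc.text or "").strip() if pc is not None else "")]
    for web in ET.fromstring(bootstrap_xml).iter("{http://activemq.org/schema}web"):
        decls.append(("bootstrap.xml", web.get("passwordCodec", "")))
    return decls


def audit(broker_xml, bootstrap_xml, env):
    """Classify where the Blowfish key for DefaultSensitiveStringCodec comes from."""
    # Assumes masking is enabled; a missing codec string means the default codec is implied.
    findings = []
    for fname, codec in codec_declarations(broker_xml, bootstrap_xml):
        if codec and not codec.startswith(DEFAULT_CODEC):
            findings.append((fname, "custom-codec"))   # not the built-in Blowfish codec
        elif re.search(r";\s*key=", codec):
            findings.append((fname, "key-in-config"))  # key sits in the same file as the masked values
        elif env.get(ENV_KEY):
            findings.append((fname, "key-from-env"))   # key kept out of files, as the PR intends
        else:
            findings.append((fname, "default-key"))    # built-in internalKey: masking is trivially reversible
    return findings


if __name__ == "__main__":
    import os
    for fname, status in audit(BROKER_XML, BOOTSTRAP_XML, os.environ):
        print(f"{fname}: {status}")
```

Run it against a real broker's `broker.xml` and `bootstrap.xml` by reading the files into the two arguments; anything other than `key-from-env` or `custom-codec` is worth a follow-up.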
--
This message was sent by Atlassian Jira
(v8.3.4#803005)