[jira] [Reopened] (ARTEMIS-3488) Create env variable AMQ_PASSWORD_CODEC_INIT_KEY

Wed, 06 Oct 2021 10:33:10 -0700 


     [ 
https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Justin Bertram reopened ARTEMIS-3488:
-------------------------------------
      Assignee: Justin Bertram

> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
>                 Key: ARTEMIS-3488
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 2.18.0
>            Reporter: Valeriy Ak
>            Assignee: Justin Bertram
>            Priority: Major
>              Labels: password, security
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Currently all passwords could be masked in broker.xml, bootstap.xml
> However for simmetric password used BlowfishAlgorithm it use default 
> internalKey= *clusterpassword* 
> (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)
>  
> Also DefaultSensitiveStringCodec (release has only this implementation) has 
> option to change initKey, but it looks too silly:
> broker.xml
> {code:java}
> <configuration>
>     <core xmlns="urn:activemq:core">
>     <mask-password>true</mask-password> 
>     
> <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
>     <acceptors>
>         <acceptor name="artemis">
>             
> tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
>         </acceptor>
>     </acceptors>
> </core>
> </configuration>
>  {code}
> bootstrap.xml
> {code:java}
> <broker xmlns="http://activemq.org/schema";>
>     <web bind="https://0.0.0.0:8161"; path="web"
>          keyStorePath="/var/run/stores/keystore/keystore.jks"
>          
> passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
>          keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
>      </web>
> </broker> {code}
>  
> So .. it just added another step for a hacker to get all passwords. 
>  For examle - it easy to decrypt all passwords uses tool like - 
>  [http://blowfish.online-domain-tools.com/])
>  
> What need to do:
>  # Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, 
> AMQ_PASSWORD)
>  # DefaultSensitiveStringCodec.BlowfishAlgorithm get this parameter as 
> initKey by default. If key passed - use it
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to