[ 
https://issues.apache.org/jira/browse/ARTEMIS-3794?focusedWorklogId=788136&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-788136
 ]

ASF GitHub Bot logged work on ARTEMIS-3794:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 06/Jul/22 04:55
            Start Date: 06/Jul/22 04:55
    Worklog Time Spent: 10m 
      Work Description: brusdev commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r914414526


##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java:
##########
@@ -584,15 +585,15 @@ public synchronized void start() {
             realTrustStorePassword = trustStorePassword;
          } else {
             realKeyStorePath = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v -> 
useDefaultSslContext ? keyStorePath : 
v).filter(Objects::nonNull).findFirst().orElse(null);
-            realKeyStorePassword = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null);
+            realKeyStorePassword = 
processSslPasswordProperty(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
 System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null));
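
Review bot: on the changed realKeyStorePassword line, processSslPasswordProperty receives the result of `.orElse(null)`, so it is called with null whenever neither system property nor keyStorePassword is set; the helper should return null for null input instead of trying to decode it. Because the call wraps the whole stream, the connector-supplied keyStorePassword (the third element, and the only value selected when useDefaultSslContext is true) is decoded the same way as the two system properties. If only the system properties are meant to accept ENC(...), apply the helper to those two elements inside the stream rather than to the final result.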

Review Comment:
   If the purpose is to override keyStore/trustStore passwords obtained from 
topology with encrypted system properties, maybe we should use system properties 
to set the mask mode and the password codec too, i.e. 
'org.apache.activemq.ssl.passwordCodec'; the server and the client could use a 
different mask mode or password codec.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 788136)
    Time Spent: 2h 10m  (was: 2h)

> "org.apache.activemq.ssl.keyStorePassword" and 
> "org.apache.activemq.ssl.trustStorePassword" system properties should support 
> ENC(...) format
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-3794
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3794
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Configuration
>    Affects Versions: 2.19.1
>            Reporter: Apache Dev
>            Priority: Major
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> In order to set client keyStore/trustStore passwords, overriding those 
> obtained by topology updates from brokers (see ARTEMIS-1157), we need to set 
> system properties.
> Such properties could be logged in traces or be present in dumps.
> It would be a more secure practice to handle ENC(...) format to mask them.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
