[
https://issues.apache.org/jira/browse/ARTEMIS-3794?focusedWorklogId=788808&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-788808
]
ASF GitHub Bot logged work on ARTEMIS-3794:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 08/Jul/22 00:47
Start Date: 08/Jul/22 00:47
Worklog Time Spent: 10m
Work Description: ryan-highley commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r916375410
##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java:
##########
@@ -584,15 +585,15 @@ public synchronized void start() {
realTrustStorePassword = trustStorePassword;
} else {
realKeyStorePath =
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME),
System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v ->
useDefaultSslContext ? keyStorePath :
v).filter(Objects::nonNull).findFirst().orElse(null);
- realKeyStorePassword =
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v
-> useDefaultSslContext ? keyStorePassword :
v).filter(Objects::nonNull).findFirst().orElse(null);
+ realKeyStorePassword =
processSslPasswordProperty(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v
-> useDefaultSslContext ? keyStorePassword :
v).filter(Objects::nonNull).findFirst().orElse(null));
Review Comment:
That's an interesting thought. I based these updates on the approach
handling keyStorePassword and trustStorePassword also applying adequately for
their corresponding system property values.
I'm all for providing essential flexibility, but I've also never had to
provide an alternate password encoding codec to appease PEN testing or
production environment security scans. I'm happy to address that if you see the
need for that additional configuration and associated incremental complexity.
Perhaps we can see if anyone files an enhancement request for specifying an
alternate mask mode and/or password codec with system properties?
Issue Time Tracking
-------------------
Worklog Id: (was: 788808)
Time Spent: 2h 20m (was: 2h 10m)
> "org.apache.activemq.ssl.keyStorePassword" and
> "org.apache.activemq.ssl.trustStorePassword" system properties should support
> ENC(...) format
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-3794
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3794
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 2.19.1
> Reporter: Apache Dev
> Priority: Major
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> In order to set client keyStore/trustStore passwords, overriding those
> obtained by topology updates from brokers (see ARTEMIS-1157), we need to set
> system properties.
> Such properties could be logged in traces or be present in dumps.
> It would be a more secure practice to handle ENC(...) format to mask them.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
