[
https://issues.apache.org/jira/browse/AMQ-9746?focusedWorklogId=985789&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-985789
]
ASF GitHub Bot logged work on AMQ-9746:
---------------------------------------
Author: ASF GitHub Bot
Created on: 04/Oct/25 17:01
Start Date: 04/Oct/25 17:01
Worklog Time Spent: 10m
Work Description: jbonofre merged PR #1502:
URL: https://github.com/apache/activemq/pull/1502
Issue Time Tracking
-------------------
Worklog Id: (was: 985789)
Time Spent: 0.5h (was: 20m)
> Request for Securing ACTIVEMQ_ENCRYPTION_PASSWORD in ActiveMQ 6.1.7
> WebConsole Configuration
> --------------------------------------------------------------------------------------------
>
> Key: AMQ-9746
> URL: https://issues.apache.org/jira/browse/AMQ-9746
> Project: ActiveMQ Classic
> Issue Type: Bug
> Components: Web Console
> Environment: h3. *ActiveMQ Version:*
> {{6.1.7}}
> Reporter: Nagaraju
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> We are currently configuring the *webconsole login* in ActiveMQ 6.1.7 using
> {{EncryptedPropertiesLogin}} via JAAS, with {{users-enc.properties}}
> containing encrypted passwords.
> This configuration requires the use of the environment variable
> {{{}ACTIVEMQ_ENCRYPTION_PASSWORD{}}}, which must currently be stored in
> *plaintext* as either:
> * A system environment variable
> * A system property (e.g., via {{{}System.setProperty(){}}})
> This approach raises {*}security concerns{*}, as the encryption key is
> exposed in plaintext, especially when starting the broker via scripts or
> containerized environments.
> *login.config*
> EncryptedPropertiesLogin {
> org.apache.activemq.jaas.PropertiesLoginModule required
>
>
> org.apache.activemq.jaas.properties.user="users-enc.properties"
>
> org.apache.activemq.jaas.properties.group="groups.properties"
> decrypt=true;
> };
> Is there a supported or recommended mechanism in ActiveMQ 6.1.7 to *avoid
> using a plain-text encryption password*
> ({{{}ACTIVEMQ_ENCRYPTION_PASSWORD{}}})?
> Specifically:
> * Can we *store the encryption password securely in a file* (e.g.,
> {{{}activemq_enc_pwd.properties{}}}) and have ActiveMQ or the JAAS module
> {*}read and decrypt it at runtime{*}?
> * Is it possible to plug in a custom {{StringPBEConfig}} implementation or
> extend {{PropertiesLoginModule}} to load the encryption password
> programmatically?
>
> We would like to keep {{users-enc.properties}} encrypted for security,
> *without exposing {{ACTIVEMQ_ENCRYPTION_PASSWORD}} in plain text* on disk or
> environment variables.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
