Hi All,

Please review this enhancement to replace the plain-text password for the JMX agent with a SHA-256 hash.

Issue: https://bugs.openjdk.java.net/browse/JDK-5016517

webrev: http://cr.openjdk.java.net/~hb/5016517/webrev.00/

Overview of implementation:

Currently, the JMX agent password file used to authenticate users stores user names and passwords as clear text. Though system-level restrictions are recommended for the JMX password file, passwords are vulnerable since they are stored in the clear. The current RFE proposes to store passwords as SHA256 hashes instead of clear text.

In the current implementation, if the password file is writable and the passwords are in the clear, they will be replaced by their SHA256 hashes upon agent boot-up or when a login attempt is made.

The file src/jdk.management.agent/share/conf/jmxremote.password.template contains more details about the implementation.

- Harsha
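
The following sketch is an added example, not code from the webrev or the JDK. It shows the migration the message describes: clear-text entries are replaced by SHA-256 hashes, and a login is then checked against the hashed entry. The class name, the `user salt hash SHA-256` entry layout and the per-entry random salt are assumptions made for illustration. It works on lines in memory, so the writable-file check and the write-back are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class HashedPasswordDemo {
    // Assumed layouts: clear "user password", hashed "user salt hash SHA-256".
    static final String ALG = "SHA-256";

    static byte[] digest(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance(ALG);
        md.update(salt); // assumption: salt is prepended to the password bytes
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Rewrites clear-text entries; comments, blanks and hashed entries pass through.
    static List<String> migrate(List<String> lines) throws Exception {
        SecureRandom rng = new SecureRandom();
        List<String> out = new ArrayList<>();
        for (String line : lines) {
            String[] f = line.trim().split("\\s+");
            if (line.trim().startsWith("#") || f.length != 2) { out.add(line); continue; }
            byte[] salt = new byte[16];
            rng.nextBytes(salt);
            out.add(f[0] + " " + Base64.getEncoder().encodeToString(salt) + " "
                    + Base64.getEncoder().encodeToString(digest(salt, f[1])) + " " + ALG);
        }
        return out;
    }

    // Login check against migrated entries, using a constant-time comparison.
    static boolean authenticate(List<String> lines, String user, String pw) throws Exception {
        for (String line : lines) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 4 && f[0].equals(user) && f[3].equals(ALG)) {
                byte[] salt = Base64.getDecoder().decode(f[1]);
                return MessageDigest.isEqual(Base64.getDecoder().decode(f[2]), digest(salt, pw));
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample content, not taken from jmxremote.password.template.
        List<String> file = List.of("# constructed sample", "monitorRole sample-pass-1",
                "controlRole sample-pass-2");
        List<String> hashed = migrate(file);
        hashed.forEach(System.out::println);
        System.out.println(authenticate(hashed, "monitorRole", "sample-pass-1")
                + " " + authenticate(hashed, "monitorRole", "wrong"));
    }
}
```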



