Hi all,

At the moment I am currently investigating how to secure up our implementation of ActiveMQ. I have done some reading and have managed to set up a test system running SSL and the Simple Authentication Plugin. This seems pretty simple, but I have a couple of questions about the level of security it offers.

1) If someone asks for the implementation to be FIPS 140 compliant, how would we go about doing that? What library does ActiveMQ use for its encryption/decryption/RNGs? I guess this applies to the SSL transport, and the simpleAuthenticationPlugin when it is using encrypted passwords.

2) Is there a way to change the password encryption algorithm from PBEWithMD5AndDES to something else, as DES is pretty poor?

3) Is there anything out there that allows the key storage for use with the password encryption to not have to be included in the configuration file? I.e. a custom launcher (wrapper, as we use the Windows implementation with our Windows product) that can read the key from an external location?

4) What are the thoughts on running anonymous authentication with SSL configured, relying on the trusted keystores as a way of restricting access (assuming that access to the machines' keystores is not easy), so that password storage for the simpleAuthenticationPlugin becomes redundant?

Given that we don't have the ability to tie the ActiveMQ setup in with an LDAP server to control access to the brokers, am I right in thinking my only option is using the simpleAuthenticationPlugin along with SSL, or just abandoning SSL and running IPSec over the top of the setup? Am I missing something?

Thanks

--
View this message in context: http://activemq.2283324.n4.nabble.com/Securing-up-ActiveMQ-tp4705767.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.