Uploaded image for project: 'ActiveMQ Artemis'
  1. ActiveMQ Artemis
  2. ARTEMIS-3488

Create env variable AMQ_PASSWORD_CODEC_INIT_KEY

    XMLWordPrintableJSON

Details

    • Important

    Description

      Currently all passwords could be masked in broker.xml, bootstap.xml

      However for simmetric password used BlowfishAlgorithm it use default internalKey= clusterpassword (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129)

       

      Also DefaultSensitiveStringCodec (release has only this implementation) has option to change initKey, but it looks too silly:

      broker.xml

      <configuration>
      
          <core xmlns="urn:activemq:core">
      
          <mask-password>true</mask-password> 
          <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
      
          <acceptors>
              <acceptor name="artemis">
                  tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
              </acceptor>
          </acceptors>
      </core>
      </configuration>
      
       

      bootstrap.xml

      <broker xmlns="http://activemq.org/schema">
          <web bind="https://0.0.0.0:8161" path="web"
               keyStorePath="/var/run/stores/keystore/keystore.jks"
               passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
               keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
           </web>
      </broker> 

       

      So .. it just added another step for a hacker to get all passwords.
      For examle - it easy to decrypt all passwords uses tool like -
      http://blowfish.online-domain-tools.com/)

       

      What need to do:

      1. Add optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
      2. DefaultSensitiveStringCodec.BlowfishAlgorithm get this parameter as initKey by default. If key passed - use it

       

       

      Attachments

        Activity

          People

            jbertram Justin Bertram
            akvel Valeriy Ak
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 1h 40m
                1h 40m