Details
- Type: New Feature
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 2.18.0
- Labels: Important
Description
Currently all passwords can be masked in broker.xml and bootstrap.xml.
However, for symmetric passwords the BlowfishAlgorithm is used, and it uses the default internalKey = clusterpassword (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129).
Also, DefaultSensitiveStringCodec (the release has only this implementation) has an option to change the initKey, but it looks too silly:
broker.xml
<configuration>
  <core xmlns="urn:activemq:core">
    <mask-password>true</mask-password>
    <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10</acceptor>
    </acceptors>
  </core>
</configuration>
bootstrap.xml
<broker xmlns="http://activemq.org/schema">
  <web bind="https://0.0.0.0:8161" path="web"
       keyStorePath="/var/run/stores/keystore/keystore.jks"
       passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
       keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
  </web>
</broker>
So it just adds another step for a hacker to get all passwords.
For example, it is easy to decrypt all passwords using a tool like http://blowfish.online-domain-tools.com/
What needs to be done:
- Add an optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD)
- DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as initKey by default. If a key is passed, use it
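As an added example (not code from the Artemis project or from this issue's reporter), the following Python script audits a broker.xml and a bootstrap.xml like the ones above and reports whether each masked password would be protected by an operator-supplied key or only by the codec's built-in default. It assumes the key precedence this issue proposes: an environment variable first (AMQ_PASSWORD_CODEC_INIT_KEY from this issue, or ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY from the linked ARTEMIS-4042; which name a given release honours is an assumption), then the `key=` parameter of the codec string, then the default. The sample XML is embedded from the issue text; the element and attribute names are the ones shown there.

```python
"""Audit Artemis broker.xml / bootstrap.xml for masked passwords whose
Blowfish key would fall back to the codec's built-in default key."""
import os
import re
import xml.etree.ElementTree as ET

# Codec class and the "class;key=..." parameter syntax come from the issue text.
DEFAULT_CODEC = "org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec"
# Env var names: first as proposed in this issue, second from linked ARTEMIS-4042.
# Which one a given release honours is an assumption of this script.
KEY_ENV_VARS = ("AMQ_PASSWORD_CODEC_INIT_KEY",
                "ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY")
CORE_NS = "urn:activemq:core"
WEB_NS = "http://activemq.org/schema"
ENC_RE = re.compile(r"ENC\(.+\)")      # bootstrap.xml masked-value wrapper
URL_PW_RE = re.compile(r"(?i)password=")  # keyStorePassword=... in acceptor URLs


def parse_codec_spec(spec):
    """Split 'class;k1=v1;k2=v2' into (class, {k1: v1, ...})."""
    parts = [p.strip() for p in (spec or "").split(";") if p.strip()]
    if not parts:
        return DEFAULT_CODEC, {}
    params = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k.strip()] = v.strip()
    return parts[0], params


def resolve_key_source(codec_spec, env=None):
    """Where the Blowfish key would come from: 'env', 'param' or 'default'.
    Assumed precedence: environment, then the codec 'key=' param, then default."""
    env = os.environ if env is None else env
    if any(env.get(n) for n in KEY_ENV_VARS):
        return "env"
    _, params = parse_codec_spec(codec_spec)
    return "param" if params.get("key") else "default"


def audit_broker_xml(xml_text, env=None):
    """Return (masked_acceptor_count, key_source) for the <core> of broker.xml."""
    core = ET.fromstring(xml_text).find(f"{{{CORE_NS}}}core")
    if core is None:
        return 0, "none"
    masking = (core.findtext(f"{{{CORE_NS}}}mask-password") or "").strip().lower() == "true"
    if not masking:
        return 0, "none"  # values are plaintext; key strength is irrelevant
    codec = core.findtext(f"{{{CORE_NS}}}password-codec") or DEFAULT_CODEC
    masked = sum(1 for a in core.iter(f"{{{CORE_NS}}}acceptor")
                 if URL_PW_RE.search(a.text or ""))
    return masked, resolve_key_source(codec, env)


def audit_bootstrap_xml(xml_text, env=None):
    """Return [(masked_attr_count, key_source)] for each <web> in bootstrap.xml."""
    results = []
    for web in ET.fromstring(xml_text).iter(f"{{{WEB_NS}}}web"):
        codec = web.get("passwordCodec") or DEFAULT_CODEC
        masked = sum(1 for v in web.attrib.values() if ENC_RE.fullmatch(v))
        results.append((masked, resolve_key_source(codec, env)))
    return results


def verdict(masked, source):
    """'weak' when masked values rely on the built-in default key."""
    if masked == 0:
        return "info"
    return "weak" if source == "default" else "ok"


# Constructed samples, copied from the issue; the hex value is the one shown there.
BROKER_XML = """<configuration>
  <core xmlns="urn:activemq:core">
    <mask-password>true</mask-password>
    <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit</password-codec>
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10</acceptor>
    </acceptors>
  </core>
</configuration>"""

# Same config with no codec key parameter: masking falls back to the default key.
BROKER_XML_DEFAULT_KEY = BROKER_XML.replace(";key=changeit", "")

BOOTSTRAP_XML = """<broker xmlns="http://activemq.org/schema">
  <web bind="https://0.0.0.0:8161" path="web"
       keyStorePath="/var/run/stores/keystore/keystore.jks"
       passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeit"
       keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
  </web>
</broker>"""


if __name__ == "__main__":
    for label, result in (("broker.xml", audit_broker_xml(BROKER_XML, env={})),
                          ("broker.xml (no key param)", audit_broker_xml(BROKER_XML_DEFAULT_KEY, env={})),
                          ("bootstrap.xml", audit_bootstrap_xml(BOOTSTRAP_XML, env={})[0])):
        masked, source = result
        print(f"{label}: {masked} masked value(s), key from {source} -> {verdict(masked, source)}")
```

Run it against a real broker directory by reading the two files instead of the embedded strings; a `weak` verdict means the masking only obscures the value from casual reading, which is exactly the situation the issue describes.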
Issue Links
- relates to ARTEMIS-4042 DefaultSensitiveStringCodec - read ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY env if system property is not set (Closed)
- relates to ARTEMIS-4112 DefaultSensitiveStringCodec don't set system property in scripts as env is read directly (Closed)